
How hackers can destroy your business through your thermostat

Inside the anatomy of an IoT attack — and how to prevent it.

You’ve likely watched a TV show or movie lately where a cybercriminal hacks into a driverless car or breaks into a home via the baby monitor — but this isn’t just the stuff of movies. The pervasiveness of smart ‘things’ poses a serious security threat at home and in the workplace.

Thanks to the Internet of Things (IoT), more devices are being connected to the network than ever before. But your network was designed for computers and mobile devices — not coffee machines and thermostats. And you probably haven’t given much thought to securing your coffee machine or thermostat. But you should.

How it can happen

Cisco provides a hypothetical example of an IoT attack in this video, where a cybercriminal hacks into a research facility that’s developing cameras for driverless cars. He does this by launching an IFrame injection attack on a website for an old-school bowling alley where the facility’s engineers bowl on Wednesday nights.

One week later, an engineer from the hypothetical facility checks the bowling alley website and ends up with malware on his laptop, spreading it onto the corporate network. It’s discovered, the laptop is wiped and the network is scanned — but not for everything. They don’t think to scan the thermostat, which is connected to the entire network.

In this scenario, the hacker gets onto the network via the thermostat, gains access to trade secrets and sells them to a competitor. Considering that Gartner estimates some 20 billion devices will be connected to the Internet by 2020, this type of scenario could become more of a reality.


The cost of an attack

Gartner also estimates that more than 50 per cent of major new business processes and systems will include an IoT component by 2020 — and that addressing security compromises related to IoT will jack costs up to 20 per cent of annual security budgets.

When one device is compromised, the entire system of interconnected devices is compromised. This holds serious — and scary — implications, from hacking into life-saving medical devices to launching distributed denial of service (DDoS) attacks that shut down critical infrastructure.

The first major attack to gain widespread attention was the August 2016 Mirai botnet attack, which targeted IoT devices such as security cameras and wireless routers, turned them into bots and unleashed a massive DDoS attack. A few months later, another massive DDoS attack shut down major sites such as Twitter, CNN and Netflix.

Not being able to binge-watch certain shows was an annoyance, but IoT attacks have the potential to be much more nefarious. Last August, 500,000 pacemakers were recalled in the U.S. over fears that security holes left the devices open to attack (hackers could, for example, alter a patient’s heartbeat). Security holes like this could lead to attacks on critical infrastructure, such as power stations and water treatment plants.

Why IoT devices are so vulnerable

“IoT is now found in numerous networks including industrial control systems, building management systems, hospitals, traffic management, urban infrastructure, power systems and telecoms infrastructure. And there are serious issues that will be exploited if not addressed,” writes Paul Lipman, CEO of BullGuard. His company’s research estimates that, to date, some 378 million IoT devices are vulnerable to hacking.

So why are these devices so vulnerable? In part, it’s because of simple mistakes — like not changing the device’s default login credentials after you set it up. The Cisco video, for example, explains how the hacker found the thermostat’s password in 30 seconds on the manufacturer’s website. Always change the default username and password, use a different password for each IoT device, and stay up-to-date with the latest firmware.

While you may consider encrypting highly sensitive data on your network, you probably haven’t considered encryption for your coffee machine (and, in fact, many IoT devices don’t support encryption anyway).

Most IoT devices have poor or non-existent security because it’s time-consuming and costly for manufacturers to bake security into these devices. In time, this could change, as the industry looks at embedded cryptography for IoT.

What you must do

In the meantime, do your research. Consider whether you need a ‘smart’ device over a ‘dumb’ device. If so, research the devices and manufacturers, consider spending more on devices that offer better security, and avoid buying devices with backdoors (which are just another access point for hackers).

If you already have IoT devices on your network, there are IoT device scanners available that will scan Shodan (an IoT search engine) for current vulnerabilities. Perhaps most importantly, segment your network so IoT devices are separated from sensitive data.
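
The checks recommended above (no default logins, a different password per device, current firmware, and IoT devices kept off the segment that holds sensitive data) can be run against a device inventory. The following is an added example, not code from the article or from Cisco; the device names, addresses, credentials, vendor-default list and firmware versions are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data. In practice the credentials would come from a
# password vault export and the defaults from each manufacturer's manual.
VENDOR_DEFAULTS = {("admin", "admin"), ("admin", "1234")}
SENSITIVE_NETS = [ipaddress.ip_network("10.0.10.0/24")]  # assumed R&D segment

INVENTORY = [
    {"name": "thermostat-lobby", "ip": "10.0.10.57", "user": "admin",
     "password": "admin", "fw": "1.2.0", "latest_fw": "1.4.1"},
    {"name": "coffee-machine", "ip": "10.0.50.12", "user": "ops",
     "password": "S7!kettle-blue", "fw": "2.0.3", "latest_fw": "2.0.3"},
    {"name": "camera-dock", "ip": "10.0.50.13", "user": "ops",
     "password": "S7!kettle-blue", "fw": "3.1.0", "latest_fw": "3.1.0"},
]


def version_tuple(version):
    """Turn '1.4.1' into (1, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit(inventory, defaults=VENDOR_DEFAULTS, sensitive=SENSITIVE_NETS):
    """Return {device name: [issues]} for the hygiene checks above."""
    reuse = Counter(dev["password"] for dev in inventory)
    findings = {}
    for dev in inventory:
        issues = []
        if (dev["user"], dev["password"]) in defaults:
            issues.append("default-credentials")
        if reuse[dev["password"]] > 1:
            issues.append("password-reused")
        if version_tuple(dev["fw"]) < version_tuple(dev["latest_fw"]):
            issues.append("firmware-outdated")
        addr = ipaddress.ip_address(dev["ip"])
        if any(addr in net for net in sensitive):
            issues.append("shares-segment-with-sensitive-data")
        findings[dev["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
```
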

The IoT offers an entirely new (and easy) way for cybercriminals to hack into your network. Without a strong regulatory environment in place, it’s up to you to make sure smart devices are adding benefits — not malware — to your corporate environment.



Vawn Himmelsbach

Vawn Himmelsbach is a freelance writer and editor based in Toronto. She has covered technology and travel for 15 years, for media outlets such as The Globe & Mail, Metro News, ITBusiness, PCworld Canada and Computerworld Canada. She also spent three years living abroad and working as an Asian correspondent.
