IDC estimates the installed base of connected devices will reach 212 billion by the end of 2020. This Internet of Things will encompass all manner of solutions: public transit, health, homes, machinery, cars, home security, kettles. Every part of life will be connected.
Connected devices will gather data with a view to improving convenience and efficiency, but some of that data will be highly personal, so how secure will your information be?
Not very secure, at least not yet. Hewlett-Packard's Fortify division recently tested a selection of IoT solutions from across popular connected categories including TVs, webcams, thermostats, power outlets, door locks and home control hubs.
Each solution communicated with some type of cloud service as well as a mobile app. The tests identified a total of 250 vulnerabilities across these existing popular IoT devices, suggesting this new industry must become more secure. (The complete PDF report is available here.)
“Six out of 10 devices that provide user interfaces were vulnerable to a range of issues such as persistent cross-site scripting vulnerabilities and weak credentials,” the researchers said. They found 90% of devices collected personal information and 60% had insecure user interfaces.
The research revealed:
· 76% of devices used unencrypted network services, exposing their traffic to interception and man-in-the-middle attacks.
· 80% failed to require strong passwords. Some accepted simple default passcodes such as 1234 or 123456, both for the device itself and for controlling it via cloud or mobile applications.
· 60% failed to protect firmware downloads with either transport encryption or integrity protection of the image itself, so an attacker on the path could tamper with the firmware payload before it reached the device.
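The firmware finding deserves a concrete illustration, because the fix is not "download over HTTPS" alone: the device must refuse to flash an image unless a signature made with the vendor's private key verifies against a public key already on the device, and it must also refuse an older, still-validly-signed image. The following Go program is an added example and is not code from the HP report or from any of the products tested. The image layout (a magic tag, version, length, payload and Ed25519 signature) is a hypothetical format chosen for the example, and the key pair is derived from a constant seed purely so the demo is reproducible; a real signing key would live in an HSM with only the public half baked into the device. The last function shows why a bare hash published beside the file offers no protection against a man-in-the-middle, since the attacker simply recomputes it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout (not any vendor's real format):
//   magic(4) | version(4, big-endian) | payload length(4) | payload | ed25519 signature(64)
// The signature covers everything before it, so swapping the payload or
// editing the version number invalidates it.
var magic = []byte("FWv1")

const hdrLen = 12

var (
	errFormat   = errors.New("malformed image")
	errSig      = errors.New("signature does not verify")
	errRollback = errors.New("version is not newer than installed firmware")
)

// demoKeys derives a fixed test key pair from a constant seed. This is a
// constructed example key, not a real vendor key.
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// buildImage is the vendor-side packaging step: header, payload, then a
// signature over header+payload.
func buildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, hdrLen, hdrLen+len(payload)+ed25519.SignatureSize)
	copy(body, magic)
	binary.BigEndian.PutUint32(body[4:], version)
	binary.BigEndian.PutUint32(body[8:], uint32(len(payload)))
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// verifyImage is what the device must run before writing anything to flash.
// pub is the vendor public key from ROM; installed is the running version.
// It returns the new version and the payload only if the image is well
// formed, correctly signed and strictly newer than what is installed.
func verifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen+ed25519.SignatureSize || !bytes.Equal(img[:4], magic) {
		return 0, nil, errFormat
	}
	n := binary.BigEndian.Uint32(img[8:hdrLen])
	if uint64(len(img)) != hdrLen+uint64(n)+ed25519.SignatureSize {
		return 0, nil, errFormat // length field and actual size must agree
	}
	body, sig := img[:hdrLen+n], img[hdrLen+n:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, errSig
	}
	version := binary.BigEndian.Uint32(img[4:8])
	if version <= installed {
		return 0, nil, errRollback // a genuine but older image is still rejected
	}
	return version, body[hdrLen:], nil
}

// digestOf is the SHA-256 of a payload. It is also exactly what an attacker
// computes after swapping the payload, which is why hashOnlyCheck below
// (a digest fetched beside the file over the same unauthenticated channel)
// passes forged images.
func digestOf(payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return sum[:]
}

func hashOnlyCheck(payload, digest []byte) bool {
	return bytes.Equal(digestOf(payload), digest)
}

func main() {
	pub, priv := demoKeys()
	img := buildImage(priv, 2, []byte("constructed firmware payload v2"))
	v, _, err := verifyImage(pub, 1, img)
	fmt.Println("genuine image: version", v, "err", err)

	tampered := append([]byte(nil), img...)
	tampered[hdrLen] ^= 0xff // flip one payload byte in transit
	_, _, err = verifyImage(pub, 1, tampered)
	fmt.Println("tampered image:", err)

	_, _, err = verifyImage(pub, 2, img)
	fmt.Println("replayed old image:", err)

	forged := []byte("attacker payload")
	fmt.Println("hash-only check on forged payload:", hashOnlyCheck(forged, digestOf(forged)))
}
```

Two details matter in practice: the length field is cross-checked against the real size before any slicing, so a truncated or padded download cannot push the parser out of bounds, and the version comparison happens only after the signature verifies, so an attacker cannot use a forged header to influence the rollback decision.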
“An attacker can use vulnerabilities such as weak passwords, insecure password recovery mechanisms, poorly protected credentials, etc. to gain access to a device,” the researchers said.
But why does this matter when you're talking about a kettle? Each connected solution will talk to other devices nearby, share information with cloud services, and those services will in turn share the data with other services.
Each one sits on the network, sending and receiving as a peer within this ocean of moving data. A single vulnerable device in that chain becomes a viable entry point for criminal activity against everything else on the network.
Security researchers at the 2014 Black Hat conference showed they could compromise a Nest thermostat in about 15 seconds given physical access to the device, replacing its Linux-based firmware with malicious code that could capture network traffic. One of the researchers, Daniel Buentello, had previously warned that connected appliances can be used against us in his presentation "Weaponizing your coffee pot", in which he hacked a Wi-Fi enabled light switch.
Confirming the HP report, Black Hat 2014 attendees learned: “Most of the current Internet of Things and wearable devices suffer from similar issues, lacking proper hardware protection to avoid similar attacks.”
In another presentation at Black Hat, security consultant Jesus Molina discussed flaws found in a hotel's building automation system that enabled him to control almost every appliance in the property.
This interest in exploiting IoT vulnerabilities is already moving from academic demonstration to active threat: a significant number of attacks against home routers and other connected systems, including DVRs, have already been reported this year.
“As the number of connected IoT devices constantly increases, security concerns are also exponentially multiplied. A couple of security concerns on a single device such as a mobile phone can quickly turn to 50 or 60 concerns when considering multiple IoT devices in an interconnected home or business,” said HP Fortify.
These security concerns are amplified when you add wearable technologies such as connected health and fitness devices to the mix. Accessing such data without permission isn't just an invasion of privacy; it could also be incredibly lucrative. As businesses collect even more personal data from cars, homes and other connected systems, the extent and value of the information gathered for big data analysis becomes immense.
Once again, these systems are already under attack: thieves accessed the point of sales systems of a massive US retailer and stole customer credit card details last year by breaking into the retailer’s network through an air conditioning contractor’s insecure connected HVAC system. Qualys claims most of about 55,000 HVAC systems connected to the Internet over the past two years have flaws that can be easily exploited by hackers.
With such a huge market to play in, what must IoT solutions providers do?
One step may be to accept that risk exists and to put in place processes for receiving vulnerability reports and shipping patches as issues are found. Risk Based Security researcher Carsten Eiram warns that many vendors lack such processes.
HP Fortify suggests vendors test their existing solutions against the Open Web Application Security Project (OWASP) Internet of Things Top 10, its list of the ten most common security problems these connected devices currently face.
There are implications for end users, too. If you enable these devices in your home you need to figure out how to protect your network and how to use whatever security protection exists on each device. Cisco’s chief security officer, John Stewart warns that as the number of available connected devices increases, “even the most well funded security teams are struggling to keep on top of what is happening.”
One certainty is that there’s money to be derived from using these connected devices as attack vectors. And given the increasing sophistication of the cybercriminal community, any failure to secure the Internet of Things could have enormous consequences across every manifestation of the connected planet, conceivably threatening the global economy.
Jon Evans is a highly experienced technology journalist and editor. He has been writing for a living since 1994. These days you might read his regular Computerworld AppleHolic and opinion columns. Jon is also technology editor for men's interest magazine Calibre Quarterly, and news editor for MacFormat magazine, the biggest UK Mac title. He's particularly interested in the impact of technology on the creative spark at the heart of the human experience. In 2010 he won an American Society of Business Publication Editors (Azbee) Award for his work at Computerworld.