Reprinted with permission from AlterNet.
Is the Internet of Things the next big productivity leap in modern times? Or is it, as it was commonly referred to at DEFCON 25, the Internet of Sh*t?
William Sabin, who describes himself as an “avid trader,” is effusive in his enthusiasm for these new technological developments. In an article evaluating the prospects of General Electric he writes, “The Internet of Things is the most exciting play and why I like GE as much as I do—connecting people, data and machines.” But the security-conscious crowd at DEFCON 25 are not fans.
The buzz word for these devices is “smart,” but what exactly is the Internet of Things? Joe Rozner, a software engineer and featured speaker at DEFCON 25, defines the Internet of Things (IoT) as “everyday devices that are connected to the internet to add functionality.”
The term was coined in 1999 by Kevin Ashton, a British technology pioneer at MIT. But it was presciently forecast by inventor and futurist Nikola Tesla in 1926, “When wireless is perfectly applied the whole earth will be converted into a huge brain … and the instruments through which we shall be able to do this will be amazingly simple … A man will be able to carry one in his vest pocket.”
The first smart device—a toaster that could be turned on and off over the internet—was developed for an earlier tech convention in 1990. Why you need to turn your toaster on and off over the internet is unclear, but in 2017 the list of these programmable objects has expanded exponentially. “Every single device that’s being put in your home probably has a computer in it now,” says Christopher Grayson, a security expert and red-team hacker currently working for Snapchat. He lists water bottles, locks and even a WiFi slow cooker as just a few of the items that are being networked.
The Internet of Sh*t Twitter feed rolls out information about these devices, tweeting horror stories about a woman stranded in the country in a smart rental car that won’t start without a network. The Twitter account relays a constant stream of weird products—like toilets that glow in the dark—and anecdotes of discomfort, like lightbulbs that have to be reprogrammed before they will turn off and let you go to bed. More dangerously, there is a phone that keeps rebooting when someone is trying to call the fire department.
Grayson says one issue is that many of these companies are small startups trying to move quickly and they don’t want to slow down to install more robust security. “The ones that come from big vendors, like Google and Amazon, they are definitely going through security audits, but the vast majority of these devices are just crappy little computers put together by some boot-strap start-up—[and] they haven’t actually gotten any of it audited. So generally speaking the security posture of these devices is horrid.”
This turns out to be a problem.
Internal and External Intrusions
In October 2016 a DNS provider called Dyn received tens of millions of attacks from these everyday devices, such as routers, security cameras and DVRs. Those attacks disrupted many of the major websites that depended on Dyn, including Twitter, PayPal, Spotify, Netflix, the New York Times and the Wall Street Journal.
Security researchers speculate that these attacks are merely probing around, ahead of larger attacks, and Grayson agrees. When asked if he is anticipating more of these, he says quickly, “Oh, everybody is!”
Unfortunately, massive organized botnet attacks are not the only problem with IoT devices. Not only are they a potential entry point for unwanted intrusion into your home, they are also sending private information out of your home. Companies acknowledge that they plan to monetize the data they collect from these smart objects. The Internet of Sh*t site quotes the maker of a fridge saying, “We didn’t make a fridge initially to make a ton of money, but in a year or two, it can make revenue, absolutely.” That’s one reason the trader William Sabin is so bullish on GE.
One of the fascinating contradictions about the IoT business model that the site points out is that these networked objects are not profitable. They ultimately cost too much to maintain, and so the companies who make them are of necessity exploring alternate revenue streams. Your data is a ready-made product to fill this void.
How will they monetize it? In the case of a fridge, for example, they could sell information about what time and how often you shop. If you always make a grocery run on Saturday, ads that you see on Facebook on Friday night might be more effective, and there would be companies willing to pay for that information. It may be useful for consumers to have ads that pop up the day before they shop—there are convenient aspects to machines knowing everything about us. But there are downsides as well.
The release by hackers of the private data of tens of millions of Ashley Madison customers in July of 2015 resulted in blackmail, divorces and even suicides. The company specializes in arranging affairs for married individuals, and when the complete database was released online by hackers, “people found they could be identified not only by their names and their addresses but also by their height, their weight, even their erotic preferences.” The Ashley Madison data was not gathered from smart objects, but it is a pointed reminder of the dangerous combination of massive amounts of personal data combined with poor security.
No Good Answers Right Now
That combination in relation to the Internet of Things is something that is worrying a lot of people in the InfoSec sector. Rozner says he is not aware of any legislation that would require companies to implement strong security protocols. Grayson says, “There are a lot of startups around it. There is no good answer to IoT security right now.” He recommends having a completely different network for all of your smart devices. Rozner says that is something that is typically suggested at the corporate level. He says it may be daunting for most users to manage such a complex setup, “but overall it is a good idea.”
Alina Selyukh, NPR’s tech blogger, recommends changing passwords to help with IoT security, and making them strong. Security experts recommend using a string of words or a phrase that has a combination of upper and lower case characters, symbols and numbers. One security website warns that as more people turn to phrases, hackers are focusing on them more, so it’s best that your phrase be random and not one that is commonly used. To resist the latest cracking technology, passwords may need to be at least 23 characters long. Edward Snowden says that an eight-character password can be cracked in under one second.
18 Routers Hacked
What’s more fun than hacking into things? Hacking into things while winning serious street cred and cash. DEF CON 25’s IoT Village challenged hackers to pit their skills against the security of Small Office/Home Office routers. Eighty-six teams competed to discover the 0-day (undisclosed) vulnerabilities that were required to earn points. Teams were up late into the night, sometimes all night, testing their skills against the security provisions that companies had put in place. Ultimately all the routers in the contest fell to the hackers. Independent Security Evaluators, the company that organizes the village, says that the winning team, Wolf Pack, was able to exploit all 18 routers in play, capturing the “flag” and the $500 prize. Is your router one of the ones they hacked into? You might want to check.
IoT Village says that over the years it has exposed 113 vulnerabilities in connected devices. Melanie Ensign, a volunteer who works with the Con, said that they have informed researchers and device manufacturers about these issues, but clarified that just because a flaw has been exposed does not mean it has been fixed. She said, “device manufacturers are notoriously difficult to work with on patching,” adding that not every vulnerability can be fixed with a software update. IoT Village does not make these security flaws public, for obvious reasons.