Internet of Things (IoT) Security Issues

In the past, I discussed how the Internet of Things (IoT) could eventually cause a wealth of problems on the Internet, including security breaches, in a number of my books and articles. Some of my strongest warnings came in Build Your Own PC on a Budget and Security for Web Developers, but I included warnings in other places as well. Unfortunately, the worst case scenario has occurred according to the ComputerWorld article, Armies of hacked IoT devices launch unprecedented DDoS attacks. Yes, your DVR or smart television might have turned into a zombie at this point and now works for someone else committing crimes. All it takes is a little negligence on your part and your device will take a walk on the dark side.

The article is worthwhile reading because the statistics sound like something out of a bad science fiction novel. If anything, my warnings were too tame and I should have used my imagination a bit more in exploring just how bad things could get. Yet, I’ve received e-mail from readers who found the warnings I did provide barely believable. It didn’t seem possible that something as simple as the router installed to provide broadband support for your digital telephone could possibly cause any sort of problem. After all, your old telephone system never went on the attack. The thing is, any device that connects to the Internet today probably has enough intelligence to do harm, especially the IoT devices that everyone assumes just work.

IoT devices are actually some of the best targets for hackers. The users who have them barely know how they work, have no clue that they should change the password, and wouldn’t care even if they could figure it out. After all, the goal is to see Sunday afternoon football, not to configure security for a device. Vendors share in the blame because anyone with even a modicum of common sense would know that users have no desire whatsoever to change device passwords. IoT devices should go out with a unique password printed in a place that the user can easily find on the device, should it ever become necessary to access the device (and it might not ever become necessary). If hackers faced a unique default password for every device, the IoT devices would likely remain relatively secure unless hackers could somehow figure a pattern out in the password assignments. Ensuring the unique password is printed on the device means the user won’t lose it.

It’s not as if changing IoT device passwords is easy anyway, so hackers have every reason to believe that the default password is still in place for the majority of these devices. A recent device purchase pointed out to me that some IoT devices view even password changes as unwelcome user fiddling—it took nearly 20 minutes of reading to discover how to change the password using an arcane set of remote control clicks. Until this situation changes, you must expect that hackers will continue to use IoT devices to perform various kinds of attacks and that device owners will continue to remain oblivious about their cherished device’s life of crime. Let me know your thoughts on IoT security at John@JohnMuellerBooks.com.

 

A Fuller Understanding of the Internet of Things

You can find the Internet of Things (IoT) discussed just about everywhere today because the Internet has become pervasive. IoT is part of most business applications today as discussed in Security for Web Developers and part of any PC you build as discussed in Build Your Own PC on a Budget. It appears as part of smart TVs and Blue-ray players. In fact, you find IoT employed in a lot of places you might not have thought possible even a year ago. The point is that IoT is here to stay and we need to consider some of the ramifications of it on every day life.

One of the issues that hasn’t surprised me too much is the issue of security. Both my smart TV and smart Blue-ray player require me to enter a password to access the Internet through my wireless router (mostly because the router is configured to require one). So these devices do employ security to some extent. However, they remain logged on at all times, so the router is also configured to disconnect devices after a certain time. Each time I turn the devices on, I must reenter the password. It’s a level of security, but not necessarily the best security. Some devices, such as Apple Watch, lack any form of security. (In the case of Apple Watch, the device authenticates through an iPhone, so it still has some level of security, but not security that is part of the device itself.) Some industry pundits are saying that these devices will eventually kill the password, which means that some other form of primary authentication is needed.

The problem is increased by the proliferation of headless devices (products that lack any sort of display, such as a door lock, security system, or robots). In these cases, you can’t enter a password. No one is really sure how to secure these devices, but a solution really is needed and soon. Unless we find a solution, the issues surrounding intentional hacking will increase. A recent InfoWorld article, Welcome to the smart home … of horror!, emphasizes some of the sorts of things that could happen due to a lack of security.

Security and configuration problems aren’t just limited to outsiders gaining access to your home, office, business, or other location due to holes in IoT security. It also turns out that smart devices aren’t particularly smart, so sometimes you lose access to your network and its connected devices due to a combination of security and configuration issues when a failure occurs. In the ComputerWorld article, The Internet of Things: Your worst nightmare, you can hear about one person’s attempt to recover from a simple router failure. It turns out that simply replacing the router wasn’t enough—everything connected to the router needed reconfiguration and sometimes the task was less than easy to perform.

The world is in a age of transformation. The ride will be bumpy and the problems severe. When you consider the immensity of the things that are changing, the future looks incredibly different from anything that has gone on in the past. Not only is there IoT to consider, but the whole issue of robots and other technologies that are coming to fore. As these new technologies become part of everyday life, we have to ensure we can use them safely and that ability of someone to hurt us through them is curtailed. Let me know your thoughts about IoT security and configuration at John@JohnMuellerBooks.com.

 

Discerning Where the Internet of Things (IoT) Really Fits

A number of people have written to ask me about the Internet of Things (IoT) and where it really fits into the technology picture. The current problem with this technology is that it’s so new that people really don’t know where it fits. As with most new technologies, you can find all sorts of uses that simply don’t fit. These uses will eventually die because there isn’t any pressing need to have them. I write about these sorts of uses in the article, What The Internet of Things Is Not. Of course, it’s possible to avoid this particular phase of a technology by asking a simple question, “Is there a pressing need that this solution answers?” Where there is no need, there is also no solution required.

The question I addressed in, What is the Internet of Things? remains. The technology elements are there to create some phenomenal solutions to pressing problems. That’s why I was interested to see a recent ComputerWorld article that describes industrial uses for IoT. No, it’s not as sexy as using IoT to monitor your microwave popcorn so it gets done, but not too done. However, these are the sorts of applications that keep a technology around and also help improve it. The industrial setting will present legitimate questions for IoT to answer. Interestingly enough, you’ll likely benefit from these sorts of industrial uses by not seeing them. That’s right! By making industrial processes more reliable and predictable, they begin to disappear from view. All you really see is the cost savings when it comes to buying products and services.

The IoT is here to stay, that much is certain. However, every year will see major changes to IoT until the technology becomes more stable. At that point, the true killer applications for the technology will begin to appear and everyone will begin seeing the true potential for this technology. For now, what you see is interesting applications—some will survive, many won’t. Let me know your thoughts about IoT at John@JohnMuellerBooks.com.

 

Our Borders are Porous

No, I’m not talking physical borders here—I’m talking cyber borders. I’ve talked a number of times about the relative insecurity of Supervisory Control and Data Acquisition (SCADA) systems. My biggest personal concern is how leaks in these systems can affect people with special needs. At a minimum, implanted devices used by people today are open to hacking. However, there are some reports that say that hackers could eventually become murderers. I wrote Accessibility for Everybody: Understanding the Section 508 Accessibility Requirements with the idea that implanted devices and other aids should help people, not hurt them.

However, other sorts of devices are leaky. Just about any hacker could attack our water supply, power grid, or any other utility. A hacker could turn off your car engine by remote control, lock you into the car, and then do whatever nefarious deed seemed pleasant at the time. These posts aren’t meant to scare you as much as to inform you that the borders of your devices are wide open to attack in many cases. Yet, despite a huge number of newspaper articles, radio talk shows, government inquiries, and odd assorted other do nothing activities, surprisingly little has been done to secure anything.

It probably won’t surprise you to know that the latest casualty, in a long list of problematic devices, is the gas pump. Yep, your gas pump can turn against you. I hadn’t really thought about a gas pump as being anything particularly worthwhile to hack. Yes, you could possibly turn on the pump and get free gas or deny someone else their gas, but it really didn’t strike me as something that hackers would invest time in learning about. Actually, it turns out that gas pumps are connected to all sorts of monitors and messing with the pump can cause those monitors to go off. It doesn’t seem like alarms are anything to worry about either, but think about someone intent on disrupting the emergency services network in a city so that they can attack in some other way. While everyone is distracted with the gas pump spills that haven’t actually happened, someone could do something that would cause the city to go into overload because emergency services are already overwhelmed.

The thing that gets me about a lot of these deficiencies is that they aren’t caused by systems that are secured, but someone has manged to get into anyway. They’re caused by systems that have no security at all. That’s right—someone connected those gas pumps to the Internet so they could monitor them remotely and didn’t add any security at all. Someone who knows the right information can just walk right in and cause all sorts of mischief.

From direct attacks on our infrastructure, to feints used for distraction, to personal attacks, SCADA systems will let us down at some point. I’m surprised that we haven’t had a major issue so far. Perhaps someone is out there right now planning just the right sort of attack that’s designed to cause a maximum of damage. Until we make security a priority, these open systems will continue to pose a serious risk to everyone, whether you have special needs or not. Let me know your thoughts about insecure SCADA systems at John@JohnMuellerBooks.com.

 

Death by Connected Device

The title for this post is dramatic on purpose. In my book, Accessibility for Everybody: Understanding the Section 508 Accessibility Requirements, I describe all sorts of useful technologies for making the lives of those with special needs better. In fact, this particular book has received so much attention that I’ve expanded its coverage significantly by devoting forty (and counting) posts to it. The fact is that implanted devices will continue to be a part of our lives and their use will only increase, which is why articles, such as Cyber crime: First online murder will happen by end of year, warns US firm, have me more than a little concerned. The fact is that we’re all in line for a major wake-up call at some point if something isn’t done to secure the Supervisory Control and Data Acquisition (SCADA) systems we all rely on to connect devices to the Internet today. The hardware, software, and other functionality required to make everything happen is encapsulated in a technology known as the Internet of Things (IoT). Soon, everyone will know about IoT, but few people will know or understand the underlying SCADA systems that goes with it.

The part of the articles that I’ve read so far that intrigues me most is that politicians and others in the know have been disconnecting themselves from the Internet. Note the mention of Dick Chaney disconnecting himself from the wireless part of his implanted device in the aforementioned article. If the devices and their connections were secured, our former vice president wouldn’t be quite so worried. Unfortunately, the rest of us probably won’t be quite so lucky unless we refuse to have the devices implanted at all (which would seem to be a self-defeating stance to take). I’ve actually been discussing this issue for quite some time now. The latest significant treatment of the topic appears in my An Update On Special Needs Device Hacking post. I’ve also broached the topic in Determining When Technology Hurts. The point is that this issue isn’t new, but we certainly haven’t done anything about it.

Will it actually require a slew of front page news stories depicting people assassinated through their implanted devices for someone to get the idea that there are really awful people out there who would like to kill someone (anyone) with impunity? It seems to be the case. So, now we’re seeing stories about the event actually taking place sometime soon. Even if we don’t see someone killed, I can see a situation where people have money extorted from them by hackers who have gained illegal access to their implanted devices.

I’m all for the advancement of technology that has significant potential to help people. I’ve written more than a few posts on the topic. Helping people to walk, see, hear, touch, and have generally better lives is a great idea in my book. However, the time is long past for securing these devices in a meaningful way so that only those who really need access will actually get it. Just why there hasn’t been any legislation regarding this need is beyond me. Our politicians are obviously aware of the problem and have done the work required to protect themselves, but they don’t see to be in much of a hurry to protect their constituents.

Given what I’ve seen in the past, I’m sure the medical community won’t be in any hurry to secure these devices because security has been a legislated requirement in the past. With this in mind, what do you feel needs to happen with these devices to make them a better deal for those who need them? Let me know your thoughts about the lack of security for implanted devices and devices connected to IoT in general at John@JohnMuellerBooks.com.