How Smart Devices Let Cybercriminals into Your Home
Smart devices you use every day, such as Internet-connected televisions, cars, refrigerators, thermostats and bathroom scales, could increase your risk of becoming a victim of cybercrime. Sounds scary, but it's not surprising to many information-security experts.
"There are so many developers developing smart devices," said Neill Feather, president of SiteLock, a Web-security provider in Scottsdale, Arizona. "We're seeing people and organizations who don't normally write software that are doing that now."
All these devices collect information about you, your home network, where you live and what you buy. They upload that data to company servers, from where the data can be resold, stolen or spied upon. That security camera in your living room is always on. Who besides you might be watching the feed? That high-tech talking toy knows your kid’s name, birthdate and address. What’s to stop an identity thief from using that information?
Fortunately, there are some basic steps you can take to reduce your chances of becoming a victim.
Security? What's security?
The problem lies with the code written to run Internet of Things (IoT) devices. It's not only that security is often an afterthought; it is often not even considered at all. IoT is all about functionality, connectivity and convenience, and adding a layer of security to smart devices would limit those features.
"Durable-goods manufacturers now offer smart machines — think smart refrigerators — and companies have had to hire developers quickly to keep up with competitors," said Feather, who is also a board member of the nonprofit Online Trust Alliance. "The security-code practices and measures employed simply aren't the strongest."
But don’t take just our word for it. The FBI has said the same things. It released a public service announcement last fall, warning consumers and businesses of the security risks of smart devices.
"Deficient security capabilities and difficulties for patching vulnerabilities in these devices, as well as a lack of consumer security awareness, provide cyber actors with opportunities to exploit these devices," the PSA said. "Criminals can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam emails, steal personal information, or interfere with physical safety."
Vulnerabilities common among IoT devices include unprotected USB ports, lack of digitally signed software updates and unencrypted storage of passwords for users' home Wi-Fi networks. Many devices come with default administrative passwords, but without warnings that users need to change those passwords. Other devices have hard-coded administrative passwords that can't be changed.
Here's a car. You provide the seat belts
Designers of IoT devices expect that their devices will be protected behind the customer's Wi-Fi network firewall once installed, said Greg Enriquez, CEO of enterprise-security provider TrapX in San Mateo, California.
This assumption forces the user, not the manufacturer, to be the one in charge of ensuring a proper level of network security. In other words, there is an expectation that IoT users have the knowledge and competence to set up firewalls and device encryption. But the reality is that most people don't have those skill sets.
"Hackers continuously look for ways into networks," Feather said. "IoT devices are one way in."
Adding insult to injury, standard antivirus protection and other cyberdefense software don't work with IoT devices. You can't simply install third-party security software on the devices. Because most IoT devices are very task-specific, most don't have any more memory or disk space than absolutely necessary, creating technical limitations and leaving little or no disk storage for security tools.
Jackpot of personal data
Once cybercriminals gain access to any device, they look for as much data as they can find — and IoT devices provide a treasure trove. Most users may not realize it, but unsecured smart devices transmit a ton of personal information. Take fitness trackers that automatically sync to an app through a Bluetooth connection.
"This [Bluetooth syncing] makes it seamless for the person tracking their health," Feather said, "but they also may be broadcasting their data to everyone else around, without a way to turn it off and still keep the main functionality."
Unlike traditional cyberattacks, attacks upon IoT devices are not limited to extracting information. These attacks can cause physical harm, and state-sponsored cyber-attackers can exploit these devices to wreak havoc.
"Global connectivity between all devices creates significant security concerns. Recent reports of hackers being able to remotely control cars illustrate the immense risks posed by IoT," wrote Torsten George, vice president of global marketing for RiskSense, in a recent commentary in SecurityWeek magazine. "This raises questions regarding current security-risk-management practices and illustrates the challenges that are being created by IoT's all-in-one connectivity."
Not as bad as it seems?
Yet not every expert is sure the FBI should have warned about the link between IoT devices and potential cybercrime. Ron Schlecht, managing partner with BTB Security in Bala Cynwyd, Pennsylvania, said he doesn't think IoT devices are any worse than other devices or technologies that have been around for decades.
"While IoT gives folks a platform to tinker with something that's connected and has different capabilities, it's, again, all in how it's used," Schlecht said. "A small percentage will use the knowledge for bad, but it's not a gateway."
How to protect yourself
To protect themselves, users may want to treat these smart devices as "hostile" devices on their networks.
"Most home user routers have the capability to create a guest network," Schlecht said. "Do it, and add these devices to that wireless instead of the regular wireless [that] the rest of your computers are on."
"If you can set a password, try to pick a good one," Schlecht added. "Think about the type of information the device may have about you. Minimize that information, and make sure if you get rid of the device, it is reset to factory settings."
The biggest points to make about IoT security are that a lot of the data the devices handle can be personal and private, and that most users of IoT devices aren't aware of how much of that data they are actually sharing.
IoT designers are doing little on their ends to protect these devices, so it becomes the responsibility of the users to take security into their own hands. Hopefully, it won't take too long for the IoT community to figure out how to make smart devices more secure without reducing any of their advantages.