Kevin Curran

Kevin Curran is a Professor of Cyber Security, Executive Co-Director of the Legal Innovation Centre and group leader of the Ambient Intelligence & Virtual Worlds Research Group at Ulster University. He is a regular technology contributor to TV, radio, trade and consumer IT magazines.

It seems that just about anything that can be connected to the Internet in our homes is being connected. Examples include smart doorbells, connected fridges, washing machines, kettles, lights, heating, clocks and toasters. The Internet of Things (IoT) is a concept where everyday devices – home appliances, sensors, monitoring devices – can be accessed through the Internet using well-known technologies such as URLs and HTTP(S) requests.

The Internet of Things (IoT) will offer the ability for consumers to interact with nearly every appliance and device they own. For example, your fridge might let you know when you are running low on milk and your dishwasher will inform you when it is ready to be emptied. It is possible that homeowners will be getting more text messages from their devices than from fellow human beings in the days ahead.

Adequately securing these consumer devices is not proving to be easy. Compromised IoT devices have been responsible for large-scale botnets. One of the largest known denial of service attacks was conducted against the security researcher Brian Krebs via compromised webcams. His site was brought to its knees and his hosting provider had to ‘cut him loose’ to protect their other clients. The Internet was unfortunately not built from the ground up with security in mind, so aspects of the infrastructure, such as the insecurities of DNS, are a weakness.

A basic rule of thumb in security is that the more devices you have exposed to the internet, the more exposed your network is to compromise. You simply have a larger online footprint. It also means that you are more likely to have neglected devices which are not updated and hence more vulnerable. The sheer scale of deployment of these limited-function embedded IoT devices in households can lead to unique attacks. There is also the worry of the domino effect, where if one device becomes ‘owned’, the compromise can easily spread to the remainder of the cluster.

Remote Access Vulnerabilities

Take, for example, webcams which function as home security devices. Recently, a security researcher released a new tool dubbed Kamerka, which combines data on Internet-connected cameras with location data to create a map that shows devices in specific buildings or streets. The tool, freely released online, pulls in camera data plus the actual location of the devices from the IoT search engine Shodan.

Shodan ( https://www.shodan.io/ ) crawls the Internet looking for devices, many of which are programmed to answer. It does this by ‘crafting’ messages which probe the Internet to see which devices “answer”, and it can then determine what they are from their replies. Shodan is not as accessible as, say, a typical search engine, but anyone with some knowledge of IT can easily learn how to search for exploitable connected devices using various keywords. Shodan has found remote connected devices answering such as alarms, plant sensors, baby monitors, cars, foetal heart monitors, building heating control systems, water treatment facilities, power plant controls, traffic lights and glucose meters. For example, a Shodan search for a type of baby monitor known to have weak security shows that more than 65,000 people are using the same device and are more than likely also vulnerable to compromise. Shodan can be used to peer into people’s bedrooms and workplaces and is a dream for voyeurs.

There is also a worry about hackers controlling home appliances in different scenarios, such as having fun with the feeder settings of Web-connected fish tanks or disabling microwaves and home alarms. Ultimately, every device connected to the Web should be password protected. It should not continue to use the default password. A long, complex password needs to be set. All devices should be updated as soon as updates are released, just as we recommend on PCs and mobile devices. All devices which do not need to be reached over the Internet should be disconnected. That seems obvious, but many people enable remote connectivity “out of the box” when they have no intention of connecting to the device when away from home.

Privacy

A modern concern about privacy revolves around home assistants. Home assistant microphones are always on. They do not do anything with our voice until we say the “wake word”, which is usually just ‘OK Google’ or ‘Alexa’ in the case of the leading home assistants. After we speak the wake word, Alexa or Google Assistant starts recording and then sends those clips away to the cloud. They stay on the server until we delete them. Amazon and Google allow us to see what requests they have logged. In your Alexa app, go to Settings > History to see your recordings, and for Google Assistant, go to myactivity.google.com. There is also a mute button, of course.

There have been cases where accidental eavesdropping has occurred. Recently, Amazon acknowledged that some of its Alexa-enabled devices developed a new skill which was creeping out their owners with unexpected and unwarranted bursts of robotic laughter. The company suggested that the laughs had occurred “in rare circumstances” because the speaker was picking up a “false positive” for the command “Alexa, laugh”.

Amazon did however file a patent which examined the possibility of eavesdropping on conversations held around its voice-activated devices in order to better suggest products or services to users. That patent states: “If the user mentions how much the user would like to go to a restaurant while on the phone, a recommendation might be sent while the user is still engaged in the conversation that enables the user to make a reservation at the restaurant.” Here however the company also said that the patent was a proposal for the future, rather than a feature it is preparing to roll out. “Like many companies, we file a number of forward-looking patent applications that explore the full possibilities of new technology. Patents take multiple years to receive and do not necessarily reflect current developments to products and services.”

The utmost care needs to be taken when deploying Internet-connected home appliances, as these devices often have limited memory and processing capability, and traditional ‘heavy’ cryptography is difficult to deploy. Every component matters with regard to price margin, and the more powerful the sensors and processor inside the device, the more expensive it is. Security is therefore always a luxury for many home appliance manufacturers, so the end consumer inevitably loses.

The Solution

There are several industry-wide initiatives for IoT security. It is not easy, as regulating IoT devices means devising a rule that would be broad enough to cross many sectors and cover all these products. The security expert Bruce Schneier intelligently said that a good starting place would be “minimum security standards, interoperability standards, the ability to issue a software update or patch after a product has hit the market, and even placing code in escrow so that problems can still be managed in case a company goes out of business”.

IoT manufacturers should release security updates once vulnerabilities are found, but the incentive is simply not there for them to do it most of the time. There are some positive moves of late to hold IoT manufacturers more accountable with regard to roadmaps for updates for any devices they sell. Even something which seems innocent, such as an IoT-connected coffee maker, could be hacked and allow attackers to know our pattern of use, and from that they can make predictions as to when we are at home or not. This is very useful indeed to burglars.

California, however, is one of the first places to enforce strict rules for IoT device manufacturers with regard to weak passwords and providing security updates, so that is a good start. Pressure needs to be placed on IoT manufacturers to implement best practice in securing these devices before they leave the factory. The general public will be unaware of the need to update their lightbulbs, so we in the security industry must force the manufacturers to not make it so easy for the hackers to exploit them. We are now all at risk from IoT devices which were thought to be too dumb to cause harm. Quite simply, unpatched, poorly deployed dumb devices have the power to bring the Internet to its knees.

Google have also created an Android Things operating system which includes automatic security updates for developers that choose to use it in their products. Similarly, MIT academics have created a chip that allows IoT devices to be more easily encrypted. The UK government, through its National Cyber Security Centre, published a series of guidelines for IoT security. These state that default passwords should never be used, and that companies should disclose vulnerabilities when they are found, be willing to work with researchers, update software and protect customer data. It is hard to argue with this.