Your phone, fitness tracker and home thermostat all will soon have something in common.
As time goes on, more of these devices are upgraded for internet connectivity. While they can offer a world of convenience at our fingertips, experts say consumers are in for a world of hurt if they don’t take steps to thwart a hacker’s attempts to steal data or gain control.
Just two months ago, hackers harnessed internet-connected devices, such as video cameras and digital video recorders, in an attack on a key part of the internet’s infrastructure. The attack caused internet outages and congestion across a wide swath of the country, according to the tech blog Krebs on Security.
Experts fear internet-connected toasters, refrigerators and thermometers — collectively called the Internet of Things — can be conscripted into a virtual army by hackers if companies continue to create products with weak or no security protections.
It’s often impossible to know if your devices are insecure. In mid-December, a researcher posted about a vulnerability in several models of Netgear-branded routers that could allow hackers to take control.
The U.S. CERT Coordination Center at Carnegie Mellon University rated the flaw as critical. Netgear began rolling out beta patch updates for the device Tuesday.
BILLIONS OF DEVICES
There are so many IoT devices they will soon rival the number of humans on planet Earth. Information technology research firm Gartner estimates 6.4 billion internet-connected things exist today, which could more than triple to nearly 20.8 billion devices by the year 2020.
These gadgets can exist on the spectrum of fun to absurd. One device allows users to play with their pets via an internet-connected camera and a smartphone-controlled laser. Exercise trackers log our steps and our sleep. If you ever felt the need for a Wi-Fi-connected tray that tells you how many eggs you have in the fridge, that exists, too.
With connected devices, our world can be in the palm of our hands. Check temperatures from a smart oral and rectal thermometer on your phone. At the store and not sure if you have enough cheese? A smart refrigerator by Samsung now takes a picture of the contents every time the door is closed. Online retailer Amazon has offered small, Wi-Fi-connected devices that order various products with the press of a button — these are part of the Internet of Things, too.
Some products are really helpful, said Ashish Gupta, chief marketing officer for Infoblox, a Santa Clara, California, technology firm that acquired Tacoma’s IID earlier this year.
“We drive up to Tahoe, which is about four hours away, and our house is freezing cold in the winter,” Gupta said. Enter the IoT thermostat, which his wife turns on with her smartphone two hours before they arrive. “When we get there, the house is nice and warm.”
But novelty and convenience can come at a cost. Device security is not keeping pace with innovation, the Department of Homeland Security wrote in a paper released last month.
“Because our nation is now dependent on properly functioning networks to drive so many life-sustaining activities, IoT security is now a matter of homeland security,” the agency wrote.
Devices, harnessed by hackers, were able to shut down the central heating and water systems last month at two apartment buildings in Finland. Last year, researchers found nine types of internet-connected baby monitors were vulnerable. They were able to view live video feeds, change camera settings and copy video clips stored online.
“When you’re dealing with things that stream data, whether it’s video or audio, to the internet, you have to look at your comfort level of who you are and what do you do,” said Deral Heiland, research lead at Rapid7, a company that in part seeks security vulnerabilities and reports them to product creators.
Jason Hong, an associate professor of computer science at Carnegie Mellon University in Pittsburgh, said beefing up security costs money, and companies want to maximize profits.
“A lot of people are rushing to market quickly,” Hong said. “It’s easy to see this product has a beautiful form factor and user interface. It’s hard to see if it’s got security built in.”
Users can take a few simple measures to minimize their risks, Hong and others said:
▪ Change the device or service’s default passwords. Manufacturers often ship products to consumers in what’s called a “factory default setting,” all with the same password. Changing the password makes it harder for hackers to gain access.
▪ Search online for the product name to see if any security flaws have been found.
▪ Unplug devices when they are not being used.
▪ Install all software updates for your device. Operating software can be a weak spot in device security.
▪ Consider why you need an internet-connected device in the first place.
Companies with decades of experience in other spaces are starting to enter the web-connected device market.
“Automobile companies are starting to realize they are also software companies,” Hong said. “Some of them don’t realize that — and that’s where the danger is.”
Tacoma partnership aims to thwart large cyberattacks
Infoblox and University of Washington Tacoma are researching ways to prevent the Internet of Things from interrupting services that affect the government, economy and day-to-day activities. Think traffic lights, power grids and the internet itself.
Using a type of artificial intelligence called machine learning, the partnership will help thwart IoT attacks.
“The IoT threat is not the future. It is here today,” said Ashish Gupta, chief marketing officer for Infoblox.
Devices made cheaply with weak encryption can allow hackers to take control and use them to shut down parts of the internet, in what is called a distributed denial-of-service attack.
In short, the partnership’s algorithms are looking for abnormal traffic.
“We’re looking for weird things, weird patterns,” said Anderson Nascimento, a UWT assistant professor. Based on that analysis, the program could eventually be able to isolate the compromised device and quarantine it.
“We see these abnormal behaviors in these devices and we shut them down in an automated manner,” Gupta said.