So what is the Internet of Things?
Where have you been living for the last five years? The Internet of Things is a term used to describe the growing array of items, including obvious ones like computers, tablets and smart phones, that connect to the internet. A consumer IoT device is any product or device for personal use that can connect to the internet. Common examples are speakers, security cameras, sockets and thermostats as well as household objects like fridges, bins, and interior fragrance dispensers.
Why on earth would you want to connect your bin to the internet?
The connected device allows the user to control its functions from an app on their phone or computer. This enables a user to remotely access and control a device in their home from anywhere they have an internet connection. You can turn the lights on and off in your home while you are on holiday, or you could see and speak to someone at your front door even when you’re not at home. Your smart bin can open and close without you touching it using movement sensors, as well as monitoring the levels and contents of the rubbish bin to help co-ordinate sorting and collection.
What else is the Internet of Things used for?
Smart environments include commercial buildings, factories and cities. They use connected systems such as heating, air conditioning and security, along with sensors and microchips in automated machines and in public spaces. These embedded connected systems generate, collect and analyse data to sense and monitor the environment and improve the effectiveness of services. Examples are public transport, street lighting, traffic flow and rubbish collection (as mentioned earlier).
Connected machines in critical care medical settings generate real-time diagnostic and monitoring data that help staff reach faster clinical decisions and provide rapid integrated care across a hospital system.
Implantable or wearable medical devices such as active smart stents, automated insulin delivery systems, smart inhalers, and pendants that can detect a fall are increasingly being used to more accurately monitor and care for patients without them needing to come into a medical setting.
Industrial control systems that involve complex connected systems are used widely in the industrial and power sectors such as energy (nuclear, electric and gas) and water.
Why are connected devices called smart?
The idea is that they contain some ‘intelligence’ which allows you, via an app and a cloud service, to interact with them. For many smart devices, this ‘intelligence’ is located in its hub (a plug-like device that fits into the wall and holds the processing part of the smart device). It’s been pointed out by security experts that many smart devices are in fact very dumb because they have next to no security.
How secure are all these devices that are connected to the internet?
Because many IoT devices have limited processing power due to constraints such as battery life, security can be poor. When a device is communicating with a cloud service (the internet), best security practice would dictate that the data from that device is encrypted, or scrambled into code. IoT devices with poor security communicate with the internet with the data unencrypted. This means that a malicious person on the internet could come across your smart device and access it. In this way, someone might see into your house through your security camera, or they could use the insecure device as a ‘way in’ to hack into your network and access bigger prizes. You can imagine the chaos if something as serious as an intensive care unit in a hospital or a national power grid was hacked.
New legislation expected to come into UK law in the next few years will bring some much-needed improvement to consumer IoT device security. At the top of the list is an end to universal default passwords.
Surely everyone hates passwords, do we really need more to remember?
Funny you should say that. Security experts are indeed predicting that passwords could soon be a thing of the past.
What are the alternatives to passwords?
There are methods that authenticate the user with the device via the app and the cloud service which do not require a password. Instead, manufacturers use QR codes on the device which can be scanned by your phone. This is only necessary when you first access the device, and it will link that device to the app on your phone.
What are the other IoT security measures coming into law?
The other top security requirements are that manufacturers must specify for how long their device will receive software updates, and they must also implement a means to manage reports of vulnerabilities.
What are vulnerabilities?
All the connected embedded systems in IoT devices operate by using numerous lines of computer code which we call software. All complicated software like this will contain some mistakes and at some point in the device’s lifetime, these mistakes may be discovered. The mistakes can often be used by hackers as openings to break into the device. The manufacturer needs a way to change the code on everyone’s device to correct the mistake and stop the vulnerability.
Bug bounty programs are offered by most large companies that create software. Bug bounties are incentives for security researchers (also known as ethical hackers) to rigorously test the security of a product by trying to break into it. If they find flaws in a system, they report them to the manufacturer and the system can be improved. The discovery of a minor bug may be rewarded with a prize of a few thousand pounds; however, the discovery of a critical error can be rewarded with upwards of 80 thousand pounds.
What other methods do hackers use to break into IoT devices?
Hackers use automated tools called fuzzers which send random inputs to a system until they find a flaw. Fuzzing can help find mistakes and allows hackers to learn about security holes in the system of which they can then take advantage.
This is why it’s important for security experts to validate all kinds of input data for their device. They need to think like a hacker and use methods like fuzzing to thoroughly test their systems.
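To show what that testing looks like in practice, here is an added example (not part of the original article) in which a small fuzzer is run against two versions of a device's message parser: one that trusts its input and one that validates it. The message format, the command names and every function name are assumptions made up for this illustration.

```python
import random

COMMANDS = ("OFF", "ON", "DIM")  # constructed toy command set

class InvalidMessage(Exception):
    """Clean rejection of bad input by the hardened parser."""

def parse_naive(msg: bytes) -> dict:
    # Toy format: [command byte][length byte][payload]. Nothing is checked.
    cmd = COMMANDS[msg[0]]            # fails on empty input or unknown command
    payload = msg[2:2 + msg[1]]       # trusts the sender's length byte
    level = payload[0] if cmd == "DIM" else None
    return {"cmd": cmd, "level": level}

def parse_hardened(msg: bytes) -> dict:
    # Validate every field before using it; reject anything unexpected.
    if len(msg) < 2:
        raise InvalidMessage("too short")
    if msg[0] >= len(COMMANDS):
        raise InvalidMessage("unknown command")
    if len(msg) != 2 + msg[1]:
        raise InvalidMessage("length byte does not match payload")
    cmd = COMMANDS[msg[0]]
    if cmd == "DIM":
        if msg[1] != 1 or msg[2] > 100:
            raise InvalidMessage("brightness must be one byte, 0-100")
        return {"cmd": cmd, "level": msg[2]}
    if msg[1] != 0:
        raise InvalidMessage("unexpected payload")
    return {"cmd": cmd, "level": None}

def fuzz(parser, rounds=2000, seed=1):
    """Feed random messages to parser; return one sample input per crash type."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(rounds):
        msg = bytes(rng.randrange(256) for _ in range(rng.randrange(6)))
        try:
            parser(msg)
        except InvalidMessage:
            pass                       # expected: bad input rejected cleanly
        except Exception as exc:       # unexpected: a bug the fuzzer found
            crashes.setdefault(type(exc).__name__, msg)
    return crashes

if __name__ == "__main__":
    print("naive:", fuzz(parse_naive))
    print("hardened:", fuzz(parse_hardened))
```

The naive parser also accepts a brightness of 250 without complaint, which random crash-hunting alone does not flag; the explicit range check in the hardened version is what catches it.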
Fuzzing? You can’t be serious. Next, you’ll be telling me that armies of zombies are taking over the internet.
Actually, that’s true too. If global critical security parameters (such as default passwords) are used on hundreds of thousands of devices, once that information is disclosed, an attacker can take control of these devices en masse and drive them remotely from a central command computer. The devices essentially become zombies under the control of a nefarious actor and can be used to launch wide-scale attacks on other IoT devices. Networks of these controlled devices are known as botnets. They can be used to bring down websites and services on the internet. You would probably not know if your device was part of a botnet.
How do I protect my home from this madness?
When purchasing a new IoT device, look out for an IoT Security Assured certification badge which will be displayed on the product. This badge will indicate that the manufacturer has important security measures in place for that product.