Written: January 24, 2017
The last few years have seen a proliferation of “smart” devices of every imaginable kind – smart toasters, smart ovens, smart thermostats, smart lights, smart outlets, smart garage door openers – you name it. What makes these devices smart? Two things: an Internet connection, and just enough computing power to be controlled from a smartphone app. Essentially, these new items are all Internet-connected computers, which means they have the potential to be hacked the same as any other Internet-connected computer, especially if they feature lax security.
As it turns out, that’s precisely what many of them do feature, and we’ve now seen evidence both that individual devices can be hacked with malicious intent, and that whole networks of these devices can be taken over en masse and repurposed as part of distributed denial of service attacks and other nefarious activities. The additional problem is that many of them, though smart enough to be hackable, aren’t smart enough to be reprogrammable with better security, so once they’re installed there’s really not much that can be done to fix the security vulnerabilities short of shutting them down entirely.
In theory, though, there’s nothing about IoT devices that makes them inherently less secure than any other computer – it’s the level of security manufacturers and other ecosystem players choose to imbue them with that matters, just as an unsecured PC without a firewall or antivirus program installed is eventually likely to be compromised. The better IoT vendors will install security precautions of various kinds to ensure their devices can’t be compromised in this way, and smart consumers will buy those products. But many IoT devices – including the security cameras involved in the Mirai attacks – aren’t bought by discerning consumers but by corporate procurement departments looking to score the best deal on gear they buy in bulk.
Both IoT vendors and buyers of the gear need to take these issues more seriously, especially when it comes to equipment that can be used to hurt people (such as medical equipment). Routers and other gear that network these devices also need to provide better security, as the FTC has recently argued by filing suit against D-Link. But in the meantime, we’re going to see lots more stories about home automation gear, medical equipment, and a whole set of other IoT devices being hacked and compromised.