Connected devices have been talked up as the next big thing in the tech world for a number of years now, but have so far failed to reach the level of mainstream adoption predicted by pundits. While various manufacturers continue to pump out a plethora of smart home devices and wearables innovations, the Internet of Things (IoT) simply isn’t capturing the imagination of consumers in any meaningful way.
The main reason for is security, or a lack thereof. Multiple surveys have demonstrated that consumers simply don’t trust connected devices. They have good reason. In many cases, security is an afterthought for companies that make IoT products. Often, they’re keen to get their latest invention to market as quickly as possible – be it a connected belt or a smart umbrella – without putting in the time and effort required to make sure their devices are secure. While this is bad news for early adopters of IoT tech, it’s turned out to be an absolute boon for organised criminals.
As a consequence of the generally poor security of connected devices, hackers and script kiddies are able to gain control of them with relative ease, allowing those who are so mined to exploit the IoT to commit a range of cyber crimes. Unfortunately, criminals can do a lot more with compromised connected devices than stealing bank details or deleting user files. In fact, very real fears have been raised that organised hackers could leverage the IoT to knockout national and international infrastructure, commit acts of terrorism or randomly kill.
In November, experts warned US Congress that the American government must act on IoT security now, urging legislators to force device manufacturers to meet basic security standards or face financial consequences. Harvard security lecturer Bruce Schneier said insecure connected devices presented “catastrophic risks”, noting that drones, medical devices and other objects connected to the internet could endanger life. Prior to that, the European Commission suggested creating a labelling scheme for IoT devices that would demonstrate they were secure, much like the European energy-consumption labelling scheme.
Schneier made his comments after the Mirai botnet knocked out internet backbone provider Dyn at the end of October, forcing some of the web’s biggest sites offline, including the likes of Netflix, CNN, PayPal, Spotify and Twitter. He noted that while the attack did not result in any deaths or damage to property, it demonstrated “how the internet now affects the world in a direct physical manner”.
The Mirai botnet is made up of hundreds of thousands of IoT devices that hackers have gained access to using malware that guesses weak manufacturer-set default passwords. As with the Dyn assault, these devices can be used to launch distributed denial of service (DDoS) attacks which flood websites with millions of requests for data simultaneously, forcing them off the internet. These types of strikes are often launched to distract a site’s security workers while separate attacks are instigated targeting other parts of its network. Since the Dyn attack, cyber criminals have used the Mirai botnet to target a number of European businesses, including Deutsche Telekom, and TalkTalk and the Post Office in the UK.
Networks of compromised IoT devices such as Mirai have made it possible for people with relatively little technical expertise to access the tools required to launch cyber attacks. Anybody with the wherewithal to access dark web marketplaces can buy cybercrime-as-a-service packages from hackers, allowing them to target the digital assets of individuals or companies they have a gripe against. Only last month, the boss of a Welsh payday loans firm was handed a one-year suspended sentence after hiring a hacker to attack his company’s rivals and a feedback website hosting negative comments about his business.
According to a new report from the Institute of Critical Infrastructure Technology, the Mirai IoT network is one of the most profound cyber threats in recent memory.
“In only a few weeks, Mirai has enabled unsophisticated adversaries to stifle free speech on the open internet, to deliver more than 1.1 Tbps of traffic to the French ISP, OVH, to overwhelm Dyn’s DNS systems in the Eastern United States, to hinder heat distribution to citizens in Finland, to launch politically motivated attacks, and to disrupt the online operations of five major Russian banks,” the report notes.
In a separate study, Intel Security’s McAfee Labs said that while opportunities to monetise compromised IoT devices are currently quite limited, owing to the fact that few connected devices are placed on high-value networks, hackers will look to create new income streams from connected objects over the next few years as their use spreads among consumers and enterprises. Healthcare providers are considered to be particularly vulnerable, as they begin to use new IoT technology on unsecure networks.
In the UK, cyber criminals are already targeting the National Health Service with ransomware attacks, demanding large Bitcoin payments to unlock patient data. As devices such as connected insulin pens and pacemakers become more widespread, it’s likely that the first IoT-facilitated murder will take place sooner rather than later unless governments around the world crackdown on connected device manufacturers’ appalling record on security.