The internet of things can be hacked – and the risks are growing every day

Mo' tech, mo' problems

We’re rapidly entering a new phase of technological evolution, in which pretty much everything around us is connected to the internet. The term used to describe this increasingly connected ecosystem is the internet of things (IoT), and it’s attracting the biggest names in tech, from Apple to Samsung and everyone in between.

If the tech pundits are right, everything from toasters to light bulbs will soon have internet functionalities.

While connected technology provides a plethora of new and exciting possibilities, it also brings challenges – and the biggest challenges of all involve security. Any internet-enabled device is potentially vulnerable to attack from hackers – so imagine the risks when virtually every object and appliance we use is connected.

Much of the tech-using public remains unaware of such threats, despite repeated warnings from governments and industry bodies; according to Canonical, the company behind operating system Ubuntu, around half the British population is unaware that connected devices can be hacked.

Yet the dangers are all-too real. From taking control of connected cars to using everyday appliances such as fridges as to launch catastrophic cyber attacks, hackers are taking advantage of the IoT big time.

Compromised cars

One industry that’s been quick to seize on the potential offered by the internet of things is motor manufacturing. Car makers are increasingly launching models that sport internet-enabled infotainment systems and hubs, and driverless cars aren't far behind. But while the connected car industry is booming, the road ahead is far from smooth.

Last year the FBI teamed up with the US Department of Transportation and the National Highway Traffic and Safety Administration to warn people about cyber security threats to cars. This followed a controlled experiment by two hackers, who were able compromise a Jeep Cherokee while it was travelling at 70mph by turning the steering wheel and applying the brakes remotely. 

If this were to happen in the real world, lives could be put at risk. Adam Boulton, senior vice president of security technology at BlackBerry, says that both manufacturers of autonomous and connected vehicles, and consumers, need to be aware of the security implications. Boulton envisages an era in which cars are held to ransom by hackers, and sabotaged or used in cyber attacks.

“We are already seeing connected cars on the market that incorporate automated features such as adaptive cruise control, automatic parking, and traffic jam assist,” Boulton says. “This needs to herald an era of reduced accidents, lower pollution, eased congestion and greater productivity.”

“However, without adequate security technology underpinning these vehicles, they could herald an era of engines being shut down remotely, cars being held to ransom by hackers or even being used to support DDoS attacks on major websites. 

“Preventing malicious actors from taking control of vehicles requires a delicate balance in engineering, not only ensuring the vehicle is secure but also remains safe. Connected vehicles require advanced technologies like secure boot to ensure the integrity of the vehicle is intact.”

Meddling hackers

As well as hacking into computer systems to cause chaos, cyber criminals are increasingly attempting to exploit connected gadgets such as Wi-Fi routers, webcams, smart thermostats and wearables to launch wide-scale attacks on companies and organizations.

Mirai is a popular form of malware among hackers, offering the ability to turn systems into botnets to initiate network compromises. In September 2016, hackers used 152,000 consumer IoT devices to initiate a distributed denial of service (DDoS) attack on French hosting provider OVH. They were able to inundate the company with 1Tbps of traffic, causing mayhem for customers around the world.

Consumers and their devices have essentially become unwitting accomplices in cyber attacks, and there’s nothing stopping this from happening again. Paul McEvatt, senior cyber threat intelligence manager for the UK & Ireland at tech giant Fujitsu, predicts that we’ll see more such incidents happen in the next few years.

“As we continue to see the exponential growth of internet of things devices, we will continue to see security issues we hadn’t even considered before,” he says.

“When an architect pulled together the design of smart motorway noticeboards, they wouldn’t have considered that hacktivists would target them to display politically motivated messages. The same is true of IoT manufacturers who built the hundreds of thousands of CCTV cameras, DVRs and SOHO routers that now make up the IoT ‘Mirai’ botnet.

“Lessons will clearly be learned from Mirai, such as avoiding hard coding default passwords but many of the protocols designed for smart connected devices will have their own potential flaws and vulnerabilities.

“Attackers have exploited these vulnerabilities to their advantage already, so while ransomware having the ability to take out a city of ‘smart’ connected lights would have seemed unlikely and unfeasible 12 months ago, recent events have changed that perception.”

McEvatt blames manufacturers for these issues. “The issue is that manufacturers are failing to implement robust security controls from the outset, whether that’s for routers, smart devices or connected cars,” he adds.

No device is safe

The internet of things industry is expanding exponentially, with consumers flocking to the shops to get their hands on the latest connected tech. Cyber criminals see this as a lucrative opportunity, as in most cases consumer-ready hardware can be relatively easy to hack.

According to recent research, hundreds of millions of internet-connected devices are vulnerable to attacks from cybercriminals. Nick Shaw, vice president and general manager for antivirus software maker Norton, says common devices such as smart TVs, home security systems and baby cameras are all hackable, and can be exploited as botnets, or for ransomware and fraud.

“As we continue to adopt more internet-connected devices in our daily lives cyber criminals are starting to pay attention,” he says. “We’re seeing consumer devices being hijacked because they are connected to the internet and their default device passwords have not been changed.

“From laptops and mobile phones, to fitness trackers and routers to home security systems, smart TVs and baby monitors, any internet-connected device is a potential target but the ones with default passwords, infrequent updates and poor security protocols are the most vulnerable.”

“Often consumers don’t register that their connected wearables or home devices are exposed to the same risks as their laptop or mobile phone. As such they don’t take the steps to secure them properly.”

Shaw adds that consumers can reduce the risk of their devices being hacked by change the default device credentials, disabling unused services, modifying the privacy settings of the device and ensuring firmware is up to date.

The internet of things is still in a state of relative infancy, and as it continues to expand and evolve it’s likely that the security threats it brings with it will become more complex and widespread.

There’s now an urgent need for manufacturers and other organizations to develop safeguards to stop hackers in their tracks – and we can all play our part by exercising a little common sense to reduce the chances that we, and our IoT devices, will be the next victims.