As consumers all over the world buy and install smart devices in their homes, all those cheap interconnected devices are creating new security problems for individuals and society as a whole. The problem is compounded by businesses radically expanding the number of sensors and remote monitors they use to manage overhead lights in corporate offices and detailed manufacturing processes in factories. Cities, with smart adaptation in mind, especially want to use new technologies to improve energy efficiency, reduce traffic congestion and improve water quality.
The number of these IoT devices is climbing into the tens of billions. They’re creating an interconnected world with the potential to make consumers’ lives not only more efficient, but more enjoyable, productive and secure as well. Yet those very same devices, many of which have basically no security protections, are also becoming a part of what are called “botnets,” vast networks of tiny computers vulnerable to hijacking by hackers.
Across the variety of devices – webcams, vacuums, stuffed animals and more – many are manufactured by small and relatively unknown companies that lack brand reputation and protection. These manufacturers aim to produce and sell tons of devices as cheaply as possible, which means that customers’ cybersecurity isn’t much of a priority. It also means that there is a wide range of vulnerabilities, including weak passwords, unencrypted communications and insecure web interfaces. With thousands, or hundreds of thousands, of identically insecure devices scattered all over the world, they’re a wealth of targets ripe for hacking.
A recent example of this involves connected Nest Cams that were initially reported as having been hacked to issue fake nuclear bomb threats. A family in Orinda, California went through “five minutes of sheer terror” when they heard a very legitimate-sounding emergency warning that Los Angeles, Chicago and Ohio had only hours to evacuate before alleged nuclear weapons hit the named cities. However, this isn’t a hacking case. It’s actually a case of a reused password. Because the Nest owner had used their password more than once, the user’s credentials had been compromised and other users were able to access the account with no hacking tricks necessary. From there, the fraudulent message was able to do its damage by using the Nest’s “Talk and Listen” feature.
This could all be avoided by simply changing a password to something more secure (as in one you’ve never used before) and setting up two-factor authentication (2FA). But of course, it may not always be as simple as this. Sometimes manufacturers set unchangeable administrative passwords on devices – which happens a lot more often than you would think – and hackers can run a program that will search the internet for these devices, log in to them and take control of them by installing their own malicious software, thereby recruiting the device into a “botnet army,” so to speak.
The size and scale of these attacks – and the broad range of devices that can contribute to them – make this both a private problem and a public one. People want to secure the devices in their homes and pockets, of course. Yet the same networks that stream television shows and music also link burglar alarms to police, manage traffic lights in congested areas and let self-driving cars talk to each other.
All that activity can be drowned out if hackers flood the internet, or sections of it, with meaningless messages. Traffic would stall across towns, even counties, and police officers would have a hard time communicating with each other to try to straighten everything out. Even small devices, in their hundreds of thousands, all around the world, can work together to have huge repercussions both online and in the physical world.