Like many people, I use automation in my home. I use it to tell me when my garage door is open, what the temperature is in my home and various other things. I do so knowing that there is a slight trade-off for the convenience that I am getting….there is some vulnerability for hackers to have some fun with me.
Now, it’s not that I don’t take some precautions. I use a pretty advanced home router (one that is corporate grade) and I use passwords on all devices. I also have taken some other security precautions that most people would not.
At the same time, I am not naive enough to think that I could not be hacked if someone skilled enough really wanted to. I feel that I am somewhat protected by two reasons…..First, I am harder to hack than some and people tend to focus on doing the least amount of work as possible. As well, the devices that I use automation on do not have a lot of downside if they are hacked. I mean….if someone really wants to steal my 9 year old lawnmower, then feel free to override my system and open my garage door.
However, as we progress into the world of IoT, security will become even more important than it is now. Now, we are starting to see vital pieces of information retrieved from IoT solutions, so its security is vitally important. And, as the spotlight is put on IoT, there have been some glaring holes…
• It appears that Google has some work to do to further secure its Nest products, as the hackers at Black Hat were able to access the systems in a matter of seconds!
• It’s a spine-chilling thought that many of the scanners at US airports were actually using default passwords that could be overridden by some hackers if they desired.
• Apparently, according to Black Hat, Philip’s Hue solution (to allow you to control your lighting systems) actually has an easy loophole that allows any hacker to know your product’s serial number, its MAC Address and its internal IP address.
Now, it is important to note that for some of the consumer applications, the consequences might not be as dire (i.e. someone turning off my lights will not likely cause any huge physical harm). However, the same cannot be said for Corporate or Security applications. The idea of being able to temporarily override an airport scanner would open us up further to possible terrorist attacks, as an example. This is not even to mention what happens if someone were to gain control over such things as power grids, traffic systems or Air Traffic controller software.
So, is IoT doomed?
Hardly. In many cases, some of these loopholes can be closed by the consumer itself. Many of the hacks were done because they simply used the default password that these devices get assigned from the factory. One easy step is to change that password before using the device for the first time. This will prevent a large percentage of the attacks. The other is to put more stringent rules on the firewalls/routers at home. Most people have no authentication on devices and do not block many key ports that hackers are known to use. Finally, the last thing is to use encryption wherever possible on devices.
However, even if one uses all of these steps, much of the blame/responsibilities comes from the manufacturers of these devices. It is not reasonable for one to expect the general public to have an extensive understanding of IP-based security, so the solution providers need to do a better job in locking down these services, whether through pre-configured solutions or better over the air activation procedures.
The Bottom Line
We need to use these stories as a wake-up call. To date, I have seen some extreme security solutions / procedures used in most of the thousands of IoT solutions that I have been involved in. They take great precaution in all areas of security, ranging from physical access to IP security to strength of passwords / extensive use of encryption. However, the same cannot be said for many of the IoT solutions that are sold to consumers today. Consumers need to take precautions, such as doing all that they can do from a security side and in some cases even deciding if they are willing to live with the consequences of a security breach (whether at their end or at their providers) before they deploy these solutions in the first place.