Last week, I saw several news stories about dramatic hacks of home IoT devices. One involved a hacker using a home security camera to talk with an 8-year-old girl. Another showed a hacker taunting a family with loud noises and racial slurs.
It might seem obvious that a webcam is something that needs to be secured from hackers. But what about all the other IoT devices connected to one’s home network? I often hear comments like “okay, so someone hacks my smart light bulb. They can change the color of the light in my room. Big deal. And besides, why would someone target a light bulb, when they could be hacking banks and credit card accounts?”
Think again! The most humble IoT device, such as a smart light bulb, likely has full access to your home network. That means it can access every computer, storage device, and every other IoT device on your network. Any confidential bank information backed up on the network storage device? Any confidential documents from work? A hacker who successfully compromises the smart light bulb has full access. In the case of the Ring cameras that were the subject of the above news stories, it appears that the cameras themselves were secure, but passwords revealed by hacking other home IoT devices were used to log into them.
A compromised device can also be used to hack anonymously, since the hacking attempts will appear to originate from the victim’s network instead of that of the hacker. In some cases, the victim may not even be aware that the device has been hacked, since it may appear to be functioning normally. In late 2016, hacked thermostats and other smart devices were used for denial of service attacks that crippled a large portion of the internet.
We all love to hate Windows updates, which seem to arrive just when we need to get something done right away. But such updates serve a valuable purpose. They fix newly discovered vulnerabilities before hackers have a chance to exploit them. They are supported by Microsoft – a huge company with vast resources. Will a company that makes a $15 smart light bulb have similar resources to ensure that vulnerabilities are patched? Even if they do, how will these updates be deployed? When was the last time you updated the software in your smart light bulb? How many smart light bulbs even have the capability of having their software updated when critical vulnerabilities are found?
This all assumes, of course, that the company that made the IoT device is honest, and does not have ulterior motives. But even that is not always the case. Does the company that made your smart TV have a known reputation for honesty and transparency? Or is the reason they are able to sell the products at a “bargain price” perhaps that they make money in other ways besides the sale price? For example, a smart TV that collects information on your viewing habits and sells it to a marketing agency? Or a drone that uploads its captured footage not only to your social media accounts, but also to a foreign government’s servers?
This is not to say that IoT devices are “evil”, and should not be used. They can provide significant value when used with due consideration of security, and full understanding of how any collected data is used. But many people don’t think twice. They assume that since they only paid $15 for a smart light bulb, or $60 for a security web camera, their risk is limited to $15 and $60 respectively. And that is far from the truth.