Internet of things in the vanguard but vulnerable to hacks

Experts eager to see standardization of devices to help ease safety concerns

You’d be hard-pressed to find an everyday appliance that doesn’t have an internet-enabled version.

Interested in a Bluetooth-enabled toothbrush that tracks your oral hygiene? Beam from Suitable Technologies Inc. and Oral-B from Procter & Gamble Co. have options for that.

Need a wireless sound system built right into your office chair? There are seemingly an infinite number of options available for that.

How about a smart dog collar that not only keeps track of your dog’s location, but also the number of steps taken and how hot or cold they are? Would you like that in leather or sport?

As inexplicable as many of these products may seem, there is no question among tech industry experts that the future lies in the “internet of things,” or IoT, a method of creating products connected in some way to the internet. From advanced car tech to Amazon Echoes, IoT is quickly touching every facet of daily life and it’s becoming bigger and bigger business. According to a study by Boston-based global consultant Bain and Co., the global IoT market is expected to hit $520 billion in 2021, more than double the 2017 number of $235 billion.

But experts in the world of cybersecurity see a need to pump the brakes a bit, noting that bad actors get more chances to breach people’s or businesses’ networks the more they integrate products with internet capability.

“I don’t think we have any choice,” said Paul Greene, a partner at law firm Harter Secrest & Emery LLP who leads the firm’s privacy and data security practice. “We, as a society, love and hate surveillance, we want targeted advertisements, we want a better deal on things than our neighbors, we want devices that will open our car and lock our house doors, but, at a certain point, things shift and they seem creepy.”

“Creepy,” in Greene’s sense, means the invasion of privacy that a good chunk of IoT tech fosters. Fears of an “always listening” device have existed since the explosion in popularity of the Amazon Echo or Google Home. While the companies deny that they spy on their users to create targeted advertisements, the tech is there. Looking past the valid fear that these devices could inadvertently record and transmit a private conversation, which happened to one Echo-owning couple last year, the larger concern revolves around just how secure these brainy tools really are.

Rochester’s Innovative Solutions sees difficulty arising from how varied and unstandardized IoT devices are. There are more and more of them, with varying software, said Bill Knitter, director of IT services. “The challenges we have with traditional mobile device management are all exacerbated with managing IoT devices.”

Echo, Google Home and Siri for iPhone all function based on an always-on microphone. The devices are always listening, recording short samples of ambient sound and deleting them until they are activated by their trigger phrase (“Alexa,” “Okay Google” and “Hey Siri,” respectively). Of course, these devices can all be hacked, although large tech companies have good incentive to create their own internal cybersecurity protocols to protect users.

“If you really are a Google person, you can have a Google account that controls all of the devices that you have in your home, in your car and on your phone, … and you can get a report every day from Google telling you what needs to be updated and what the risks are,” Knitter said. “Just like when a credit card company calls you and tells you your credit card is at risk.”

Knitter calls this a very company-powered, free-market capitalist solution to the security issue that can make IT consultants’ lives easier. However, it’s a solution that leads right back to the issue of standardization. If there is no sweeping protocol in place that says what sort of security measures are needed to protect users, each company’s products will secure themselves differently. Some might have tight, easily monitored security measures. Others may be loose or easily compromised, and if one part of a user’s network is broken, the entire system can be compromised.

“Putting aside the issue of how IoT can help companies, I’m really focused on how they can harm them,” Greene said. “Every IoT-connected device is a surface area that can be attacked on a network. It is a vehicle that can provide protected or otherwise sensitive information to a threat actor, and it’s also a weapon that can be used against even unrelated networks in the form of denial of service attacks or IoT-launched attacks.”

A denial of service attack is a form of cyberattack in which massive numbers of fake requests are sent to a specific server, making it difficult for legitimate users to gain access. On Oct. 21, 2016, hackers were able to use a massive number of unprotected internet-enabled devices to launch a denial of service attack against domain name system provider Dyn, which in turn caused a large number of popular websites, including Reddit, Tumblr and Yelp, to be inaccessible. A total of three attacks were launched throughout the day.

That collection of devices is known as a “botnet,” a series of unrelated and unprotected devices infected with a virus that, in tandem with hundreds or thousands of other devices, are used to launch attacks, steal data or send spam. It’s nothing new—if your computer has ever had a virus it’s likely it was used for a similar purpose.

IoT, however, leaves more holes for hackers to slip through.

“That’s the new reality for entities large and small,” Greene said. “It’s a danger that many people are crying wolf about, but maybe it’s not really wolf that they’re crying. We’ve seen IoT denial of service attacks—that’s been around for a number of years now—but until that starts to affect Main Street, the magnitude of that threat won’t begin to be fully understood.”

In context, there have been many, many data breaches through IoT, the majority of which didn’t cause lasting damage. Some were deeply unsettling, such as the case of the man who hacked into a Houston couple’s Nest baby monitor to hurl sexual expletives at their baby late last year. And in typical internet fashion, some were just racist, sexist, homophobic or anti-Semitic, such as the case of the “white supremacist hacktivist” who broke into unprotected printers across North America to print ads for a white supremacist website, complete with swastikas, in 2016.

Ultimately, Greene sees an inevitability that there will be a moment where real security protocol will become the norm in IoT devices, but to make that happen, it’s likely going to take some sort of trouble. He compares it to the payment card industry data security standard (PCI DSS), an industry-wide information security standard for payment and credit cards, established in 2004.

“Unfortunately, it may take a problem,” Greene said. “A lot of the legislation in this space is reactive rather than proactive. Even PCI DSS came about because of an explosion in credit card related breaches and the realization that security, in many cases related to payment cards, was abysmal.”
