This week, NCCIC, in collaboration with cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States released a joint ‘Activity Alert Report’. What is alarming in the findings is that a majority of sophisticated exploits on secure networks are being carried out by attackers using freely available tools that find loopholes in security systems.
The Internet of Things (IoT) is broader than most people realize. It involves diverse elements that make it possible to transfer data from a point of origin to a destination. Various Internet-ready mechanical devices, computers, and phones are part of your IoT, including servers, networks, cryptocurrency sites, down to the tracking chip in your pet’s collar.
Your IoT does not require a person to person interaction. It also doesn’t require a person to device interaction, but it does require device to device connections and interactions.
What does all this mean to you? It means hackers have more points of entry into your personal IoT that you ever dreamed of.
Here are some of the ways they can infiltrate your personal IoT devices along with some suggestions on how to keep them out.
Your home network
How many functions are controlled via a home network? From your security system to activating lighting at dusk to changing the setting on the thermostat, many people set up automatic tasks or use remote access to manually adjust so many things. It’s convenient, but it comes with a degree of risk.
(Image courtesy of HotForSecurity.BitDefender.com)
Hackers who are able to detect and penetrate the wireless home network via your thermostat or the lighting system eventually burrow into other areas, like the hard drive where you keep financial documents. Before you know it, you’re a ransomware victim.
Too many people think their OS firewall will protect them but by the time a hacker runs into that, they’re already in your computer and can jump out to the wireless devices we’ve been talking about.
What can you do about it? Take a cue from your bank. Have you ever tried to access your account from a device that the bank doesn’t recognize? If so, then you know the bank’s system requires you to provide additional means of identification, like a fingerprint scan or answering a security question.
That process is called multifactor authentication. Unless the hacker can provide more information, the system blocks the attempt. Make sure your home network is setup to require additional authentication when any device other than your phone, home computer, or tablet is used.
Spyware/Malware from websites and email attachments
Hacking via email attachments or picking up spyware and malware by visits to unsecured sites are still possible. Since these typically download to your hard drive and run in the background, you may not notice anything at all for a time. All the while, your data is being harvested.
You can do something about it. Keep your security software up to date and always load the latest release of your firewall. Never open attachments with unusual extensions even if they appear to be from someone you know. Always use your security software to scan attachments of any kind rather than relying solely on the security measures employed by your email client.
Only visit secure sites. If the site address begins with “http” rather than “https” that’s a sign you need to leave it alone.
Remember to update your security software at least once a week. Automatic updates are a good thing. Don’t forget to initiate a full system scan at least once a week, even if there are no apparent problems. Do so after making sure you’ve downloaded and installed the latest security updates.
Your pet’s microchip
The point of a pet chip is to help you find your pet if it wanders away or is stolen. While not GPS-enabled, it’s possible to scan the chip on an animal who ends up in an animal shelter or clinic and confirm a match. Unfortunately, that function is managed over a network. That means hackers can use it as a gateway.
(Image courtesy of HowStuffWorks.com)
Network security determines how vulnerable you are in terms of who can access the databases and come up with a match. Your best bet is to find out what security measures the chip manufacturer employs, including how often those measures are updated. If you don’t get straight answers, go with a competitor’s chip.
Your child’s toy
Have you ever heard of a doll named Cayla? It’s popular in Germany and also happens to be Wi-Fi enabled. That means hackers can gain access to the camera and microphone included in the doll design. Wherever the doll is carried, it’s possible to gather data that can be used for all sorts of activities. That includes capturing information about passwords, PIN codes, and anything else that’s in the range of the camera or the microphone.
Internet-enabled toys need to be checked for spyware regularly. More manufacturers provide detectors in the toy designs. You may still need to initiate those scans and keep the software updated. This increases the odds that the toy remains a toy and doesn’t become a spy for some hacker.
Infection from trading electronic files
It seems pretty harmless to accept a digital music file from a friend. In most cases, there is no harm. Unfortunately, your friend’s digital music collection may already be corrupted. Once you load that corrupted file onto your hard drive, your computer is now part of a botnet network running behind your own home network.
(Image courtesy of: AlienVault.com)
Whenever you receive a digital file, either via email or by someone stopping by with a jump drive, always use your security software to scan it before downloading it into your system. The software should be able to catch the infection. If you find anything, let your friend know so he or she can take steps to debug the original file.
These are only a few examples of how your IoT can be hacked and lead to data theft or corruption. As with any type of internet-based infection, there are new strategies developed daily.
How Blockchain might help
There’s one major IoT design flaw that allows hackers to easily get into a system and that is the centralized nature of the network’s decision-making. There is a single point of control through which all requests are routed and decisions are made. A hacker has only to penetrate this singular authority to take control of everything because individual devices can’t decide on their own what constitutes a threat.
Interestingly enough, the blockchain technology that underpins Bitcoin and many other cryptocurrencies might eventually provide a solution to the extremely hackable state of the IoT as presently configured. While not a perfect solution, the decentralized nature of blockchain has a lot of companies spending plenty on research and development for eventual deployment to a host of uses, including the IoT.
The advantage blockchain technology offers to IoT is that it removes the single point of control and allows each device on a network to work in conjunction with the others to detect and thwart hack attempts. Blockchain works through group consensus. This means that in order to take control of a system, a bad actor would have to be able to take control of a majority of the devices all at once, which is an exponentially harder task than breaking through the single point of control model.
If a blockchain-powered IoT network detects an intrusion attempt and the group decides it is malicious, it can be quarantined so that no damage occurs to the network.
That’s the theory anyway.
Since blockchain is an almost brand new technology, there are hurdles to be overcome before it can be deployed on a wide scale as a solution to IoT security problems. Here are a few:
- Computing power costs – It takes plenty of computer resources to run a blockchain. More than the average household owner is willing to pay right now. That’s why the focus is on industrial IoT uses at present.
- Legal issues – If you have AI-powered devices making decisions on their own, who will bear ultimate responsibility when things go wrong?
- Volatility – The development around blockchain is young and unpredictable. Investing in a solution right now might mean having to buy all new equipment in a year.
One thing is certain. We have a huge problem (IoT security) and what might eventually offer a solid solution (blockchain technology). Expect the path to get from here to there to be filled with potholes and dead ends but stay tuned. The potential for a truly revolutionary technology to come into its own is definitely in the mix.
About Gary Stevens
Gary Stevens is a front-end developer. He’s a full-time blockchain geek and a volunteer working for the Ethereum foundation as well as an active Github contributor.
Defending your business from the next wave of cyberwar: IoT Threats.
5 DIY IoT projects you can build under $50
IoT botnets Mirai and Gafgyt target vulnerabilities in Apache Struts and SonicWall