Technology Reports:

The ‘Internet of Things’ & our security – Should we be worried?

Security matters…

But why? As explained on the previous page, suppliers of more traditional internet connected devices are working hard to block the the efforts of the ‘wild west web’ bad guys and to a large extent are keeping them at bay (for the time being at least).

It is, of course, in their vested interests to protect your (and their) investment in this expensive / sophisticated equipment, from which they make so much money and by so doing make it more likely that you will buy the next generation of kit from them rather than somebody else.

Unfortunately, the economics of IoT devices are completely different. The maximum add-on cost that most consumers would tolerate to add internet connectivity to a basic item of equipment is distinctly limited – let us say in the order of £10. Any incremental cost of much more than this would just not stack up against the traditionally low cost of such basic electrical items (e.g. coffee maker, electric light switch, central heating thermostat etc.).

For this reason, the designers of such devices will do everything they can to avoid incurring additional development and manufacturing costs – so no fancy packaging, the use of the simplest possible Web-based Graphical User Interface (GUI) and, above all, an absolutely minimal investment in device security (both initial and ongoing).

Now, you might not think that any of this matters – after all, what’s the worst that can happen? A hacker gaining access to one of my IoT devices would only be able to switch my electric kettle on, or turn my heating up a few degrees, right?

Of course, it’s not that simple.

Any network (home, office or anywhere else) can be considered as being like a series of important assets (your devices) which are all placed behind a ‘protective fence’ made up of firewalls, internet security software, encryption of data, access control mechanisms (user names, passwords, fingerprint scanners, PIN numbers etc.). This fence is taller / stronger in certain places (for example at the router) and lower / weaker in others (invariably IoT devices).

All a hacker has to do is to breach this fence somewhere (typically where it is weakest) and once through they can behave as if they are the device at the point of access and get to pretty much anything else within the same network, including your supposedly secure data files:

Creating so-called ‘attack vectors’ (methods by which a system can be attacked) for IoT devices is made even easier for hackers as they can buy them for not-a-lot of money off the shelf and can be sure that the simple operating system will be virtually identical on any similar device that they can find on an unprotected network - they can even buy custom scanners to search across the world wide web for such devices.

This type of insecurity has actually been well known for some time now in relation to webcams (one of the original IoT devices), with some shocking research demonstrating how trivial it is to access live footage of a baby sleeping in a cot, security cameras in schools and hospitals and even cameras set up to remotely monitor marijuana plantations! (Ref). Unfortunately, similar techniques can be utilised in accessing any device with only low level security and a simple Web GUI.

So it is clear that the IoT is coming to all of our homes in a big way and it does indeed bring many benefits, but it should hopefully now be clear that it comes with a big caveat – it is likely that in future most crime will not be physical in nature (e.g, breaking and entering), but will be instigated online – so-called ‘Cybercrime’.

This type of crime can bring huge financial benefits with comparatively little risk of the instigator(s) being caught and the IoT hugely multiplies the number of weak points in any network through which an attacker can gain access. So what can we do to protect ourselves?

For our simple guide to the common-sense measures that we can all take to minimise the risk to our own home network, take a look at our article Internet Security – Basic Recommendations.

Back to Technology Reports

TechReport (UK)