How Secure is the Internet of Things?

How secure are you? Really?

After my post about potential security vulnerabilities in smart TVs, I took some time to follow up on the topic.  While I couldn’t find a specific vulnerability targeting TVs, what I did find was hugely troubling.

First, take some time to Google “the Internet of things.”  I’ll wait.

Connectivity

Just about all of our newer devices are in some way connected to every other device.  As a result, consumers today have unparalleled access to their entire houses – from laptops to smart TVs to home security systems to refrigerators – from remote Internet connections.

Just this week, my brother was painting a rosy picture of a fully-connected home that would allow him to, among other things:

  • stream media from one room of the house to another (allowing for a consolidated video library to live in one room yet be accessible anywhere)
  • check if the lights were left on while he’s out of town
  • remotely let a friend in the front door to feed the dog

It sounded like a great system.  But it also terrifies me.

Once you open a device to the Internet, you open yet another potential point of attack for would-be hackers.  Don’t believe me?

A refrigerator was discovered among a “botnet” of more than 100,000 Internet-connected devices that sent upward of 750,000 malicious emails between Dec. 23 and Jan. 6. So-called “smart” appliances, like multimedia centers, TVs — and yes, a fridge — were behind more than 25 percent of the volume, Internet security firm Proofpoint reports.[ref]Refrigerator Busted Sending Spam Emails In Massive Cyberattack[/ref]

Is the jury still out?  Then consider this: Target, a major US retailer, was targeted by hackers during this past holiday season.  Hackers installed malware on Target’s point-of-sale machines to slurp up credit card numbers from unsuspecting customers.  Their way into the system? Target’s HVAC vendor:

Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor.[ref]Target Hackers Broke in Via HVAC Company[/ref]

Hackers broke into Target by first hacking one of their vendors: a vendor with remote access to Target’s system.  How many vendors have access to your house?

Does your printer support ePrint?  Can you monitor your refrigerator temperature remotely?  Can you check your security system’s status from a smart phone on-the-go?

You’re more connected than you think.

Trust No One…

I’m a Verizon customer.  Say what you will about the company, but I’ve had amazing service during my tenure, and I often use my phones far longer than the 2-year renewal contract requires.  It’s a win-win.

The only downside: I don’t root my devices.

Yes, I know how to root an Android phone (or “jailbreak” an iPhone).  No, I won’t do it.  Why not?  Because my contract explicitly states that I’m not allowed to and, since I work in the world of tech, respecting the contract written by another tech entity is a defining aspect of my career.

This means I have to wait for Verizon to roll out an over-the-air update to my phone when a new version of Android ships.  Usually it’s not too long of a wait, but sometimes it can be months after a new release has hit the market.

Think back to our discussion about other connected devices: Refrigerators and routers and TVs and thermostats are potentially vulnerable because their firmware is rarely (if ever) updated by vendors pushing you to purchase newer devices with newer firmware.  My phone is potentially vulnerable for the same reason – Verizon (or AT&T or Sprint or T-Mobile or …) would rather I just buy a new device than ship an OTA update.

Despite our ongoing relationship – and the large sum of cash I shell out each month for service – I can’t trust even Verizon to care about or proactively support my security.

…Not Even Yourself

I usually refer to my home network as a “trusted” network.  I know all of the devices connected to it and, after a neighbor proved too savvy at spoofing my WPA2 key, use MAC address filtering to make sure only devices I “trust” can connect to it.

But how much can I really trust these devices?

I’ve had friends and family accidentally download malware while innocently searching online for rugs for my living room.  I’ve had guests connect laptops only to discover their local virus scanner had already failed and their machines were active members of a botnet.

Just yesterday, I discovered a known vulnerability in Android (up to version 4.2) that could allow hackers access inside my private network:

Researcher Joe Vennix found that the vulnerability in Android versions below 4.2, which is early Jelly Bean, could be exploited by clicking on a link in a text message, which would send the recipient to a malicious website. At that point, the attacker could throw up whatever Web page they like, while JavaScript is downloaded in the background to exploit the vulnerability.[ref]Beware of Employees’ Cheap Android Phones[/ref]

My cell runs a newer version of Android (which hopefully means it’s not vulnerable to this particular exploit), but some of the other Android devices in my house do not.[ref]My Kindle Fire, which no longer has unfettered access to my local network, is running on the same Android 2.3.3 OS it shipped with.[/ref]  If they’ve been hacked, it means a “trusted” device with full access to my network is open to a nefarious individual who can do whatever he or she wishes on the inside of my system – with the same level of access the legitimate users of my network have.

I’m not trying to be too paranoid here – but essentially anyone with an Android 4.2 (or lower) device is now a potential open door for hackers into even your most secure network.

I usually trust myself to keep things safe and secure.  Perhaps it’s time to look at myself and my own habits – like being too connected when I feel safe – as potential inroads for security issues.

How secure are you?  Really?