The Internet of Things is seen by many as the next great technological leap of this generation. Internet connectivity is all about convenience, and the rapidly lowering prices of the hardware necessary to get online are making it easier than ever to connect just about every object on the market. However, the IoT is still in its early stages, and that means criminals from all around the world are working diligently to break it.
There is already a major problem of people not taking proper cyber security precautions with devices such as smartphones, and this issue is only going to get worse with the introduction of unconventional connected devices. So where do the challenges lie, and what should the average consumer do to overcome them?
The ways hackers are developing to gain access to IoT devices are just as varied as the gadgets out there. Trend Micro researchers have noticed that a lot of these IoT machines rely on outdated protocols such as TCP/IP. This is cause for concern because hackers have had years to devise ways to bend these protocols to their whim. What's more, the operating systems that IoT devices use are generally out of date as well, which simply compounds the problem.
However, perhaps one of the easiest ways for hackers to access IoT machines is through a lack of proper password protection. As stated, a lot of people have trouble understanding that their smart devices need just as much protection as their computers, and in fact function in very similar ways. To that end, a large portion of the population isn't aware that IoT gadgets often have passwords.
Much like many other pieces of hardware, certain IoT machines have preprogrammed default passwords to allow workers in the factory to test the device's functionality. When people don't change these passwords, they're opening themselves up to attack. Hackers can very easily find these phrases online – or even guess them – which allows them to gain control over the device's inner workings.
Hackers have proven they can own these devices
Clearly, there are a lot of security issues within IoT gadgets, but where does the extortion come in? Well, hackers Andrew Tierney and Ken Munro decided to answer this very question at DEFCON 2016. This pair went ahead and developed a method for downloading ransomware on a smart thermostat, the exact brand of which they refuse to disclose.
Basically, this attack works much like a regular ransomware infection in that the user no longer has direct control over the device. However, the key difference is that instead of encrypting files, this particular piece of malware cranks the heat up to 99 degrees Fahrenheit and literally sweats the victim until they pay a ransom of one bitcoin. To add another layer of misery, Tierney and Munro changed the PIN needed to unlock the device every 30 seconds.
Although this particular attack was levied via a local SD card slot connection, it certainly could have been pulled off from far away simply by fooling the victim into downloading malware onto the device. What's more, Tierney raised the point that a hacker could also easily sell a used smart thermostat online with the ransomware already present.
There is hope
Despite all the doom and gloom here, users shouldn't steer clear of the IoT just because it has security vulnerabilities. To begin, quite literally every connected device can be hacked if proper cyber security measures aren't taken. Something as simple as changing the default passwords on your IoT gadgets could easily prevent disaster.
On the other hand, there's a lot of money going into IoT security research right now. In fact, Gartner expects IoT cybersecurity spending to exceed $547 million by 2018. As the trend's popularity continues, this number will most likely continue to go up, but the point here is that there are people working to make the IoT safer.
With the increasing number of IoT devices comes the risk of extortion. But the same could be said of the increase in smartphones, laptops or tablets. Those willing to take the extra steps necessary to protect themselves will most likely be able to avoid a run-in with a hacker.