That Internet-Enabled Device Under the Tree is an Open Door for Cybercriminals

The baby started to fear the dark when he was three. It wasn’t an unusual fear or an unusual age for night terrors, so at first his parents went through the usual motions. Don’t be afraid. There’s nothing out there, it’s the same room as it is in the daytime. It’s the chair, the dresser, just shadows. There are no monsters.

But there were.

There were voices, the child whimpered, speaking to him in the darkness. “Wake up little boy,” they said. “Daddy’s looking for you.”

The fear was so persistent and the phrasing was so unusual that the parents didn’t know what to make of it. Then, one night, as the mother was entering her son’s room, her husband heard it, too. “Look,” it said. “Someone’s coming.”

And then it was silent. But on the small Foscam baby monitor that they had placed in the room to watch over their sleeping child, the woman could see the night vision lens slowly turning to look her over.

Although it’s certainly a horror story, it’s no movie, and there is good reason to be afraid. The internet-enabled camera had been hacked and was being controlled by someone outside the family. There was no way to know who, or where.

And it’s not an isolated incident. A 2015 Computerworld article lists a half dozen similar incidents, many involving small children.

Welcome to cybersecurity issues on the Internet of Things.

Like Other Technology Waves, The IoT Is Being Rolled Out Without Security Considerations

It’s almost the first thing you hear when you hear the IoT mentioned in media today—what is the world going to be like when hackers can attack your coffee maker and dishwasher? Although it’s fodder for a lot of late night television jokes, the problem is real and serious. IDC projects that global spending on IoT will exceed $1 trillion by 2020, with almost 31 billion separate devices connected to the internet.

Many of those devices will not have been properly secured coming off the assembly line. Some of them will be abandoned by their manufacturers and live out long years in service without any official patches ever being delivered. And many of them will end up on networks you are responsible for, quite possibly without approval or permission.

Although the news focuses on consumer uses, the IDC predicts the largest user segment to be commercial and industrial. This puts the issue squarely in the wheelhouse of corporate information security teams, most of whom are not prepared for the proliferation of semi-independent smart devices.

The great danger lies in the sudden explosion in complexity. Small, cheap devices with significant flexibility and processing power will overwhelm existing tracking and security systems. For perspective, the global install base of PCs is expected to be about 4 billion by 2020, and another 6.1 billion smartphone users… Combine both of these and multiply it by three, and that’s the number of IoT devices expected to come online over the next two years.

That’s not a lot of time to prepare, and even less when you consider the exploits have already begun.

IoT Devices Are Already A Significant Threat Without An Easy Answer

The threat rapidly moved from theoretical to real in 2013. Security researchers uncovered a botnet being used for massive spamming attacks that was almost 25 percent composed of smart devices, including TVs, multimedia home entertainment devices, and at least one refrigerator. Wireless cameras have been getting hacked for a long time, but now they are being repurposed as hacking tools themselves—a vulnerable model was turned into a botnet for DDOS attacks in 2016.

These attacks are simply conventional hacking techniques that are being applied to the generic processor and operating systems that run IoT devices, however. In fact, it’s not clear in many cases that attacks have been made specifically against the IoT… the worms that are used are aimed at specific software vulnerabilities, which also happen to be present on these devices.

When hackers start going after the specific capabilities offered by these IoT devices, cybersecurity professionals are looking at a whole new world of hurt.

A preview of this brave new world came in 2010 when a new virus called Stuxnet was found infecting a specific brand of PLC (Programmable Logic Controller) boards from Siemens. It developed that these type of PLCs were those in the core of centrifuges being used by the Iranian government in its nuclear weapons development program to refine uranium. The virus caused the centrifuges to overspeed, ruining the expensive equipment.

Although Stuxnet had all the hallmarks of a limited, state-sponsored attack, black hat hackers are sure to follow their lead. Cybersecurity researchers have already begun to uncover specific security holes in devices that can be leveraged to accomplish everything from stopping heart monitors and drug dispensers, to crashing vehicles and bugging Barbie dolls.

When programmable, connected hardware is integrated with machines that haven’t used it previously, many new advantages and capabilities are unveiled. But so are many vulnerabilities, leaving cybersecurity experts scrambling.

So far, the response has been largely a redoubling of the same basic security precautions recommended for all networked devices. It’s not clear that this strategy is even entirely possible considering the proliferation of devices.

Experts are calling for device developers to put more security consideration into product design, but if history is any guide, economics will win out over safety.

Additional network scanning and endpoint monitoring is another natural response, but the numbers of devices and the proprietary nature of closed systems will limit this approach.

It’s genuinely unclear what solutions exist for securing the Internet of Things but one thing is certain: cybersecurity professionals entering the field today will face the question as a matter of ever increasing importance over the course of their careers.