It’s definitely a concern. Recent events have made two things excruciatingly clear:
- We’re connecting more and more non-traditional devices to the internet.
- Security on those devices is, apparently, abysmal.
So how do you protect yourself from being part of the problem? Well, as with so many things, there’s no clear or absolute answer – but I do have a couple of ideas.
The internet of things
The term that’s been flying around of late is “the internet of things”.
It’s nothing special, really. It’s not another network, it’s not something super secret or super complex. In fact, you may already have devices that are part of it.
All “the internet of things” really refers to is non-traditional devices connected to the internet. And by “non-traditional”, I basically mean anything you wouldn’t think of as a computer.
That’s really all it is.
Your PC, laptop, smartphone, and tablet are all things we conceptualize as computers. Even your printers and gaming consoles are easily understood to be computers on the inside. Naturally, your router and other networking devices are also what we’d call “traditional” things connected to the internet.
On the other hand, so-called “smart” TVs, security cameras, light switches, light bulbs, refrigerators, washing machines, and perhaps even toasters are being connected to the internet for a variety of purposes. Whether you think it’s the best thing since remotely-controlled sliced bread, or the silliest thing you’ve ever heard, the internet is being used in new and novel ways for all sorts of things we’d never considered before.
That whole “never considered” thing is actually part of the problem.
The (lack of) security of things
Who would want to hack a light bulb?
That appears to be exactly the kind of thing happening in recent distributed denial of service (DDoS) attacks.
Hackers aren’t interested in playing with your lighting. They are interested in using the tiny computer inside your light bulb (or other internet-connected smart device) for their purposes elsewhere on the network.
Computer in your light bulb?
Indeed. The easiest – indeed, the cheapest – way to make a device connect to the internet is through a general purpose interface that is, for all intents and purposes, a computer. It may not run Windows (though it might be running Linux), and it may not have as many functions as your desktop computer, but it’s a computer nonetheless. The protocols used to connect to the internet, as well as interface with the device itself, are complex enough that a fair amount of computing power is required to make it happen.
And as we all know, computing power is dirt cheap these days.
Sadly, security is not. Security requires forethought. What we’re finding is that security is often an afterthought.
What can you do?
Being behind a router is the first step. The problem is, it’s probably a step you’ve already taken. In fact, it’s probably a step most people have taken, and yet internet-connected devices are being hacked on a regular basis anyway.
The single most important step? Change the default password on every internet-connected device you own. Apparently, a large number of hacks have been simply that: attackers discover the device through some means, and are able to log in to the administration of the device, because the owner never changed the default password.
In this case, it seems just about anything other than the default will cause attackers to move on, looking for a vulnerable device elsewhere. Use a strong password anyway, to future-proof yourself from the day when hackers get more aggressive. It’s very likely, for example, that devices do not have brute force log-in protection, and could allow an attacker to try to log in using every possible password.
What you can’t fix …
What you can’t fix is bad design.
There are so many ways these inexpensive internet-connected devices can communicate, there’s a near endless supply of things that could go wrong.
For example, many devices use unencrypted connections to reach out to the internet, since HTTPS takes more work. That means it’s possible for hackers to see, and perhaps intercept, traffic to and from the devices behind your router. It’s possible that a single compromised device could expose other devices behind your router. Or it could mean nothing at all, depending on the device.
Unfortunately, aside from paying attention to news reports listing specific brands, devices, and models, there’s no practical way to know if your devices are involved.
Aside from disconnecting it from the internet, it’s almost impossible to know whether or not your refrigerator is helping to take down websites.
What I do
As geeky as I am, I have surprisingly few “internet of things” things. Don’t get me wrong – I have many devices connected to the internet, but they mostly fall into the category of “traditional” devices. Computers, laptops, mobile phones – even Amazon’s Echo – all qualify as more-or-less full-fledged computers.
The one exception is that I do have so-called “smart” TVs. It didn’t take long for me to feel that they weren’t smart enough; in the interest of preserving internet bandwidth – for a long time a scarce commodity here – I left them disconnected. I notice no function or feature loss by using them without connectivity.
While some of the features and functionality of newer devices are appealing, they’re not appealing enough – to me – to make it worthwhile to buy something just because it can connect to the internet. If I were building a home from scratch, I’d probably build more in, but as it is, each device is a case-by-case decision, and the connectivity just doesn’t add that much value to the way we use our devices.
That may change over time, as we learn new ways to make use of that connectivity. Hopefully, in the meantime, we’ll also learn how to make them secure.
What is frustrating
What’s particularly frustrating for internet technologists is that we’ve been here before.
All the lessons we’ve learned over the years from technologies like Bluetooth (originally very insecure), wireless keyboards, and even the Wi-Fi protocols we use every day have been, for the most part, ignored by the manufacturers of these new internet-connected devices. They opted for cheap and fast-to-market over keeping things secure.
So we learn the lessons again.