Your coffee pot, refrigerator, thermostat, and in-home security system are all connected to the internet. Or, if they’re not now, they will be one day. Sadly, as the forgotten stepchildren of internet security, these Internet of Things devices are likely doomed to a future teeming with botnets and hackers.
But that doesn’t mean there isn’t hope for the ever-expanding IoT universe — even if it just so happens to be a thin one. While default passwords and poor update policies all contribute to vulnerable internet-connected devices, there are steps that both companies and consumers can take to make sure their security cameras don’t end up crashing Twitter (or worse).
Whether those steps will ever truly secure IoT products is unclear, but they’re at least enough to provide the smallest glimmer of hope in an industry otherwise devoid of much positive news. And it’s a good thing, too, because without that hope the ecosystem is pretty much screwed.
Bad news for IoT
Let’s take the big security news of the week: KRACK. The recently disclosed vulnerability in the WPA2 Wi-Fi protocol means that a determined hacker can both intercept and manipulate traffic between a Wi-Fi-connected device and the web. Even properly configured sytems are currently at risk, and only switching to an ethernet cable hard line (or updating with a presumably forthcoming manufacturer-issued patch) can keep the bad guys out. While it’s true that an attacker needs some physical proximity to a device to pull this specific attack off — thus reducing the possibility that KRACK would be used to create botnets — there are, and always will be, vulnerabilities discovered in existing devices.
And that’s a problem. It’s hard enough to convince people to update their computer and smartphone operating systems, let alone whatever firmware runs their smart toaster. That, plus the propensity for manufacturers to ship devices with default passwords, means that attackers can all too often find and exploit armies of devices for their every nefarious whim. That doesn’t even take into account all the products that are abandoned by bankrupt companies or manufacturers that simply decide they have better things to do than issue patches for years-old smart TVs.
When every IoT device is a potential weapon against a healthy internet, the devices themselves become a threat. And threats are to be eliminated. This very much risks being the permanent status of Internet of Things gadgets, and perhaps the smart consumer is right to be forever wary of camera-enabled refrigerators. However, that doesn’t bode well for the industry and suggests that IoT is structurally flawed.
Thankfully, there are straightforward steps that both consumers and device manufacturers can take to both mitigate the current risk posed by Internet of Things devices and make it so the IoT future isn’t a guaranteed security mess.
The Department of Homeland Security laid out a series of measures that manufacturers can take that, if followed, would go a long way toward securing the world of IoT. Those suggestions include using “unique, hard to crack default user names and passwords,” “using the most recent operating system that is technically viable and economically feasible,” using “hardware that incorporates security features,” automatically applying security patches, and developing “an end-of-life strategy for IoT products.”
When it comes to some of these recommendations, consumers don’t have to wait for device manufacturers to act. Taking measures into your own hands is a sure fire way to make sure they get done, after all.
For starters, when it comes to the default passwords devices are frequently shipped with: One of the first things the new owner of a shiny IoT gizmo should do is set a unique password. This should be easy, and will help keep it out of botnets. It should also, in theory, be simple to update a device when patches for security vulnerabilities are released. Security-focused hardware is out there in the world, too. You can buy routers that are specifically designed to monitor for things like suspicious web traffic.
Perhaps the hardest part, simply from a psychological standpoint, is knowing when to say goodbye. If the company that made your widget goes out of business or stops issuing updates for it, you and your camera-enabled vibrator may just have to part ways. We know it’s sad, but it’s also for the best.
While, in the end, the smartest security move may be to not to fill your home with IoT gadgets in the first place, that’s a hard sell for people who generally like and find value in their various internet-connected devices. And those people deserve device security just like the rest of us (besides, their unsecured stuff can gunk up the internet for everyone else).
The IoT ecosystem has a long way to go before it’s not plagued by zombie coffee makers and easily hackable webcams, but with a serious concerted effort and pressure on manufacturers we may one day get there. Here’s hoping that we do, or the only place your favorite web-browsing toaster will belong is in the dumpster.