Tag Archives: Internet of Things

Danger (still) lurks in the Internet of Things (IoT)

CES 2016 has come and gone, and even though I didn’t attend (it’s been 15 years since I have), all of the media, both “mainstream” and “tech”, has gushed over all of the new appliances and devices that are now in the category of what we would call the Internet of Things: items like home security, home lighting, and refrigerators, to name a few.

There are many advantages to having connected appliances and devices, but, as I’ve written before (here, and here), there are threats as well.  Threats that can and will be exploited if unsuspecting users don’t secure them.  Last week (1/13/2016), Dark Reading interviewed the CEO of Trend Micro, Eva Chen, and she described some very real concerns, including two “layers” of security that they offer:

The first layer of offering we do is a security API that will provide [a way] to easily do a virtual patch, to prevent a remote attack, for example . . . the third layer is cloud: IoT cannot do anything without the cloud.  Most data is sent to the cloud and you will need to have proper protection and make sure the cloud is always available.

In both situations, users are vulnerable, mostly due to their own apathy.  Users often either don’t know how to patch their own machines (and in this case, devices) or have glanced over how to do it and just don’t bother, or if automatic patching is available, they don’t enable it.  When it comes to cloud computing, most users just assume that if their data is “up there”, the provider will take care of security.

If you really want your refrigerator to automatically create a list of items for you to purchase (e.g., you’re running low on milk) and send that list to your smartphone (via Evernote or some other app), you’re going to have to be responsible for your own security.  If available on your IoT device, enable automatic download of patches and updating of your system.  Don’t leave your IoT device configured with the default password that it comes with; change it to a secure password (and if you don’t know if yours is secure enough, test it in The Password Meter).  Read the user’s manual to find out how to enable your device’s security yourself.

You want to see, via wireless home security cameras enabled through the cloud, what’s going on in your house?  Fine.  Just follow the security practices needed to really keep your home and its data secure.

One thing you should do if you’re into the Internet of Things (IoT)

A July 7 article in Computerworld detailed The Internet of Things: Your Worst Nightmare.

Author Preston Gralla described the nightmare that would ensue when all of our home media devices, appliances, and even our electric (well, battery powered) toothbrushes are connected to a wireless access point (WAP) router.  Now I haven’t had the problem of having a WAP burn out (ever), but nonetheless, his article discusses what happens when each device has to be authenticated to the new wireless network.  After reading his article, I’m not sure that I want to be involved with IoT, but more and more of our electronics are.  It’s just a matter of time before most of our household devices are connected to the Internet.

So what’s the one thing you should do if your devices are part of IoT? You need to make sure that your WAP is secured with a nearly unbreakable password or passphrase.  Way too many users bring wireless routers into their home, connect their devices to it, and never enable the WPA2 security.  And even if they do, they usually just keep the default password (here I’m presuming it’s a simple password) or create their own simple password (“password”, “12345678”, etc.).  Full disclosure here – my ISP-provided WAP came with a default password, and I kept it.  But this password has SIXTEEN characters, randomly generated, and includes alphas and numbers.  So given that I determined it was unbreakable (well, www.thepasswordmeter.com did that for me), I kept it.  But I certainly would have changed it if it had been something simple, and if yours is, you should change it, too.

You just never know when your refrigerator is going to get hacked and start melting your ice cream!
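The passphrase advice above, as an added example that is not part of the original post: it screens a candidate WPA2 passphrase for the weaknesses the post names and generates a random replacement.  The function names and the `COMMON` list are constructed for illustration, and the entropy figure applies only when every character was chosen at random, which an online strength meter cannot verify.

```python
import math
import secrets
import string

# Constructed sample of weak choices; the first two are the ones named in the post.
COMMON = {"password", "12345678", "123456", "admin", "qwertyui"}

ALPHANUM = string.ascii_letters + string.digits  # 62 symbols


def generate_passphrase(length=16, alphabet=ALPHANUM):
    """Return a random WPA2 passphrase drawn from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2-PSK passphrases are 8 to 63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length, alphabet_size):
    """Entropy of a string whose characters were each chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def check_passphrase(candidate):
    """Return a list of problems; an empty list means no obvious weakness."""
    problems = []
    if not 8 <= len(candidate) <= 63:
        problems.append("length outside WPA2-PSK range of 8-63")
    if not all(32 <= ord(c) <= 126 for c in candidate):
        problems.append("contains non-printable or non-ASCII characters")
    if candidate.lower() in COMMON:
        problems.append("appears in common-password list")
    if len(set(candidate)) <= 2:
        problems.append("uses only one or two distinct characters")
    if candidate.isdigit():
        problems.append("digits only")
    return problems


if __name__ == "__main__":
    for pw in ("password", "12345678", generate_passphrase()):
        print(repr(pw), check_passphrase(pw) or "no obvious weakness")
    print(f"16 random alphanumerics: {random_entropy_bits(16, 62):.1f} bits")
```

A clean result from `check_passphrase` only means none of these specific weaknesses was found; a factory default that follows a predictable pattern (for example, one derived from the device's serial number) would still pass.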

So does life imitate art, or is it vice-versa?

A few weeks ago, I guess at the beginning of March, CBS debuted its much-hyped fourth venture into the Crime Scene Investigator world – CSI Cyber.  It didn’t hurt that the lead FBI agent, Patricia Arquette, had just won the Academy Award for Best Supporting Actress, a point not lost on CBS, who made no bones about that in their advertisements of the show once she had won it.  Considering that I enjoyed her performance in NBC’s Medium, and that I teach Cyber Security, I figured I’d give it a try.

Now I’m no media critic, but to me, the characters were not only stock characters from central casting, they just didn’t ring true.  The technical constructs also did not ring true – I don’t know of any code editor that will display malicious code in red.  But the one thing that seemed incomprehensible, even in this day of the Internet of Things (IoT), was that the central premise of the premiere episode was that someone was hacking into bedroom baby-cams in order to use them to kidnap babies.  The “unsubs” as they are known, were hacking in, making it seem like the children were still in their cribs, breaking into homes, and taking the children.  The whole thing sounded preposterous, until . . . “wireless baby cam hacked” – from Computerworld:

It didn’t happen just once, an unnamed mom told KTTC. “We were sleeping in bed, and basically heard some music coming from the nursery, but then when we went into the room the music turned off.” At one point, the family faced the camera “toward the wall, and then a few hours later we accessed the Foscam, and it wasn’t facing the wall it was facing the closet.”

“We were able to track down the IP address through the log files within the Foscam software and found out that it was coming from Amsterdam,” the mom said. “That IP address had a web link attached to it.” After following the link, she found, “at least fifteen different countries listed and it’s not just nurseries — it’s people’s living rooms, their bedrooms, their kitchens. Every place that people think is sacred and private in their home is being accessed.”

After searching through “thousands and thousands” of pictures coming from IP cameras, the family saw their nursery. “You can literally just sort by whatever country suits your fancy, and whatever room suits your fancy,” the mom said. “It’s pretty sick.”

So now we have to worry about baby-cams REALLY being taken control of by wireless intruders.  What’s the recommendation to mitigate this bizarre threat?  Like any other device, it has firmware.  And that firmware needs to be updated, because just like any other firmware, security patches are included in it.  So if you have a Foscam baby-cam, you need to make sure that its firmware is current.

But that’s not all. Even if your WiFi router/access point is password-protected (and hopefully, with something more secure than the default password or just “password” or “123456”), the Foscam baby-cam can be password-protected, too.  And it needs to be.  And that password, again, needs to be more secure than just a default, or “password”.  Now, it’s true that the current version of the Foscam baby-cam forces the user to change the default password when setting it up, but if you’ve got an older one, more than a year old, you need to change that password (or perhaps, enable one if it doesn’t even have one), NOW.

Danger lurks in the “Internet of Things”

In How the Internet of Things Opens Your Home to Cyberthreats, the article begins by stating that “Frankemeat” isn’t the only thing you have to worry about in your refrigerator.  And in our ever-connected world, what sounds like science fiction may become (or perhaps already has become) science fact.  Maybe you want your refrigerator to send a message to your Android phone that you’ve run out of milk, but there’s a danger in that: the same refrigerator that allows you to key in a list of items to purchase at the grocery, and sends it to your smartphone, must have an IP address to do it.  And any device that has an IP address and is not secured can be susceptible to malware.  I’m not sure what a hacker would do with your refrigerator itself, but just think if you posted what you thought were confidential notes on your refrigerator’s “notepad.”  A hacker could gain access to that list.

The concept of the Internet of Things (IoT) is growing.  More and more seemingly unconnected machines are becoming connected.  You just have to have a new car that allows you to connect to Facebook (forget the safe driving, driving while distracted issues for a minute), or Pandora.  How do you think that car’s console is going to make that connection?  Your car has an IP address.  What if a hacker gets into your onboard computer, and just shuts down your car while you’re driving?  OK, so that’s somewhat unlikely.  But you had to sign into Facebook, even in your car, with your userid/password combination.  And now what happens if a hacker, and especially a criminal hacker, can access that information?  All of a sudden, information that you thought was secure has now been compromised.

So before you start connecting all of your “things” to the Internet, you had better think about how you’re going to secure them.  Or . . . alternatively, don’t connect them in the first place.