The Internet of Things: how safe are your smart devices?

    6 January 2020

    After years of marketing hype, it seems the much-heralded Internet of Things (or ‘IoT’ to those in the know) has finally arrived. From washing machines and heating systems that can be controlled from your smartphone, to doorbells that learn to recognise regular visitors and broadcast suspicious activity, more and more of us are upgrading our homes with internet-enabled devices. But have we stopped to think about the cybersecurity of this new technology?

    One expert isn’t convinced we’ve thought it through. Mikko Hypponen is chief research officer for the Finnish digital security company F-Secure. Having observed the rise in IoT devices, he’s coined a new maxim to alert consumers to their potential dangers: if it’s smart, he says, it’s also vulnerable. ‘It’s a pessimistic rule,’ he tells me during a stopover in London ahead of an industry speaking gig – ‘but it’s a true one too: the more connectivity we add to our homes, the more vulnerability we create.’

    The big risks for IoT devices fall into two broad categories, he explains – both of which are already being exploited by cyber-criminals. The first and more obvious vulnerability is that smart devices might serve as a backdoor into our home networks, allowing hackers easier access to our laptops and smartphones and all the valuable information (from passwords to credit cards) that entails. In cybersecurity circles, the examples are already becoming legendary: like the Las Vegas casino that reportedly had its high-rollers database stolen by hackers who entered the network via a smart fish-tank.

    ‘Smart devices – like fridges and doorbell cameras – are typically the weakest link in your home network’, Hypponen says. It’s a problem compounded by the fact that buyers are rarely encouraged to take even the most basic of safety precautions – such as changing the device’s password from its default setting. Along with other new technologies (in particular cryptocurrencies like Bitcoin that allow for untraceable payments) it’s led to a spike in ransomware attacks, where hackers render computers useless until the user sends them a large sum of money. One of the most famous ransomware viruses was the WannaCry malware, which infected NHS computers in 2017 – apparently at the instruction of North Korea.

    So what can owners do to protect their own devices – and their wider home networks – against attack? One obvious step, according to F-Secure, is to ensure your WiFi network is as secure as possible. That means changing its name (thus making it difficult for hackers to identify its make and model – and, from there, its security flaws), using WPA2 encryption, and ensuring you use a secure password. As for IoT devices themselves, owners should be sure to change the default password and also look at disabling certain features – like Universal Plug and Play – which make it easier for hackers to exploit their vulnerabilities.

    While ransomware attacks are on the rise, Hypponen is also interested in a newer form of cyber-crime which targets the next wave of smaller IoT devices – like toasters and hairdryers – which connect directly to the internet using 5G. Hang on a minute, I ask. Who needs an internet-enabled toaster? Well, no-one, admits Hypponen. Yet he simultaneously predicts that, as internet-connectivity becomes cheaper and cheaper, it will soon be impossible to buy toasters that don’t connect to the internet.

    How so? The reason is that toasters aren’t going online to provide new functionalities to the customer: instead they’ll be providing manufacturers with real-time data on exactly how the device is being used. This kind of mass data is extremely valuable to manufacturers, allowing them to continuously improve their products, but it also makes devices vulnerable to cyber attack – particularly given many use only the most basic encryption and don’t always allow users to change their settings. In the past year, Hypponen says, he’s seen more cyber attacks on IoT devices than Windows computers.

    Given these devices aren’t usually connected to your home network (they access the internet directly through tiny 5G chips), the aim isn’t to get hold of your personal data. Hackers want to recruit your devices into their ‘botnets’ – vast swarms of captive IP addresses that can be used to attack internet servers by sending an overwhelming flood of nonsensical data. In 2016, millions of such devices across the world were harvested in the Mirai botnet, which managed to take down websites from Twitter to the BBC, and Spotify to Fox News. It remains one of the largest cyber-attacks of recent history.

    So what’s the solution? Hypponen says that industry has been slow to act – partly because consumers don’t suffer directly if their devices are targeted. ‘During the Mirai attack, I called one office because we could see that a heat pump in their network was part of the botnet,’ he says. ‘I asked them “do you own this particular model of pump? Well are you aware it’s being used to help take down half of the internet right now?”’. He says that the company was fascinated to hear about the botnet, but wasn’t particularly motivated to spend its own money to secure its devices. Of course many more won’t even know the breach has taken place: a study by the Dutch digital security firm Gemalto found that less than half of businesses were able to identify when an IoT device had been hacked.

    Hypponen contrasts the approach taken – by both government and industry – to cybersecurity with the more established approach to consumer safety. ‘If you buy a washing machine, you can be certain it’s not going to catch fire or give you an electric shock as we certify those things,’ he says. ‘But there’s no regulation at all on whether the machine might end up revealing your WiFi password to hackers.’ Though that might be changing: the UK government has begun consulting with experts and industry on how to develop appropriate safeguards, while Finland has just become the first country to introduce a government-backed quality stamp for those products which meet basic cybersecurity standards.

    With around a quarter of British homes already using smart devices – and another 40 per cent saying they would consider buying one in the next five years – it’s an issue which won’t be going away any time soon. Something to keep in mind when you’re eyeing up your new toaster.