Connected appliances like the ones in CNET’s smart house in Louisville, Kentucky, are made with ease of use in mind. You’ll need to do the work yourself to protect them from hackers.
It’s nighttime in Saudi Arabia, so we can’t see much when Aamir Lakhani hacks into a video stream. But the fact that we can see the video stream at all is startling.
Even more surprising, we are viewing it from the conference room of cybersecurity company Fortinet, 8,100 miles away in Sunnyvale, California.
Lakhani, a security researcher at Fortinet, accomplished the hack without any coding skills, though he has those in spades. He merely went to Shodan.io, a website where anyone can find a huge trove of Internet-connected devices, from baby monitors to cars, cameras and even traffic lights.
He calls the site the “search engine for the Internet of Things,” and it allows him to hack into the video stream, picked at random, just by entering word “admin” for the camera’s username and password. That is the flip side to the promise of the Internet of Things, which is shorthand for the notion that anything and everything will be connected over the Internet.
Billions of sensors will soon be built into appliances, security systems, health monitors, door locks, cars and city streets to help manage energy use, control traffic, monitor air quality and even warn physicians when a patient is about to have a stroke. The revolution has already started. Market forecaster Gartner expects 6.4 billion connected devices will find their way into our lives in 2016. This shiny new world will be on full display next month in Las Vegas at the Consumer Electronics Show, the annual showcase of all things tech.
So what could all these connected devices possibly lead to? Mayhem, according to Tanuj Mohan, executive and co-founder at connected lighting company Enlighted.
“Things are designed to be used by humans” and not computers, Mohan said.
When computers hold the reins, criminals can grab control in unexpected ways. That connected coffee maker in the office — it wouldn’t be much of a stretch for a hacker to put it into a continuous loop and brew coffee throughout the weekend, flooding the office, Mohan said.
Mohan’s company monitors lighting systems in large commercial buildings to help his customers improve energy efficiency. Enlighted also makes sure intruders don’t take control of the lighting.
“If I turned them on and off 10 times per second on Sunday, none of the fixtures would work on Monday,” Mohan said.
Mayhem could hit at home, too. Tech-savvy thieves could look at the settings of your connected thermostat, lighting and security system to figure out you’re away on vacation. Can you say burgle?
There’s also the threat that hackers could “land and expand,” using your connected device to hack your computer. Research into the Fitbit fitness tracker, which pairs with computers over Bluetooth, points at how it might be done.
Fortinet security researcher Axelle Apvrille in October released research suggesting she could infect a Fitbit with code that could later sneak onto a computer. Fitbit disagrees. Fitbit security researcher Marc Brown said this month that his company has tried to complete an attack on a computer from its product, but cannot.
Still, the scenario shows that hackers could eventually use your connected refigerator to penetrate your home system, said Mohan, who warns that manufacturers aren’t paying close enough attention to the problem.
“They’re not yet aware of how everything they build can be exploited,” he said.
There’s an old saying that we’re only as safe as the weakest link in the chain. That saying has real meaning with the Internet of Things, where one weak link can bring down a chain of connected devices.
Remember how easily Lakhani took control of that video camera? He said that gadget makers are partly to blame because they want to make their products as simple to set up as possible. That often means using default passwords like “admin” and encouraging users to log in to their devices through unsafe web accounts.
“They all have to make it easy. That’s the problem,” Lakhani said.
There are steps you can take to make your devices safer once you get them out of the box. If you can change the default password, do it. You may also be able to set up your connected “things” so they’re accessible from only your private home network, advises Lakhani. You can still log in from afar via a virtual private network. It takes some extra steps for you, but that means it would also take extra steps for a hacker.
So yes, the Internet of Things holds the promise of lower energy costs, more convenience and healthier lives. But for everything that touches everything we touch, it’s smart to take a “safety first” approach.