The article tells us the story of the IoT (Internet of Things) and, while recognizing its benefits, highlights a frequently overlooked challenge regarding it: security.
The IoT is a term that is gaining more and more presence in our lives. An acronym for Internet of Things, the IoT describes the network of physical objects enhanced with software through which data is shared among said objects with other devices and networks. From household appliances to industrial tools, this network contains a wide array of devices and is rapidly spreading: it was estimated that there were 22 billion IoT-connected devices in use all over the world by the end of 2018, a number that is forecasted to go up to 50 billion by 2030.
Everyday objects connecting to the Internet may sound futuristic, but it is not a new concept. The first IoT device was actually invented in the early 1980s when a group of Carnegie Mellon students installed micro-switches into their campus Coca-Cola vending machine so that it could report how many Coke cans were left in the machine and whether the sodas were cold. Developments accrued in the 90s, as John Romkey connected a toaster to the Internet for the first time in history, and a group of Cambridge students programmed the first web camera prototype to take photos of their computer lab’s coffee pot three times a minute so that they could remotely confirm whether coffee was available. In 2000, LG Electronics introduced the first refrigerator that could connect to the Internet. With this appliance, consumers could do their grocery shopping online and could even make video calls.
The evolution of IoT technology has continued to accelerate recently, thanks to advances in related technologies. The decreased cost and increased reliability of sensors, the increased accessibility of cloud platforms, and progress in Machine Learning (ML) and Artificial Intelligence (AI) are rendering IoT devices omnipresent.
The IoT obviously brings benefits to both businesses and consumers. More effective supply chain monitoring, enhanced efficiency through the smart automation of certain tasks, and facilitated real-time and historical analytics thanks to the data collected by IoT tools have benefited businesses, while consumers can now enjoy smart energy saving and increased comfort both at home and in the office. IoT devices collect data about the production patterns of companies and consumption patterns and lifestyles of consumers, and share them with other devices, eventually making smart choices and adjustments for increased productivity or convenience.
But…how do we know whether this data stays home?
The IoT surely collects valuable information. On the producer side, the data found may serve rival companies well , whereas on the consumer side, the data collected, on an aggregated scale, may benefit all companies trying to create well-tailored products. And data on a particular individual may also, well, be helpful to a burglar or a conman. Therefore, it is important to prioritize security while adopting IoT devices and be mindful of the security challenges presented by this rapidly developing technology.
At present, many IoT devices are vulnerable to malware and hacking, partially due to weak passwords: default, easily guessable or hard-coded credentials make hackers’ jobs quite easy. The issue with IoT devices is that they are released onto the market with very simple default passwords, which users tend to not change or, even when they do, to give all devices the same password.
The Mirai botnet incident of 2016 tells us how dangerous it can get. A botnet is a network of internet-connected devices or “bots” that hackers create after breaking into devices. With the help of the botnet, these hackers can conduct cyberattacks. They traditionally targeted PCs but since those are now much more secure than they were in the past, other IoT devices that lack the same level of security “have become the new black”. What Mirai (the Japanese word for “future”) did was scan the Internet for open Telnet ports, and then try logging in by utilizing 61 commonly-used default username and password combinations. The hackers were able to hack into and connect many IoT devices, showing that many users go with default passwords when it comes to these devices. Then they carried out distributed denial-of-service (DDoS) attacks with their botnet on the Krebs on Security site and the French webhost OVH. After the attack, those responsible posted the code for Mirai online, making way for copycat or similar attacks. About a month later, the code was used for taking down several frequently visited websites such as GitHub, Twitter, Reddit, Netflix, and Airbnb. Today, the most active botnet on the Internet is Mozi, a Mirai-type network active since 2019.
Sophisticated, device-specific passwords may provide an extra layer of security but they cannot solve security issues stemming from the manufacturer’s side. IoT devices are not provided with security updates as frequently as PCs or mobile devices, which render them vulnerable to cyberattacks over time. There are also interface problems, such as poor or nonexistent encryption, authentication, and authorization. All these put the devices and data of users at risk.
PCs have become more and more secure over time, as did mobile devices. Therefore, it is not unreasonable to expect that the same will happen for other IoT devices. However, given that manufacturers are still trying to address the security challenges, it is important to acknowledge the risks of using such devices and to obtain as much information as possible before buying one.