The Looming Disaster of the Internet of (Hackable) Things
We're letting easy-to-hack internet-connected devices take over the world, and we have no idea how bad that could turn out.
Last January, walking through the seemingly endless showroom at the gadget bonanza known as the Consumer Electronics Show (CES) in Las Vegas, I saw a glimpse of what's to come. Big multinational brands as well as small startup gizmo-makers were showing off their latest creations in an attempt to sell us their products—and the future.
This year, the future, as it has been for the last couple of years, is focused on the internet. But now, specifically, it's about enabling every object you can imagine with web capabilities—the so-called Internet of Things.
Everyday appliances like toasters or electrical sockets made sexy and "smart." Fridges, once simply meant to keep our drinks cold, can now suddenly send us an email when our milk is rotting. Clunky thermostats now have high-res screens and can be controlled from halfway across the world.
There are already more than 6 billion "things" estimated to be connected to the internet, and there will be an estimated 20.8 billion by 2020. What you don't see at CES, however, is the darker side of the unstoppable proliferation of the Internet of Things.
Last month, hackers used a massive army of hundreds of thousands, perhaps even more than a million, hacked devices—likely internet-connected surveillance cameras and DVRs—to flood the website of the independent security journalist and blogger Brian Krebs with a reportedly record-breaking amount of bogus traffic. It was an attempt to take the site down.
You might not care if your appliances take other people's websites down. You will probably care, though, when your $3,600 smart fridge leaks your Gmail password.
This type of attack is, essentially, a form of censorship powered by our own gizmos enlisted in zombie armies. The whole scheme relied on the fact that hundreds of thousands of these devices get sold with little to no security.
In the case of the hacked cameras and DVRs, they all had easy-to-guess passwords such as "123456" or, yes, "password." Their owners are unlikely to even know about this out-of-the-box vulnerability, and the manufacturers, who are spending all their time developing the next model rather than maintaining the old ones, probably don't care because they have nothing to lose—the Internet of Things has no anti-hacking safety standards or laws to comply with.
But there are other dangers, too. If a hacker breaks into your internet-connected toilet-paper holder, which holds little to no valuable information, he or she can then more easily target your computer, which is on the same WiFi and is more likely to have interesting information such as Social Security numbers or bank passwords.
The famous saying that "the internet was not built with security in mind" is a dogma in the world of hackers and is largely accurate. It's becoming clear we can't afford to think the same way while building the Internet of Things.