Devices connected to the internet of things may present a security risk as hackers demonstrate the vulnerability of smart homes to cyber attacks
Netflix hacker drama Mr Robot is so well researched that if something is possible in the show, you can be sure it’s possible in real life. So the first episode of season two should give at least a moment’s pause to everyone busily wiring their Amazon Dot to the Nest thermostat, Bosch smart washing machine and wi-fi-enabled kettle.
A high-ranking member of the board of the show’s fictional multinational corporation returns to her swanky, futuristic apartment to relax. First, her alarm goes off. Then her projector turns on by itself as a screen descends from the ceiling. She manages to turn these off, then the lights start flickering, loud music bursts from her speakers, water starts boiling and finally the phone rings. No one’s on the line. It’s like a horror film. Understandably she flees.
From science fiction to science fact
In May, researchers at the University of Michigan, working with Microsoft, discovered they could pull off disturbing tricks over the internet, from triggering a smoke detector at will to planting a backdoor PIN code in a digital lock that offers silent access to your home.
“If these apps are controlling non-essential things like window shades, I’d be fine with that. But users need to consider whether they’re giving up control of safety-critical devices,” says Earlence Fernandes, one of the University of Michigan researchers. “The worst-case scenario is that an attacker can enter your home at any time they want, completely nullifying the idea of a lock.”
The spread of the internet of things (IoT) is well underway. This year has seen Samsung debut a fridge that can play music and check the weather, LG announce a wardrobe that steams and smooths your clothes while Intel’s Tiny House includes a touchpad to control music, TV and weather news.
Soon we’ll be finding smart functionality in everything from baby monitors to our jackets. Some 83 million cars with smart functions, as well as 2.3 billion computers, will be sold this year, according to Niall Murphy, chief executive and co-founder of IoT smart platform EVRYTHING.
His company expects to fit some kind of smart functionality to ten billion items of clothing and roughly 20 billion food and drink packaged items. “Unilever sells two billion items every day,” he says. “As this becomes smart, it will make Unilever into one of the biggest media companies in the world.”
But there are serious privacy and security concerns. US director of national intelligence James Clapper recently told Congress that smart homes give intelligence agencies ample opportunity to spy on targets. If your smart TV is watching you, isn’t that literally a scene from 1984?
Mikko Hypponen, chief research officer at security firm F-Secure, sees cars as an obvious target for hackers. In 2015, hackers discovered vulnerabilities in Chrysler’s Jeep Cherokee that allowed for vehicles to be controlled remotely from thousands of miles away and managed to open BMW vehicles remotely.
“Someone’s going to wake up one morning to do the school run and find they can’t start the car until they pay up a serious amount of bitcoins,” Mr Hypponen warns. “The internet of things allows much more visible crimes than we’re used to in the consumer space – and certainly much more painful.”
When it comes to the smart home, security researchers’ biggest fears are the ability to force entry and the chance to engage in hackers’ latest favourite trick, Trojan horse ransomware, which locks down computers completely until a fee is paid, usually in bitcoins.
In February, hackers planted ransomware on Los Angeles hospital the Hollywood Presbyterian Medical Center’s main server and demanded $3.6 million to release the hospital, although chief executive Allen Stefanek negotiated the fee down to $17,000 before paying. “It was the quickest and most efficient way to restore our systems and administrative functions,” he says.
Dave Palmer, technology director at security firm Darktrace, warns: “I suspect we’ll see the automatic targeting of assets that really will affect your day-to-day life and you’d pay to unlock pretty quickly. MRI scanners are often mentioned in healthcare, of course, but we should expect this to happen in the home.
Someone’s going to wake up one morning and find they can’t start the car until they pay up a serious amount of bitcoins
“If traditional spam crooks can pivot to taking out the things that consumers really care about in their household, I think they could make a lot of money. My family would pay to restore the smart TV if it stopped working. So you’ve got a $500 TV, would you not pay the extortion of $100 to get that back under your control?”
Dom Fendius, co-founder of connected clothing company Appaparel, adds: “There’s been lots of talk about a firewall for your home since I first started working in the internet of things 15 years ago. They’re still talking about it now, but there’s very little out there.”
F-Secure does offer one solution called Sense, which routes traffic to all the smart devices in a building through a secure network, extending to mobiles when outside the building. GCHQ’s controversial Great British Firewall may offer protection from international hackers, although white hat hacker Jamie Woodruff explains that it’s easy to hack into any IoT network from within the UK, using simple tricks such as fake wi-fi base stations.