How your connected home or office is a gift for hackers, criminals, and cyber spies

The Internet of Things needs to learn how to secure devices -- and fast.
Written by Danny Palmer, Senior Writer

Who is on the other side of the webcam -- and what do they want?

Image: Ken Seet, © Ken Seet/Corbis

Internet-connected fridges which order your food, virtual assistants which react to your every voice command, and applications which allow you to remotely control almost every aspect of your home: today's technologies increasingly make The Jetsons look like a prophetic message about the future.

That cartoon offers an idealised view at the world of tomorrow and didn't anticipate some of the problems a space-age society might face: George Jetson was never locked out because the home got hacked, and Rosie the Robot was never out of service after being infected by ransomware.

Installing the latest technology can provide you with many conveniences, but it also opens up additional entry points for attackers, especially as more and more everyday devices become connected to the internet -- and are more and more capable of storing and recording information on almost every event in your life.

"Phones, since they're such a personal extension of your lives, have a lot more security mechanisms than your television, but there's not much difference between your television and your phone," says Dan Wiley, head of incident response at Check Point Software.

"[Your television] may not be mobile, but my God, can you imagine what the television would say about you if the camera was on? About what you're watching, or what you're saying? There's a hell of a lot of information you could gleam off someone in that way."

The idea of your television spying on you might sound far-fetched, but it isn't: manufacturers and advertisers already monitoring viewers and collecting data about them.

"The more technology we bring into our lives, the more opportunities we create for cybercriminals," says James Lyne, global head of security research at Sophos. "The baby monitor might not be interesting to a cybercriminal, but the fact that the baby monitor is connected to the network where you do your internet banking is."

Internet-connected devices which have poor security -- or no security at all -- can provide multiple avenues for hackers to gain access to your network for malicious activity.

"People don't necessarily think about the invasiveness of these devices. People think about malware as going after credit cards, but as we build-in GPS, cameras, and microphones to connect devices which help manage our shopping... cybercriminals will find new and creative ways to monetize it. It's what they do best," says Lyne.

The reason they haven't already done so, he says, is "because it's taken them time to find ways these devices could benefit their political or monetary goals".

For example, although our homes are full of cameras, it still takes effort for hackers to make money out of those images.

"It won't be a [situation] where everyone's microphone or video camera is turned on, but if there's something that's going on that [criminals are] particularly interested in, then there's absolutely reason to go after this kit."

Like any form of cybercrime, hacking a bigger target, even if it means playing a long game, can prove to be much more lucrative. So if internet-connected devices like CCTV cameras, video conferencing systems, and phones enable outsiders easy access to a network, what's to stop hackers conducting corporate espionage against a significant target?

"We had a case where we went into a law firm in London to do a trial with them, and found that someone outside of their business had been live streaming audio and video from the boardroom -- and it had been going on for a fortnight before being detected," says Dave Palmer, director of technology at Darktrace.

And the number of potential attack vectors is only going to grow as more and more devices, such as Amazon Echo and Google Home, watch and listen in to our lives. People are enthusiastically bringing these into their homes and workplaces, but aren't considering -- or worse, are unaware of -- the implications of what information a device which is always listening could hear and transfer to another party, be it the product manufacturers, government, or criminals.

"The funny thing is we're just accepting it and letting it in. If you look at Amazon Echo or Google Home, the amount of information they're already gleaning about your habits and thought processes is pretty incredible," says Check Point Software's Wiley.

Like every other activity, be it malicious or not, technology and internet connectivity are making the ability to spy on people far easier than it ever has been. This is true not just for the likes of the NSA and GCHQ, but for anyone who can remotely break into the infrastructure of one of these ever more pervasive devices.

"[George Orwell's] book 1984 has taught us a lot. I'm not sure how far away we are from that sort of reality, but it doesn't feel like it's too far away," Wiley says.

There's still time to build security into internet-connected devices -- but it must happen soon, or hackers will gain an advantage over us.

"The whole IoT industry mustn't underestimate that they will be in [cybercriminals'] sights and that they haven't been so far by virtue more of lack of interest, not that it isn't possible. Wouldn't we rather as an industry learn all those lessons while they're still toys before they're in the wall and you can't rip them out?" says Sophos's Lyne.

Read more on cybercrime

Editorial standards