Your forgotten IoT gadgets will leave a disastrous, toxic legacy

With IoT devices increasingly a part of the real, physical world, something needs to be done to avoid disaster in the event of a cyberattack against connected systems.
Written by Danny Palmer, Senior Writer

Video: Rapid IoT creates security headache

Billions of Internet of Things devices exist in offices and homes across the world, including everything from sensors and home assistants to connected children's toys.

But many producers of IoT devices have rushed out products with almost no thought put into cybersecurity. Not only has this resulted in data breaches as a result of IoT products with weak security, but also ended up with connected devices being roped into botnets and used to carry out DDoS attacks, or being used as an entry-point for hacking into the wider network.

While the idea of IoT devices being exploited to carry out devastating cyberattacks might seem far-fetched, it's worth remembering that technology moves forward at an alarming rate: IoT devices distributed in the next few years could still be operating in ten or twenty years -- with no way of receiving security updates.

That means bugs and vulnerabilities could come to light in that time which just can't be fixed due how the technology is built now.

"Ten years ago iPhones were on the periphery and Windows XP was bleeding edge. Now we're looking at Windows XP being so vulnerable. It's not just lack of updates, the fundamental design from an engineering standpoint is weak. It in no way represents our understanding of security. That was just ten years ago," says James Lyne, global security advisor at Sophos.

A decade ago, smartphone producers may not have thought that their devices could be used by criminals to distribute malware or illicitly used to make money, but they are, and IoT devices could go the same way in the near future.

"Five years from now could IoT devices represent a new channel for attacks or monetisation acts? It isn't far-fetched. It's tangible," says Lyne.

Our homes are already filled with connected devices, from health monitoring tools, kitchen appliances or IP cameras, to children's toys and gadgets. But useful or not, products shipped in 2017 have the potential to become problematic down the line, something which could cause issues in the physical world as well as the online one.

Many of the embedded devices of today can't be patched easily, if at all, and that's going to cause problems in the future when hackers find vulnerabilities in them and exploit them for their own gain -- and nobody wants to deal with a pacemaker infected with ransomware.

"You have devices like that baked into cities, building, bodies where the expectation is 20 years of longevity. That's a total engineering issue for us to overcome," says Lyne.

Even if IoT vendors get their act together and develop devices which can easily receive software updates, will users apply them? It's relatively simple to apply patches to operating systems -- but still people choose not to, leaving them open to cyberattacks which vendors have issued updates to protect against.

If people can't be bothered to a patch their laptop or their phone, will they make the effort to apply patches to every IoT device in their home? Will they dig around under the sink to detach and update a pipe monitoring device? It seems unlikely.

Worse, even if they know their product is vulnerable to attacks -- or even if it's already been roped into a botnet -- they may not care because it isn't causing damage to their own home or the infection isn't preventing them from using the device.

"I had a really eye-opening experience during Mirai, because we were fingerprinting some of the devices that were launching the denial of service attacks and figuring out where they were and we were actually able to locate some of them so precisely we could call owners up," says Mikko Hypponen, chief research officer of F-Secure.

He managed to phone up some of those who'd had their devices infected and roped into the Mirai botnet being used to carry out a global DDoS attack, which took out high profile online services including Twitter, Netflix and the PlayStation Network -- but they didn't seem to be bothered, because the device still worked as it was supposed to for them.

"Their heat pump works, they can use it, it isn't breaking down because it's carrying out a DDoS attack. So for them there's no problem and the fact their heat pump is causing problems for someone else -- they don't care, they're not going to fix that, they're not going to spend money to fix a problem that's not affecting them," he says.


As homes fill up with internet-connected devices, what will it take to ensure they can't be turned against the user or exploited for cyberattacks?

Image: iStock

Despite the global impact of Mirai, Hypponen thinks the lack of reaction means it wasn't "the wake-up call we needed" and that something bigger will likely occur before IoT security is taken seriously. That could be an IoT-enabled attack which has real-physical consequences.

"Everything is becoming a computer in every home -- everything that's connected to electricity will be connectible. When we have conflict crisis and war in the future, this is going to make it so much easier to disable a whole nation," says Hypponen.

Hackers knocking out Ukraine's power grid has demonstrated how a cyberattack can be used to disable infrastructure -- and it's possible that IoT devices will provide attackers with additional ammunition for cyberwar.

"If you really want to look at nightmare scenarios, you'd come up with ways of attacking devices in every household in a country and make them catch fire; starting a fire in every household in a nation in the same minute. The war would be over immediately, no fire brigade would be able to handle anything like that," he says.

Yes, such an attack might seem like a fictional concept right now - but 15 years ago, a carrying around a high-powered computer in your pocket did too, let alone that it could be exploited as a cyber weapon.

It's why organisations, security providers, regulators and governments must come together to think about how IoT products are built and how to futureproof them - otherwise those products forgotten products could return with a vengeance when it turns out they are insecure and can't be patched against attacks.

"I think we're at a real tipping point right now when it comes to physical devices, connected devices and security," says Rik Ferguson, vice president of security research at Trend Micro.

"We've got a chance to change the landscape now, to begin enforcing standards, and as a security community get involved with the hardware manufacturing community, otherwise we're going to be left with this toxic legacy of connected devices that won't go away for a very long time,"

While the idea of hackers being able to infiltrate your internet connected kettle or toaster might not sound particularly scary to the average person on the street, there's the very real prospect that they could be soon be sharing cities with self-driving cars.

They're internet connected computers on wheels and if any vehicle is allowed onto the roads with security vulnerabilities which allow them to be remotely hacked and used to cause accidents, that's going to result in consequences, not just to property, but to people.

"This is the kind of stuff that if we don't concentrate and think about the real world physical ramifications of what security means, that's where we're going," says Ferguson. "It's no longer about breaking into machines and stealing information - our interconnected world and our internet connected humanity are at risk".

The US government and the European Union are among those attempting to regulate the Internet of Things, but lawmaking can be a long, drawn out process.

It could be years down the line before product manufacturers need to adhere to safety regulations for IoT security like they do for fire regulations for many of the same products. By the time the law comes, we could already have a legacy of tens of billions of IoT devices in the world, large percentages of which could be ripe for attackers to exploit.

It might seem far-fetched that such devices could be used for devastating attacks now - but the cyber criminal ecosystem evolves quickly. IoT manufacturers need to ensure the problem is fixed sooner rather than later.

Previous and related coverage

How SMBs can maximize the benefits of IoT initiatives [Tech Pro Research]

IoT isn't just for the big players-in fact, smaller companies often have better agility to implement practical initiatives for both internal operations and commercialized solutions.

Internet of Things security: What happens when every device is smart and you don't even know it?

When IoT devices are everywhere, the security headaches just get worse.

IoT devices will outnumber the world's population this year for the first time

But analyst firm Gartner has slashed its 2020 forecast for Internet of Things devices by 20 percent, or five billion units.


Editorial standards