Devices like smart thermostats, speakers, and doorbells might be more functional than their non-internet-enabled designs, but are they smart enough to protect themselves or the network they are on? According to a survey released in August of 2022, there were about 8.6 billion smart devices – or Internet of Things (IoT) devices – connected to the internet in 2019, 9.7 billion in 2020, and 11.3 billion in 2021. As more people bring smart devices into their homes, they might not realize the risks to security and privacy that come with them.
For example, in October 2016, a massive army of infected smart devices took down Amazon, Twitter, Reddit, GitHub, Netflix, and other sites in a distributed denial-of-service attack. The smart device army was amassed using the Mirai worm – a piece of malware. Mirai scans the internet for smart devices running a stripped-down version of Linux and checks to see if the default username-and-password combo is unchanged. If both tests pass, Mirai can log into the device and infect it. Aside from Mirai, what makes smart devices so insecure?
For one thing, smart devices are often much less complicated than personal computers or smartphones since they are built to serve a limited range of use cases. Something like a smart garage door only opens and closes, so it requires little processing power. Personal computers and smartphones have powerful processors that can support advanced encryption and dedicated security chips, but smart device processors are often too simple to host these protections. Instead, smart devices often operate on designs that are as cheap as possible for their use cases. Furthermore, software for smart devices is often rushed to keep costs down or meet a release date. Sometimes the devices are so simple that default passwords are hard-coded into the device and not chosen at random. In this case, the user cannot change the password, so an attacker has a significantly easier time guessing it.
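The default-credential login sweep that Mirai performs leaves a recognizable pattern in a device or router login log: one source trying several account names within seconds. The Python below is an added example, not part of the original article; the log format, the sample lines, and both thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "time service event user= src=" format.
SAMPLE_LOG = """\
2022-08-17T03:14:01 login login_failed user=root src=203.0.113.7
2022-08-17T03:14:02 login login_failed user=admin src=203.0.113.7
2022-08-17T03:14:04 login login_failed user=support src=203.0.113.7
2022-08-17T03:14:05 login login_ok user=admin src=203.0.113.7
2022-08-17T09:30:10 login login_failed user=alice src=192.168.1.20
2022-08-17T09:30:25 login login_ok user=alice src=192.168.1.20
2022-08-17T11:00:00 login login_failed user=root src=198.51.100.9
2022-08-17T11:00:01 login login_failed user=guest src=198.51.100.9
2022-08-17T11:00:03 login login_failed user=user src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) \S+ login_(failed|ok) user=(\S+) src=(\S+)$")
WINDOW = timedelta(seconds=60)   # assumed threshold: how quickly a sweep runs
MIN_USERS = 3                    # assumed threshold: distinct accounts tried

def detect_sweeps(log_text):
    """Map each sweeping source address to "compromised" or "attempted"."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not login events
        ts, result, user, src = m.groups()
        events[src].append((datetime.fromisoformat(ts), result, user))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, result, _) in enumerate(evs):
            if result != "failed":
                continue
            window = [e for e in evs[i:] if e[0] - start <= WINDOW]
            tried = {u for _, r, u in window if r == "failed"}
            if len(tried) < MIN_USERS:
                continue  # a single mistyped account is not a sweep
            # A success inside the sweep window means a guessed password worked.
            hit = any(r == "ok" for _, r, _ in window)
            findings[src] = "compromised" if hit else "attempted"
            if hit:
                break
    return findings

if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_LOG))
```

A "compromised" verdict means the device accepted one of the guessed logins and should be taken off the network, reset, and given a new password before it is reconnected.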
The most surefire way to avoid the security and privacy issues of IoT devices is to avoid buying them in the first place; however, in some cases, that is not an option. Most people who want the peace of mind afforded by security cameras lack the knowledge to create a DIY setup. Besides, many markets – like baby monitors – have few non-smart versions of their products. Until security and privacy become standard in smart devices, here is what you can do to mitigate risk: research a device’s security before buying it, find guides on what settings to change to plug security holes, and connect smart devices to a guest network on your router.
Unfortunately, our technology regularly evolves faster than it is regulated or safeguarded. For example, as of the writing of this article, only four states have even proposed autonomous vehicle cybersecurity legislation. Next year, General Motors will unveil the next iteration of its “hands-free advanced driver-assist system,” which is advertised to cover “95 percent” of driving tasks (Hawkins, 2022). To keep yourself safe and secure, it is always a good idea to be informed and investigate something before buying it. A great way to stay informed on the latest security trends is to subscribe to newsletters like this one.
Tips for Safer IoT Use:
- Consider if the smart version of a device brings sufficient value to justify the security risk.
- Research a device’s security before buying it. Search “[device name] hacked” in the news.
- If you buy a smart device, consider leaving it disconnected from the internet.
- Disable features you would not use: remote access, voice control, Bluetooth, etc.
- Change the device’s default password.
- Apply updates as soon as they are available.
- Connect smart devices to a guest network on your router.
- Search for guides on additional security settings to change.
Further Reading
- Amazon handed Ring doorbell footage to police without user consent | PBS NewsHour
- Alexa and Google Assistant fall victim to eavesdropping apps – CNET
- Amazon’s iRobot Deal Is Really About Roomba Mapping Your Home – Bloomberg
References
- Hawkins, A. J. (2022, August 4). Forget those Tesla crashes: GM says you can trust its autonomous vehicles. The Verge. Retrieved August 9, 2022, from https://www.theverge.com/2022/8/4/23290893/gm-autonomous-vehicles-cruise-super-cruise-tesla
- National Conference of State Legislatures. (2022, July 20). Autonomous Vehicles State Bill Tracking Database. Retrieved August 17, 2022, from https://www.ncsl.org/research/transportation/autonomous-vehicles-legislative-database.aspx
- Vailshery, L. S. (2022, August 12). IoT connected devices worldwide 2019-2030. Statista. Retrieved August 17, 2022, from https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/
- Cloudflare. (n.d.). What is the Mirai botnet? Retrieved August 17, 2022, from https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/
- Williams, C. (2018, February 5). Today the web was broken by countless hacked devices – your 60-second summary. The Register. Retrieved August 17, 2022, from https://www.theregister.com/2016/10/21/dyn_dns_ddos_explained/