In cybersecurity, if it isn't one thing, it's another 14.4 billion things that'll get ya. That's about how many Internet of Things (IoT) devices will proliferate globally by the end of the year, according to some analyst estimates.
As a body, this is arguably one of the most rapidly spreading and poorly secured threat surfaces on the planet -- the joke is that in IoT, the "S" stands for security. And for a category of devices that bill themselves as "smart," it's full of an awful lot of pretty dumb concepts for objects that don't really have any business being connected to the Internet.
For every useful IoT platform running things like remote windmills or saving lives in a hospital, there are dozens more connected toilet seats and water bottles cluttering up the world's networks. What's more, many of even the most useful IoT devices come with a ton of unintended security and privacy consequences due to a lack of security by design, poorly secured connections, and a lack of consideration or care over how the data produced by them is used and shared.
So, in honor of Cybersecurity Awareness Month, the Dark Reading crew thought it was only fitting to roast the types of IoT devices that are most likely to make security and privacy people cringe. We'll poke a little fun and maybe even offer a serious take or two on why these devices are insecure, bizarrely impractical, or just downright creepy in the kind of data they collect about our lives and our businesses.
IoT Surveillance Cameras
Whether they're aimed at city street corners, corporate facilities, or junior's crib, IoT video cameras have already become a mainstay in our connected and increasingly surveilled lives. Even discounting the myriad of privacy concerns raised by videos of people in both private and public spaces being uploaded to the corporate cloud, the security ramifications of IoT cameras are already surfacing.
The rise of the Mirai botnet and the DDoS damage it caused illustrated some of them pretty early in the game, as attackers in particular abused vulnerabilities in IoT cameras to build a legion of bots ready to attack other systems.
As one paper published in the journal Internet of Things noted, IoT cameras are frequently riddled with flaws that include a "lack authentication of protocols utilized in streaming video and also the encryption of all communication between the camera, applications, and servers."
These flaws not only make Mirai-style DDoS attacks possible but open up targeted attacks that can include the remote takeover of cameras to do anything from spying on kids in the sanctity of their rooms to spying on corporate meetings in boardrooms.
Smart Toilets
Cue the security sarcasm meter for this one: How about a smart toilet equipped with a connected camera? What could possibly go wrong?
While it might sound like an outrageous setup for a prank comedy show, some scientists really are interested in bringing something like this to the underside of our toilet bowls. They say that our backsides have a biometric print as unique as a fingerprint and they can use toilets like these to identify illness and disease in early stages.
And this is actually only one of a number of iterations of features dreamed up by potty innovators to comprise the vision for smart toilets of the future. Others include toilets that would remotely sift through waste and upload data that can be used to find markers of illnesses, those that can monitor the maintenance state of a toilet, and some that use connectivity for fancy lighting.
A study out in 2019 put a number on it, claiming some one in five security pros fear their connected toilets would be hacked. They're not the only ones to mistrust smart toilets — most people look askance at the idea. In a poll by Thomson Reuters, only half of people surveyed would even be somewhat comfortable using one, and three in 10 people say they'd flat out resist the urge to go on a connected toilet.
Digital License Plates
Digital license plates are the growing new hotness in the IoT hype machine, with companies like Reviver vaunting the benefits of these devices such as smoothing out the process of toll collection, recovering stolen devices, and enforcing license fees for state agencies.
But as the inimitable Bruce Schneier said so succinctly a couple of years ago, "This makes no sense to me. The numbers are static. License plates being low-tech are a feature, not a bug."
Digital license plates open the door to all sorts of security and privacy issues: government surveillance or tracking, potential stalking by those who manage to hack the devices, and plenty of availability headaches when a device malfunction causes the plate to stop displaying numbers that need nothing more than a piece of metal to be shown effectively.
And yet, here we are, with California just this month making a digital plate pilot program permanent and Colorado becoming the fourth state to roll them out to citizens, with many more states exploring their options.
Smart Speakers
"Hey, Smart Speaker, tell me the cybersecurity risks of putting an always-on microphone into my home or place of business that connects and sends recordings to someone else's cloud?"
Smart speakers from the likes of Google, Amazon, Apple, and many other manufacturers in between may offer a ton of whizbang features that are irresistible to many — even sometimes to the most cynical security people. Anecdotally, we've run across plenty of security pros who admit they couldn't help themselves in getting a Dot or a Nest. But what we get from being able to control lighting with a simple voice command we give up in the form of added security and privacy risks.
Smart speakers are a potential risk for everything from creepy eavesdropping by vendors to hyper-targeted ads to consumers to being hijacked by malicious actors to spy on people and businesses.
Smart Kitchen Appliances
If you thought Patch Tuesday sucks in a corporate security job, imagine being the parent of a baby about to warm up a bottle who finds out a bad firmware update bricked their microwave. A decade ago this kind of scenario might have sounded far-fetched, but it's increasingly becoming common.
This spring, a fat-finger incident from an admin at microwave manufacturer Electrolux caused the company to push out a bad over-the-air firmware update to microwaves across Europe that made them think they were steam ovens. It broke devices to the point where the manufacturer had to physically send technicians to fix them.
Smart kitchen appliances like ovens, microwaves, and refrigerators may not necessarily be the huge enterprise risk that other IoT devices might be, but the above situation warrants asking the appropriate risk assessment question, "Are the rewards really worth the risk for making these appliances 'smart' devices?"
Robot Vacuums
How many years old were you when you realized that the robotic vacuum that roams people's houses and offices cleaning up the dirt is also mapping the layout of those spaces — and dishing that digital dirt back to the vacuum vendor's cloud? Many people would be exactly today years old about this one, as most don't think too deeply about how a vacuum does its job.
But it's the truth, and just a couple months ago, Amazon paid a mint for one of the biggest companies sitting on this kind of detailed data about people's physical spaces. Amazon purchased iRobot, maker of the Roomba, for $1.7 billion. This is yet another IoT data collection arrow in Amazon's massive quiver, and many privacy advocates are growing increasingly alarmed.
"This is not just about Amazon selling another device in its marketplace," Robert Weissman, president of the consumer advocacy group Public Citizen, told The Guardian when the deal was announced in August. "It's about the company gaining still more intimate details of our lives to gain unfair market advantage and sell us more stuff. The last thing the world needs is Amazon vacuuming up even more of our personal information."
Smart Locks
As a class of devices, smart locks sound pretty cool and convenient to the typical person. How nice would it be to open up the door from the driveway when you know you're going to be bringing in the groceries, or to share a time-limited passcode with the cleaning company, right? But these devices also pave the way for scenarios that would make any security-conscious person's hair stand on end.
These devices are notoriously insecure — with research uncovering flaws in firmware, authentication, communication protocols, and more that make them vulnerable to hacking by stalkers, burglars, and more. Some recent examples of that research include exhibits A, B, and C amid a whole alphabet of growing research.
What's more, when these locks don't have a key and are only operated digitally, they have the same resilience problem that so many IoT devices have when disruptions like Internet outages arise. Case in point was when a widespread Internet outage for Canadian provider Rogers made it impossible for a major concert venue — one incidentally sponsored by Rogers — to open the doors for a concert this summer. Also affected at the venue were other IoT devices like ticket-processing machines and concession point-of-sale machines.