Your Fridge Is Spying On You. And Your Car. And Your Smart Speaker
On July 20, 1969, Neil Armstrong uttered “one small step for man, one giant leap for mankind” and the moon became a little less distant. The guidance computer on the Apollo 11 spacecraft that took him there had 4KB of Random Access Memory (RAM), 72KB of Read Only Memory (ROM) and ran at 0.043 MHz. To put those numbers into perspective, the typical high-end smartphone today has one million times the RAM, seven million times the ROM and runs 100,000 times faster.
These computers, supercomputers by the standards of a generation back, are in almost every piece of technology we use today. That includes, in addition to the obvious laptops and tablets, items like watches, cars, thermostats, speakers, and yes, fridges. Combine that with their ability to connect to the Internet, and the Internet of Things (IoT) era is truly upon us with 12 billion connected devices today and 127 being added every second. By 2025, there are expected to be more than 75 billion IoT devices worldwide.
While daily life will undoubtedly become more convenient, it will also be less secure. Not only will this encroachment of technology in every aspect of our lives result in the collection of more and more high-value data, the proliferation of IoT devices will lead to significant expansion of the attack surface. In other words, malicious actors will have more data to steal and more places to steal it from. And it’s not just the unauthorized disclosure of information that will increase, but also the potential for more assets being rendered unavailable, as in users being locked out of computers or hackers rendering them inoperative (“bricking” them). Recent news on hacked IoT cameras and the indefinite storage of data by smart speakers doesn’t exactly engender confidence in this technology with respect to security and privacy.
I believe there’s an interesting behavioral issue at play here as well. We’re aware that smart cameras are seeing us and smart speakers are hearing us continuously, even though we may forget it on occasion. However, we are less conscious of the private information we’re sharing via smart devices like thermostats (“what times I’m at home”), cars (“where do I travel”) and fridges (“what do I eat”). Therefore, while we may be cognizant of implementing security controls on our smart cameras and smart speakers, we may not be as diligent with our smart thermostats, smart cars and smart fridges. Case in point: manufacturers’ default passwords being used for thousands of refrigeration and air-conditioning units worldwide.
Using default passwords is a step below using the same password for everything. In the case of hacked IoT cameras mentioned earlier, the manufacturer claimed that devices had been accessed using credentials compromised elsewhere. There’s a security lesson for you: rotate your passwords regularly and don’t use the same password for everything; consider using a password manager to keep track of all your passwords. Also, while this particular manufacturer was found to have a host of security issues, their recommendation on enabling two-factor authentication (2FA) still holds water. That’s another security lesson right there.
Here are some general recommendations on managing security of IoT devices:
- Be aware of what data is being collected; disable smart features if not needed
- Follow good password practices – different, strong passwords rotated regularly; enable 2FA
- Enable security notifications whenever possible, such as new connection alerts
- Follow manufacturers’ guidance on configurations
If you’re looking for additional information, an NCC Group consultant takes a deep dive into the security impact of IoT devices in this white paper.