Internet of Things: should we be afraid ?

It is a fact: we are wholly immersed in an ultra-connected world. The new connected objects are here to organize, simplify and restructure both our personal and professional lives. According to Juniper Research, there will be more than 50 billion connected objects in our everyday lives by 2021 compared to 21 billion in 2018.

All activity areas will be impacted by these changes: from the industrial and services sectors to medicine and finance. Each industry comes with its specificities and follows precise rules regarding availability, integrity, confidentiality, and traceability according to how critical its activities are. Connected objects disrupt such established rules by spreading information beyond the local scale, turning formerly isolated devices into points of a network, and making smart systems out of sequential or deterministic ones.

Unfortunately, security is usually overshadowed by functional features and business priorities, which focus on reducing the time to market of the new product. In this context, although equipping the device with a dedicated chip to enhance security and compliance with current regulations could be considered a competitive advantage, it is more often than not seen as an obstacle.

Apart from being subject to corporate espionage and reverse engineering in order to copy them, connected objects can also become unexpected attack vectors. The two following examples hit the headlines, showing how easy it is to exploit the vulnerabilities of these objects to launch widespread attacks.

First, we can talk about how the virus Mirai generated an unprecedented denial of service on the OVH and DynDNS infrastructures. By taking control of connected objects (IP cameras in this case) and using them to launch attacks on unsuspecting users, this cyber-attack paralyzed a whole portion of the web for several hours on a worldwide scale. As it happens, it is easy to install and use IP cameras: although the camera and the smartphone are connected to two distinct networks, only three steps (click, flash, enjoy) are required to pair them. A default password and direct exposition to the internet make it possible for hackers to take complete control of the target object and turn it into a ‘zombie.’

In the second attack, an American casino was hacked from the inside using an aquarium thermometer connected to the internal network. The remote firmware update service via Bluetooth made the object an easy target, and hackers, who can easily obtain the required equipment online, only need to develop a chunk of microcode and exploit the vulnerability to send it to the object in order to take control of the infrastructure.

So, should we fear connected objects? Is the TV show Black Mirror right to warn us about them?

The answer is no; we just need to be aware of the risks. Because these devices store a considerable amount of private information, it’s important that users read the general terms and conditions and favor a provider that cares for their data (one that enforces the rules and follows security procedures) when choosing between two similar connected objects.

It’s complicated to know whether every object we buy is safe, but the two following rules can guide us:

  1. If everything is too simple (3-step connection, accessibility from different networks, easily guessed default password), then the level of general security isn’t likely to be high.
  2. If the service is really useful but completely free, then it means you are indirectly providing personal data that will be fed to a customer database.

Before the industrialization of these objects, onepoint assesses their physical and software security, as well as of those security aspects related to internal and external communication, from the point of view of both the hacker and the competitor.