There have been a lot of articles in recent times about the poor security of
internet-connected devices, a.k.a. the Internet of Things (IoT).
In earlier times, this just meant routers and wireless access points, but now
it has expanded to include all manner of network-enabled things like security
cameras, toys, appliances, and household automation including light bulbs, of
all things. The manufacturers of these devices are adding this capability
because it sells. A lot of people like the cool factor of being able to
control and interact with these devices from their browser or some app.
Or maybe it's a TV or toy that sends data back to a central server.
But what has not gotten the attention it deserves is the fact that each one
of them is now a little computer on the internet and just as reachable as
anything else. With no or poorly implemented security, they can be easy
targets for hackers and prime candidates to be in someone's botnet.
They can spit out DDoS packets or spam just as easily as any other computer.

You could try to address this from either or both sides of the fence.
One might say that the manufacturers should put more thought and effort into
security. But these devices tend to be low-end, commodity items. If the
manufacturer spent the additional resources, the price per device would
have to go up and would quite likely be non-competitive with their peers.
How many consumers are going to pay twice the price because this light bulb
is "more secure"? It's just a light bulb...

The other problem is consumer education. Most people are not computer
enthusiasts, let alone security experts. They just want the cool device
they can control from their tablet or phone. It is unrealistic to expect
that you could convince the majority to become more educated, subscribe to
notices for all these devices and keep up with security upgrades, assuming
those are even made available in the first place (see above).

Some of these devices just work out of the box and do not require any extensive
configuration. So most people are unlikely to go looking for any other settings
like security, assuming they're even there to begin with. And if they are, they
may have a poorly designed and hard-to-use interface. And even for the person
who is aware and wants to secure them, does the manufacturer make any updates
available? Back to the first side of the problem again.

Given this natural and understandable lack of interest, also consider that
as long as the devices are working as expected, their botnet participation
may well go completely unnoticed. With a broadband internet connection,
would you notice an extra stream of packets coming out of these things?
Again, not likely unless it took up so much that it hampered your streaming
movie or online gaming and finally caused you to investigate. A smart botnet
operator would consider this and not abuse the "privilege" so to speak.

With the high cost to address this from either or both sides of the
manufacturer/consumer line and the lack of consequences to either one of them
if a "responsible" hacker takes control, it is no wonder this is happening,
and we're all left asking what to do.