In today’s modern home virtually everything can be connected, from the computer to the coffee maker.
While this leads to convenience and plenty of new opportunities, it presents a bevy of security problems for users.
A network of connective devices—known as the Internet of Things (IoT)— could leave users vulnerable to security breaches, said Jason Hong, an associate professor of Human Computer Interaction at Carnegie Mellon University, said in an exclusive interview with R&D Magazine that
“I would say that there are a tremendous number of challenges that we are facing as IOT devices are getting deployed in people’s houses,” Hong said. “We can probably secure one or two devices, but if we have 10 or 20 or 50 it just becomes a nightmare to try to manage that many.”
Hong explained that many devices that are commonly in homes are now vulnerable to threats of malware and other security hacks.
An example of the current threat occurred in October of 2016 when a large number of IoT devices including webcams and baby monitors were infected with the Mirai malware.
In May 2017, an 11-year old was also able to demonstrate the ability to hack and “weaponize” Bluetooth enabled teddy bears at the International One Conference 2017 in the Netherlands.
According to Hong, even if you secure individual devices, if they are connected to the cloud an attack may result in the data being stolen.
Hong explained that a “market failure” is occurring, where consumers aren’t given the proper amount of information regarding the security of their devices.
He said that manufacturers are primarily making decisions on aesthetics and functionality but not security.
Another issue is when security patches do become available to the public, they require a complicated and time consuming step-by-step process by the user.
There is also an education problem.
According to Hong, of the top 50 computer science programs in the U.S., only three require students to take a cybersecurity class.
Hong explained that there are different categories of attacker—state-level attackers looking to steal government secrets; non-state attackers that are terrorists or other groups looking to cause chaos; inside attackers such as disgruntled former employees; and criminals and script kiddies, which are lesser skilled attackers.
“They all have different incentives, different levels of skill, different kinds of resources at hand,” Hong said.
According to Hong, the riskiest devices are the ones that can cause physical harm if they are tampered with. For example, a hack into a webcam can cause problems but an attack on an oven or thermostat could result in physical harm and property damage.
Hong said while security is a major concern, there isn’t a lot the consumer can actually do to ensure complete safety.
“The best thing I would suggest is to just sort of hold off on things or if you really do want to buy those webcams and other devices you can really try to set up your firewall to block incoming traffic,” he said. “Even then there are still going to be challenges in securing these devices.
“It’s going to be pretty chaotic for the next ten years or so while these standards are being rolled, while legislation is being rolled out and while a lot of software developers and researchers are trying to figure out how to do things better,” Hong added. “So on one hand it is going to be exciting and on the other hand it is going to be a little bit scary.”
Yolanda Smith, the director of product management at cybersecurity firm Pwnie Express, said in an interview with R&D Magazine that the security threat for devices has actually gotten worse in recent years.
She explained that this is particularly due to the devices themselves, but also because some of the defense mechanisms are not made for threats from IoT.
“Even a well-made, secure product can be compromised,” Smith said. “That’s why we have to take steps to protect the networks in our homes, offices, and along the networks we use frequently.”
According to Smith, consumers should ask more security questions before buying a product.
“If you can’t easily see how to secure the product or a salesperson can’t tell you how to secure it, its vulnerable,” she said. “You should be able to at least see how you can change the manufacturer’s password before you ever take it home.”