OMG, my refrigerator got hacked!

August 10, 2017 at 9:39 am

Years ago I started worrying about getting a virus on my laptop. More recently I began worrying about getting a virus on my iPhone. As of 2017, my new fear is that my smart refrigerator can send spam – or worse.

Last year a photograph of a smart refrigerator displaying an adult site on the display floor of a major retailer went viral. (I tried to find and credit the original source; it was posted on John McAfee’s Twitter feed, but it’s not clear whether it’s his photo.)


We live in a golden age. You can change the temperature in your house from a remote location by simply using your phone to access your Internet-connected thermostat in your home. But who else can connect to this device?


Connected devices or smart devices, referred to as Internet of Things (IoT) devices, have simplified our lives more than we could ever imagine – or so their manufacturers claim. IoT devices have moved beyond home alarm systems to control home automation components like electric lights, HVAC systems, robotic vacuums, ovens, refrigerators, freezers, and even water faucets.

IoT devices are used in medical devices such as heart rate monitors, blood pressure monitors, pacemakers, and hospital equipment. IoT devices in automobiles send and receive information to the device manufacturer or update the equipment components. They let us know remotely if our brakes are worn, if it’s time for an oil change, or if it’s time to change our cabin filter. We’ve come a long way from the diagnostic port on a 1973 VW which could tell you if your alternator was charging your battery properly.

In short, IoT is big business, and everybody wants to cash in. IBM has rolled out a bunch of commercials promoting the IBM Watson IoT.

If you have watched a TV show or movie recently, it seems that any nerdy character with a bad haircut, an unfortunate tattoo, and an earring who can speak a complete sentence without using the words “like” and “you know” can hack into every security camera or device in a building. That’s fiction, but what about reality? IoT devices are notorious for lacking integrated security. Most of them just have a userid and password as credentials.


Criminals, identity thieves, or just plain pranksters would love to disarm your alarm system, steal your information, or just make your life miserable by hacking into an IoT device. An IoT device can be compromised in two ways:

  • An IoT device can be told to do what it is not supposed to do. A networked component in your smart TV could become part of a botnet attack. As hackers demonstrated to Jeep, an IoT device in an automobile may be hacked so that attackers can disable the power braking system.
  • IoT devices can be told to do what they are supposed to do, but at the wrong frequency. These attacks could include turning on the water or the lights in your house at the wrong time, flooding your basement or leaving it well-lit for thieves.

Every device or piece of software may have flaws. A flaw that nobody else knows about is referred to as a “zero-day exploit.” According to a WikiLeaks report, the CIA has a set of tools to hack IoT devices via “zero-day exploits.” One zero-day exploit lets you activate the microphone on a smart TV or other device to remotely record conversations. According to the report, the CIA has many zero-day exploits for Android and Apple iOS devices. Who else has this set of tools? A government agency could use them to spy on its own citizens or on a rival nation, or even to disrupt another country’s election. I am looking at you, Vladimir Putin.


According to Gartner Inc., there will be over 20 billion IoT devices by 2020. There is consumer demand for these IoT devices. Consumers want it simple and fast, and device manufacturers do not want to make these devices overly complicated out of fear that consumers won’t buy them. Adding security to these devices is not generally in the device manufacturers’ best interest if they want to increase sales. However, technology always changes. Devices, unlike computers, rarely have the ability to accept a patch or update. WiFi routers may have firmware updates, but not all Internet-connected devices do. This leaves the consumer at a security disadvantage. Worse, it leaves them open to hacking.

What can the consumer do?

Most users do not change the default security settings on devices. The average consumer rarely changes a WiFi router’s out-of-the-box password, and the same goes for security cameras. Think of the password as your front door: you would lock your front door, so for heaven’s sake, change the default password.

You should try to practice good password hygiene.

  • Avoid reusing credentials – Use different passwords and user IDs for your different devices. How in the world can I keep up with all these passwords? I can barely remember my daughter’s birthday or the security code for my ATM card. You can get a password manager app and install it on your phone.
  • Change passwords frequently – Passwords can become stale. Your roommate who moved out two months ago knows your WiFi password, and so does his ex-girlfriend. It might be time to change a few passwords.
  • Make the passwords strong – The passwords should be at least 15 characters. You should have a mix of uppercase, lowercase, numbers, and special characters. You can make the passwords out of a phrase, song lyric, or something that you can remember. For example, take a look at the following:
    • Ih8DaNew0rle@ns$aintz translation “I hate the New Orleans Saints”
    • Its@Sm@11W0rld@fterA11 translation “It’s a small world after all”
    • A7thN@tionArmy#C0u1dNtH0ldMeB@ck translation “A seven nation army couldn’t hold me back”
    • WhyD0e$MyC@tP00p1nD@Corner translation “Why does my cat poop in the corner?”
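
The three checks above (default credentials left in place, reuse across devices, and the 15-character mixed-class rule) can be run over a list of household devices. This is an added example, not code from the original post; the inventory, the device names, and the short list of factory defaults are constructed for illustration.

```python
import string
from collections import defaultdict

MIN_LENGTH = 15  # the post's minimum length

# Constructed sample of generic factory defaults (illustrative, not a vendor list).
COMMON_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Constructed home inventory: device -> (user ID, password).
INVENTORY = {
    "wifi-router": ("admin", "password"),
    "security-camera": ("admin", "Its@Sm@11W0rld@fterA11"),
    "thermostat": ("homeuser", "Its@Sm@11W0rld@fterA11"),
    "fridge": ("kitchen", "Summer2017"),
    "baby-monitor": ("nursery", "WhyD0e$MyC@tP00p1nD@Corner"),
}

def strength_issues(password):
    """Return the ways a password misses the post's strength rule."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": string.ascii_uppercase,
        "lowercase": string.ascii_lowercase,
        "number": string.digits,
        "special character": string.punctuation,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in password):
            issues.append(f"no {name}")
    return issues

def audit(inventory):
    """Map each device to a list of findings; an empty list means it passed."""
    findings = {device: [] for device in inventory}
    devices_by_password = defaultdict(list)
    for device, (user, password) in inventory.items():
        devices_by_password[password].append(device)
        if (user.lower(), password.lower()) in COMMON_DEFAULTS:
            findings[device].append("factory-default credentials")
        findings[device].extend(strength_issues(password))
    for devices in devices_by_password.values():
        if len(devices) > 1:  # same password on more than one device
            for device in devices:
                others = ", ".join(d for d in devices if d != device)
                findings[device].append(f"password reused on {others}")
    return findings

if __name__ == "__main__":
    for device, problems in audit(INVENTORY).items():
        print(f"{device}: {'; '.join(problems) or 'ok'}")
```

Note that a password can satisfy the strength rule and still be flagged: the camera and thermostat entries pass on length and character mix but fail on reuse.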

It’s a given that the average consumer might not consider security a priority with an IoT device. However, the IoT goes beyond consumer devices. If a device can be accessed via Bluetooth, WiFi, or any other wireless technology, it is vulnerable and could be compromised – and that includes crucial healthcare devices. Medical device maker Johnson and Johnson had to reveal to over 100,000 patients that a hacker could exploit one of their insulin pumps. We are not talking about refrigerators and security cameras anymore. We are now talking about people’s lives and well being. It may no longer be a spy-novel plot device to suppose an assassin could remotely speed up a pacemaker or stop a medical implant from working.

A financial institution spends a significant portion of its IT budget on security. Healthcare providers only spend about 6% of their IT budget on security, and it is usually applied after the device is designed rather than being integrated into the device.

Who knows if there is a zero-day exploit in a medical device right now? It may take years for manufacturers to find them all. Who knows if a hacker found the exploit first? If it’s difficult for an automobile manufacturer to replace an electric window motor in a mandated recall, it will be extremely difficult to replace a medical device that has been installed and then recalled due to IoT insecurity. Technology has gone down a road that can bring us great prosperity and better health. We need to make sure that the potholes are paved and the road is secure from bandits.

Until next time,

George Monsalvatge
