Heather Schreck was asleep when she suddenly heard a male voice. Sleep-dazed she picked up her phone to check on her baby using a baby monitor. This baby monitor was basically a webcam that could be viewed and controlled with her smartphone. The camera was moving, though she wasn’t controlling it and she heard someone scream ‘WAKE UP BABY!’. Her husband quickly ran to the room and unplugged the camera. (The baby was deaf and didn’t actually wake up). What had happened? Well… they got hacked. And this isn’t an uncommon occurrence. Many other families have received the same creepy messages.
Here in CreaTe we love Internet of Things! From module two and onward we have fully embraced this new trend. After all, IOT has brought us sensors on a car that can notify drivers on dangerous road conditions, tennis rackets that advise you on how to improve your game, and yes – snapchat’s spectacles. In fact, IOT is so popular that it is estimated there are 6.8 internet capable devices per person!
(Boring numbers interlude: This number only considers people who have regular access to internet and includes smartphones, laptops etc. )
However, this might not be as amazing as you think. Recently there was a pretty big denial-of-service attack.
A denial-of-service attack is accomplished by flooding a system with superfluous requests, in this way overloading it and preventing legitimate requests from being serviced. This is often done with Botnets. This are networks of hacked computers that are secretly being used to serve the hackers goal, usually without the legitimate user of the computer knowing about it.
The victim of this attack was Dyn, which controls a big part of the domain name system (DNS) infrastructure. This means that big sites went down, including Netflix (the horror!). However, there was something unique about this attack. The bots weren’t computers but were mostly IOT-devices. This is because IOT-devices often have extremely bad security compared to the security of laptops and phones.
To summarise that big chunk of technological text – the bad security of baby monitors and other devices doesn’t just endanger the customer who bought that device, but also Netflix!
(And the rest of the internet).
And we can’t just lay all the responsibility on the consumer. Apparently the SNT (Studenten Net Twente) regularly has to block Raspberry Pi’s. This is because the default passwords haven’t been changed by students – and the Pi’s are then hijacked to send spam. If not even the technology-savvy CreaTe students bother to change the password – how can we expect such diligence from average consumers?
CreaTers love IOT more than anyone. As a result, there is a very big chance that you guys will help develop the amazingly innovative IOT products of the future. This is why it seemed like a good idea to give you guys some tips on IOT security.
- Force people to choose a custom password. ‘Plug and play’ has become an important concept. People would like their devices to work as quickly as possible after they are taken out of the box. Because of this IOT devices often have default passwords. You can’t make it easier for hackers!
- Limit the data collection if possible. Ask yourself – how much data does my product really need? When you store large amounts of data it becomes an attractive target for data theft. And when a company collects large amounts of data it is very attractive to be used for other purposes than the intended purpose.
- Give users a choice. Some types of data collection might not be strictly necessary, but could still very useful and desired. If this is the case you could consider letting your users choose. One important note: if you choose this, don’t hide it somewhere, but present it clearly and open to your users. Otherwise your not-so-technical users might not even know their data is being collected. (Looking at you, windows 10).
- Automatic updates. Are you gonna connect something to the internet? First make sure you can update the device. Then make sure updates are automatically downloaded as a default. This will allow you to fix security mistakes. The security mistake in the brand of baby monitor in the story above was already known to the producers. However, they had to tell everybody to update their software – this message obviously does not reach everyone.
- Isolate your different systems properly. Is the information you handle on the device extremely sensitive? Consider not connecting it to the internet. It is the safest and quickest fix. Or isolate it as best as you can from other parts of the system. So people can’t just hack the freaking plane.
Though prototypes of course require less security than the finished products, even then these issues should be considered. For example 2 (Limiting data collection) and 3 (Give users a choice) can already become important when coming up with your concept. You have to try and figure out how your idea can still work with as little data as possible. Too many companies nowadays ignore the security of their IOT devices, and this puts everyone at risk. People in CreaTe often want to improve the world with technology. So please follow these tips, and don’t accidentally make the world worse by breaking Netflix.