The Quiet Threat Inside ‘Internet of Things’ Devices
BY CHARLES T. HARRY, UNIVERSITY OF MARYLAND / JANUARY 11, 2019
As Americans increasingly buy and install smart devices in their homes, all those cheap interconnected devices create new security problems for individuals and society as a whole. The problem is compounded by businesses radically expanding the number of sensors and remote monitors it uses to manage overhead lights in corporate offices and detailed manufacturing processes in factories. Governments, too, are getting into the act — cities, especially, want to use new technologies to improve energy efficiency, reduce traffic congestion and improve water quality.
The number of these “Internet of Things” devices is climbing into the tens of billions. They’re creating an interconnected world with the potential to make people’s lives more enjoyable, productive, secure and efficient. But those very same devices, many of which have no real security protections, are also becoming part of what are called “botnets,” vast networks of tiny computers vulnerable to hijacking by hackers.
Botnets have caused problems on the Internet, from sending vast amounts of spam mail to disrupting websites around the world. While traditionally most botnets are composed of laptop and desktop computers, the growth of unsecured devices such as industrial sensors, webcams, televisions and other smart home devices is leading to a growing disruptive capability.
TINY COMPUTERS EVERYWHERE
The “Internet of Things” includes countless types of devices — webcams, pressure sensors, thermometers, microphones, speakers, stuffed animals and many more — made by a vast array of companies. Many of these manufacturers are small and unknown, and don’t have popular brands or public reputations to protect. Their goals are to produce lots of devices to sell as cheaply as possible. Customers’ cybersecurity isn’t a real concern for them.
These devices’ variety means they’re useful for lots of things, but also means they have a wide range of vulnerabilities. They include weak passwords, unencrypted communications and insecure web interfaces. With thousands, or hundreds of thousands, of identically insecure devices scattered all over the world, they’re a wealth of targets ripe for the hacking.
If, for instance, a manufacturer has set an unchangeable administrative password on a particular type of device — it happens more often than you might think — a hacker can run a program searching the Internet for those devices, and then logging in, taking control and installing their own malicious software, recruiting the device into a botnet army. The devices run normally until the hackers issue instructions, after which they can do more or less anything a computer might do — such as sending meaningless Internet traffic to clog up data connections.