Connected devices on the Internet of Things are cool. I have a friend who looks in on his cats on Whidbey Island with his phone from our house in Ferndale. I love my Bluetooth mouse and being able to start the oven preheating from my office upstairs with my phone. But I wouldn’t want a stranger to have the same access.
To be safe, you must take precautions.
Today, or very soon, most of the electric appliances and many other devices that people interact with will be connected to computer networks. At our house, my wife’s car (not my old truck), our kitchen range and its hood, the dishwasher and the microwave are all set up to connect wirelessly to a computer network (the Internet). We can expect more connected appliances to appear on the market soon. In fact, some claim that it will soon be difficult to acquire any electrical appliances that are not connected to computer networks. Why? Because remote wireless computer control has become a cheap feature for manufacturers to add these days. Unfortunately, connectivity has become less safe in the process.
What has changed
In olden times, say 2010, when a refrigerator manufacturer decided to add remote wireless computer monitoring or control to a new model, they would hire a team of electrical and software engineers to design a chip, circuitry, and control software to embed. The team would come up with a tidy little system that would do exactly what the manufacturer intended. No more, no less.
That’s not how it’s done today. Instead, they buy standard, off-the-shelf components and snap them together. One of those components is likely to be the equivalent of an entire personal computer, complete with a wireless interface and capabilities similar to a typical desktop of a couple decades ago. A complete computer is now cheaper to embed than a custom designed minimal component. Unfortunately, these embedded computers are as easy, sometimes easier, to hack as any desktop, laptop, or phone today.
In my book, Personal Cybersecurity, available at the Ferndale Public Library, I cited the case of an electric teakettle that was easily hacked into by “war drivers” cruising the neighborhood looking for open wireless networks to exploit. That was two years ago. Those kind of exploits are more plentiful and easier today.
Using a cheap little circuit board with an entire PC on board, manufacturers can build the device cheaply and figure out how to use the computing and connectivity later. They can add new features after the device has been manufactured using standard programming. This has a downside. Hacking a refrigerator used to require specialized knowledge of custom controllers and software written in assembler for processors that only a few engineers ever heard of. Now, the code is in high level languages on hardware that is taught in high schools.
For example, Amazon has published simple methods for placing a devices with embedded computers under voice control through their Alexa product. I expect projects like Alexa controlled electric whoozits are showing up at high school science fairs. If Alexa can easily be made to control something, there is a good chance that a hacker can too.
On top of that, a small manufacturer has little or no incentive or expertise to build security into their network-controlled toasters. Companies like Microsoft, Apple, Google, and Facebook have regulators, reputations, and stockholders to hold them accountable to public opinion. A rash of house fires from hacked Apple toasters would send Apple stock into a tailspin, the lights would burn all night in Cupertino, and fixes would be issued in days. You might not even realize that a fix was made. Companies like Apple work that way.
But for a small, no-brand appliance manufacturer, odds are great that nothing would happen. These companies, often located in China or southeast Asia, manufacture a batch of appliances, sell no-brand batches to secondary vendors who label the devices and sell them to the consumer. The department store that sold the hacked toasters and the company that designed and manufactured them may only be loosely and temporarily connected. The manufacturer retains no knowledge of what happened to the vulnerable devices or how to contact the final owners. The seller may be accountable but that’s little comfort after the house burns down.
What can you do to be safe?
|
• Read the specifications and manuals for electrical appliances carefully. Be aware of the device’s networking capabilities, especially wireless connections. The FCC requires all radio transmitting and receiving devices to register. An FCC id number is a clue that the device can connect to a computer network, including the Internet. • If you don’t have a good use for remote connection of a device, turn the remote connection facility off. If you can’t turn remote access off, consider replacing the item. Chalk the expense up to lessons learned and sleep a little more soundly. • You may have a good use for connectivity. Surveillance cameras that you can access from your phone are an example. When properly secured, the risk of being hacked can be managed. • Before you buy, research. You can often find security-oriented reviews. Read the documentation on the device. If secure access to the device is not documented, don’t buy it. Find an equivalent device that is secured. Follow the security recommendations. • Many of these devices come with a default username like “admin” and a password like “password.” You must change these. The password is most important. Use a strong password. A long random sequence of upper- and lower-case letters, numbers, and symbols is best. The easier a password is to remember, the easier for a determined hacker to crack. Record the password safely. I use a password manager. Writing it down in a safe place is good too. If you lose the password, you may “brick” (permanently disable) the device. • Use caution with Bluetooth devices. Most are easy to eavesdrop on. Bluetooth can be secure, but it is often a hassle and manufacturers often skip security over convenience. I’ve written about Bluetooth security here. |