You may call it a smart kitchen. I call it a home network setup disaster: four hackable Linux computers installed and configured by kitchen appliance designers who are, at best, inexperienced in computer security. And I am ashamed to admit I didn’t put them through a security audit before we chose them. We wanted a convenient and efficient kitchen; I knew full well that my security worries would not have a voice in any decision.
Last week, Rebecca and I went shopping for new kitchen appliances: a refrigerator, range, hood, and microwave. We are not much attracted by network-connected kitchen appliance features—I supposed we’re old-fashioned in our cooking habits—but the appliances we chose all have Wi-Fi.
We had no choice. Appliances that are not networked are scarce in 2020. You either accept that your kitchen will be networked, or you shop for used appliances. Since replacing one set of used appliances with another set of used appliances was not on our agenda, we have four Internet of Things (IoT) devices scheduled for delivery.
IoT device security
Now, I am forced to think seriously about securing the home network setup of our kitchen against cyber-attack. Forty years ago, when the industry began to hook computers together with TCP/IP and Ethernet, I would never have guessed that home kitchen security would become a topic in 2020.
Why am I worried? I am not as frantic as my well-known colleague, Bruce Schneier, who wrote a popular book about the Internet of Things called Click Here to Kill Everybody, but I share his concerns. Most IoT devices are full-fledged multi-purpose computers: as powerful, versatile, and hackable as the workstations of only a few years ago.
The computer in our new three-speed range hood is more powerful than the coveted Sun SPARC that sat on my desk at Boeing Computer Services in the 90s. The computer in that range hood is also subject to almost any hack reported in the news over the last decade. Ransomware has shown up on a coffeemaker, of all places.
IoT botnets
To top it off, some security professionals expect large IoT botnets will be used in attempts to disrupt the U.S. national election next month by scrambling voter registration or bringing down vote tallying software.
A botnet is a collection of compromised computers under the central control of a botmaster who orchestrates the hacked devices. Thus, botnets are huge covert supercomputers that execute crimes like sending out waves of spam or jamming websites with meaningless traffic. Before the IoT, criminal gangs grabbed control of personal computers and enrolled them in botnets by tricking users into fiddling with fake email or installing bogus doctored applications. It’s easier now.
IoT devices have simplified criminal botnet recruiting. Some of these devices are so poorly secured, criminals can scan the network for vulnerable targets, then take over using default accounts and pathetically weak default passwords. In this way, enormous IoT botnets can be formed quickly with automated scripts.
Users don’t notice that their IoT devices have been invaded because they seldom interact directly with the device. We might never notice that our sleek new smart refrigerator has become a robot thug at the beck and call of a foreign national in a dacha overlooking the Volga river.
The IoT is growing uncontrollably
Log on to your home network router and look at the list of connected devices. I imagine our list is longer than most because my home office is practically a development lab with an assortment of Windows 10 lap and desktops and a Linux tower I use as a server. Both Rebecca and I have two smart phones each (one for phone calls, another without a cellular card for fun), and we also have several tablets distributed in various rooms. We also have smart TVs, Amazon Fire Sticks, and Alexas.
Every time I look at the router’s device list, it has grown longer. What used to be a cute two-line list of his and hers computers has become a configuration management database worthy of a fair-sized business. In the old days, I could glance at the list and know instantly that some bright neighbor kid was filching bandwidth. Now, puzzling it out is a job in itself. When our new appliances are installed, I imagine making sense of the network will get more difficult.
Home network setup crisis
Frankly, I’ve reached a home network management crisis. I no longer feel in control. I’m not sure I will know if I’ve been hacked.
This must change.
Fortunately for me, I’ve helped large enterprises manage their networks for a long time. My quiver has some razor sharp arrows. I can figure this out. No three-speed range hood will bring down our network.
I’ll keep you posted. In the mean time, basic computer hygiene will have to do. Check it out the six rules. They go a long way toward keeping you safe.
Hi Marv,
I don’t currently have any IOT devices but I believe I know where to look to secure them if I do get any. The web site is also a fun read:
https://routersecurity.org/index.php
I recently purchased a router that can be customized to the Nth degree in its settings menus and I’ve been careful not to fool with anything I wasn’t sure of. If you’re ever inclined, I’d like your take on Michael Horowitz’ site linked above. Just perhaps a nod to let me know I’m on the right track.
My current understanding of IOT devices is minimal but I believe they “phone home” to internet connected servers to perform their basic design functions. It seems that controlling the setting of a PWM signal to a vent fan could be handled by the local device processor. Maybe consumers should demand a different control paradigm for their devices.
I enjoyed your “Three Rules for Smart Phones” and had a peek through my device to implement your suggestions. Thanks for that. I also enjoyed your article about Bluetooth security and plan to patch some devices with the latest firmware as a result.
Thanks,
Dan Loehr
Hi Dan– I looked at the Router Security site. It like it, good find, by all means follow his advice. Unfortunately, his suggestions won’t necessarily secure your IoT. The ugliness of IoT devices is that they themselves are often insecure. A perimeter secured properly by your router won’t help if the device literally requests to be invaded, as some insecure IoT devices have been known to do. You are absolutely correct that a local device processor would be better for many household functions, including controlling vent fans. The problem is that general purpose computers on a chip, the equivalent of your desktop or phone of only a few years ago, are cheaper and easier to add to appliances than special purpose processors. That is the devil in IoT. It’s now so easy to add IoT to home appliances, kitchen appliance designers who have no experience with network security, can slap them in.
Marv: This was the most alarming part of your entire article:
We had no choice. Appliances that are not networked are scarce in 2020. You either accept that your kitchen will be networked, or you shop for used appliances.
With the disclaimer of not knowing what a “Smart Appliance” (especially the smart range hood) is expected to actually DO, wouldn’t a reasonable solution be to give them their own Wi-Fi network that’s heavily firewalled? (I know that’s not a viable solution for the masses.)
I agree. It is alarming. Bruce Schneier pointed out the same thing about cars in his book “Click Here…” I am even more disturbed by cheap networked appliances, like toasters, coffee makers, and electric fans. What chance do such low ticket items have of being reasonably secured?
We don’t have the range and hood installed yet so I haven’t had a chance to fool around with them, but I understand that the range can be set up to talk to the hood and tell it when to accelerate the fan, which might prevent the smoke detector from going off when I pan fry steaks… We’ll see.
I also agree about putting IoT on its own firewalled network segment. I’m researching how to do this in a way that users without a background in networking can segment successfully. I hope to post something on it in future weeks.
Best, Marv