Every device connected to the internet is a potential point of vulnerability. As the following report shows, design engineers and developers must anticipate security threats at every stage between a device’s design and deployment.
Remote Peeping into Bedrooms and Offices
In June 2017, some residents of Dubai, UAE, discovered to their alarm that footage from surveillance cameras inside their homes and offices was streaming on websites all over the world. The police also noticed, and shut several of the websites down, they said. The breach was blamed on the cameras’ poor quality and on unqualified technicians who installed the devices. According to the police, the technicians didn’t know how to secure the cameras with new passwords. That left the cameras vulnerable to hackers who could connect via the devices’ public IP addresses.
Turning IoT Devices into Bricks
Two versions of a new malware called BrickerBot have been bricking devices all over the IoT since March 20, 2017. The malware targets devices based on Linux BusyBox, gaining entry via brute-force attacks on open Telnet ports. It uses a list of default passwords for various IoT devices. Once inside, the malware almost instantly stops the device’s operating system and reboots it.
It’s not clear how BrickerBot’s author could profit from this kind of attack, known as a Permanent Denial of Service (PDoS). While other IoT malware strains, such as Mirai, can be used to launch Distributed Denial of Service (DDoS) attacks that may somehow benefit the hacker, a bricked device is unusable. Some security experts suggest BrickerBot’s author is a vigilante who destroys insecure IoT devices to make a point.
A Doorbell Rings, a Server in China Hears It
A smart doorbell programmed to send users’ audio and video data to Amazon Web Services was discovered to be sending packets of audio data to a server in China run by Baidu, the massive search engine and web services company. A Reddit user found the traffic leaving their doorbell and wrote about it, resulting in an IoT news website picking up the story. Within five days, the doorbell’s maker, Los Angeles-based Ring, responded to the Reddit post, explaining that the data transmission was minuscule and not the result of a security vulnerability. A firm that Ring hired to audit the device’s security concluded that the device was secure, and that users were not at risk because the data traveled only outward. The auditor concluded there was no pathway for a hacker to infiltrate the device from the outside.
Although no weakness was found, this incident offers two lessons about IoT security. One, if customers perceive a device as insecure, the manufacturer is forced to respond or lose sales. Two, given the complexities of electronics manufacturing, security holes can creep in at any stage.
As an IoT device developer, you have little control over those who install, service, and operate your devices. The proper approach is to build in security as you design your product, whether it’s an embedded system or an internet-connected consumer device. This way you’ll protect yourself from potential recalls, negative press, and lost sales.