Connecting Everything to the Internet: What Could Go Wrong?


If the Internet of Things (IoT) industry is the Jedi order, with Philips Hue lightsabers and "smart" cloud-based Force powers, then popular Twitter account Internet of Shit is a Sith Lord. At a time when the technology industry seems eager to put a chip in everything, consequences be damned, Internet of Shit puts a name to the problem of new, useless electronics and highlights that some of these products may not be as benign as we think.

I spoke with the account's operator under the condition of anonymity, a courtesy PCMag extends when we feel the public good outweighs all other considerations. I will refer to this person as IOS. I would love to say that I met IOS in a darkened parking garage, but our conversation took place over Twitter direct message and email. Ho-hum.

The Internet of Shit's Twitter account focuses on the niche and the popular. In the case of, say, paying for a meal using a smart water bottle, it rightly questions the utility. It highlights the absurdity of having to wait for fundamental necessities, like light and heat, that are unavailable after "smart" products receive firmware updates.

As you might imagine, the Internet of Shit is able to eviscerate the industry it mocks so effectively because that industry is close to its heart. "It happened so naturally," IOS said. "I used to spend a lot of time on Kickstarter and saw the rise of the Internet of Things there. It seemed like every other day some mundane object was having a chip shoved into it, but nobody—even in the media—was being that critical about it. [Websites] would just say things like, 'Wow, we can finally get the internet in an umbrella.'"

IOS sees himself as something of a devil's advocate or collective conscience for consumer culture. In his eyes, the Twitter account is a much-needed sanity check on Silicon Valley's faux-optimism run amok. "When we go too far, the important question technology people tend to forget is: Who actually needs this? An oven that can't cook properly without the internet? Why aren't people designing these things better?"

But more than poor design and specious claims of utility, IOS's primary concern is one of privacy and, ultimately, personal security: "I do see IoT as inherently risky, though. I don't trust these companies not to leak my data or not to be severely hacked in the future."

In a Medium post written early in the Twitter account's life, IOS said he was worried that companies would begin looking for ways to monetize data gathered from people's homes. From that story: "If Nest wanted to increase profits it could sell your home's environment data to advertisers. Too cold? Amazon ads for blankets. Too hot? A banner ad for an air conditioner. Too humid? Dehumidifiers up in your Facebook."


IOS still stands by these concerns. "The reason the IoT is so compelling to manufacturers isn't that they're adding smart features to your life—that's just a byproduct," he wrote me. "It's more that by doing so, they get unprecedented insight into how those devices are being used, such as how often, what features you use the most, and all the data that comes with that."

IOS says that IoT companies need to be much more upfront about their data-gathering policies, and who can access information that may be gathered by these devices. "The question we all need to decide is what level of access we're willing to give these companies in exchange for the data they get—and who we trust with that is key."

On Christmas Day in 2016, IOS enabled his lights to blink whenever his handle was mentioned on Twitter. The results were intense, anticlimactic, and brief, illustrating perhaps all that IOS loathes about the Internet of Things.

Internet of Insecurity

Far worse than the effect useless IoT devices have on consumers' wallets, though, is the effect they have on personal security. IOS's fears of a marketplace for user data collected by IoT devices are not far-fetched (how do you think free apps and free internet news companies make money?), and there are already other, very real threats.

Attendees at the Black Hat 2016 conference were treated to footage from security researcher Eyal Ronen. Using his research, he was able to seize control of Philips Hue lights from a drone hovering outside an office building. The attack was notable not only for its dramatic results and for using a drone but also because the building was home to several well-known security companies.

Ronen explained to me that he was attempting to demonstrate that an attack against a top-tier line of IoT devices was possible. "There are a lot of IoT hacks aimed at low-end devices that have no real security. We wanted to test the security of a product that is supposed to be safe," he said. He was also keen to attack a well-known company and settled on Philips. Ronen said that it was harder to crack than he initially thought, but he and his team found and exploited a bug in the ZigBee Light Link software, a third-party communication protocol used by several IoT companies and regarded as a mature and secure system.

"It uses advanced cryptographic primitives, and it has strong security claims," said Ronen. "But at the end, in a relatively short time with very low-cost hardware worth around $1,000, we were able to break it."

Video of Ronen's attack (above) shows the lights of the building flashing in sequence, following his commands sent remotely via a hovering drone. If this were to happen to you, it would be annoying—perhaps no more annoying than any of the scenarios IOS highlights on his Twitter account. But security professionals maintain that there are far greater consequences for IoT security.

"In a previous work, we showed how to use lights to exfiltrate data from [an] air-gapped network and cause epileptic seizures, and in this work we show how we can use lights to attack the electric grid and jam Wi-Fi," Ronen told me. "IoT is getting into every part of our lives, and the security of it can affect everything from medical devices to cars and homes."

A Lack of Standards

Ronen's attack took advantage of proximity, but Chief Security Researcher Alexandru Balan at Bitdefender outlined many other security faults that come baked into some IoT devices. Hardcoded passwords, he said, are particularly problematic, as are devices that are configured to be accessible from the open internet.

It was this combination of internet accessibility and simple, default passwords that caused havoc in October 2016, when the Mirai botnet knocked major services like Netflix and Hulu offline or made them so slow as to be unusable. A few weeks later, a variant of Mirai throttled internet access in the entire nation of Liberia.

"The worst of them are devices that are directly exposed to the internet with default credentials," said Balan. "[These devices] can be found with IoT search engines like Shodan or by simply crawling the internet and accessing them with admin admin, admin 1234, and so forth," continued Balan, listing examples of overly simplistic and easily guessable passwords. Because these devices have minimal security and can be attacked from the internet, the process of infecting them can be automated, leading to thousands or millions of corrupted devices.

Not long after news of Mirai broke, I looked at this scenario and blamed the IoT industry for ignoring the warnings about poor authentication and unnecessary online accessibility. But Balan would not go so far as to call these flaws obvious. "[Attackers] need to do reverse engineering on the firmware to extract those credentials, but it's very often the case that they find hard-coded credentials in the devices. The reason for that is that in a lot of cases, there's no standards when it comes to IoT security."

Vulnerabilities like these arise, hypothesized Balan, because IoT companies operate on their own, without universally accepted standards or security expertise. "It's easier to build it like this. And you can say that they're cutting corners, but the main issue is that they're not looking into how to properly build it in a secure fashion. They're just trying to make it work properly."

Even when companies develop fixes for attacks like the one Ronen discovered, some IoT devices aren't able to apply automatic updates. This puts the onus on consumers to find and apply patches themselves, which can be particularly daunting on devices that aren't intended to be serviced.

But even with devices that can be easily updated, vulnerabilities still exist. Several researchers have shown that not all IoT developers sign their updates with a cryptographic signature. Signed software carries a digital signature generated with the private half of an asymmetric cryptographic key pair owned by the developer. The devices receiving the update hold the public half of the key pair, which is used to verify that signature. This ensures that the update is official and hasn't been tampered with, since signing a malicious update or modifying the software update would require the developer's secret key. "If they do not digitally sign their updates, they can be hijacked, they can be tampered with; code can be injected into those updates," said Balan.
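To make the signing mechanism concrete, here is an added example in Go (not Philips's, Bitdefender's or any vendor's code): a vendor signs a constructed update image with its Ed25519 private key, and the device verifies it with the matching public key, rejecting a tampered image, an image signed with someone else's key, and a downgrade. The update layout, the names and the version check are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed update format (an assumption, not any vendor's real format):
// magic(4) | version(4, big-endian) | payload | signature(64).
// The signature covers magic, version and payload, so a modified
// version field or payload no longer verifies.
var magic = []byte("FWU1")

type Update struct {
	Version uint32
	Payload []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify")
var ErrRollback = errors.New("update rejected: version not newer than installed")

// encodeBody serialises the signed portion of the image.
func encodeBody(u Update) []byte {
	body := append([]byte{}, magic...)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], u.Version)
	body = append(body, v[:]...)
	return append(body, u.Payload...)
}

// Sign is what the vendor's build server does with its private key.
func Sign(priv ed25519.PrivateKey, u Update) []byte {
	body := encodeBody(u)
	return append(body, ed25519.Sign(priv, body)...)
}

// Verify is what the device does with the vendor's public key provisioned at
// the factory. Only the public half ever leaves the vendor, so a forged or
// edited image cannot carry a valid signature.
func Verify(pub ed25519.PublicKey, installed uint32, blob []byte) (Update, error) {
	if len(blob) < len(magic)+4+ed25519.SignatureSize || !bytes.HasPrefix(blob, magic) {
		return Update{}, errors.New("update rejected: malformed image")
	}
	split := len(blob) - ed25519.SignatureSize
	body, sig := blob[:split], blob[split:]
	if !ed25519.Verify(pub, body, sig) {
		return Update{}, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(body[len(magic):])
	if version <= installed { // refuse downgrades to older, vulnerable firmware
		return Update{}, ErrRollback
	}
	return Update{Version: version, Payload: body[len(magic)+4:]}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	blob := Sign(priv, Update{Version: 2, Payload: []byte("constructed firmware image")})
	_, err := Verify(pub, 1, blob)
	fmt.Println("genuine image:", err)
	tampered := append([]byte(nil), blob...)
	tampered[len(magic)+4] ^= 0x01 // flip one bit of the payload
	_, err = Verify(pub, 1, tampered)
	fmt.Println("tampered image:", err)
}
```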


Beyond simply flicking lights on and off, Balan said that infected IoT devices can be used as part of a botnet, as seen with Mirai, or for far more insidious purposes. "I can extract your Wi-Fi credentials, because you've obviously hooked it to your Wi-Fi network and being as [the IoT device] is a Linux box, I can use it to pivot and start to launch attacks within your wireless network.

"Within the privacy of your own LAN network, authentication mechanisms are lax," continued Balan. "The problem with LAN is that once I am in your private network, I can have access to almost everything that's happening in there." In effect, corrupted IoT becomes a beachhead for attacks on more valuable devices on the same network, such as Network Attached Storage or personal computers.

Perhaps it's telling that the security industry has started looking closely at the IoT. Over the last few years, several products have entered the market claiming to protect IoT devices from attack. I have seen or read about several such products and reviewed Bitdefender's offering. Called the Bitdefender Box, the device attaches to your existing network and provides antivirus protection for every device on your network. It even probes your devices for potential weaknesses. Bitdefender will launch the second version of its Box device this year. Norton will enter its own offering (below), boasting deep-packet inspection, while F-Secure has also announced a hardware device.


As one of the first to market, Bitdefender is in the unique position of having a background in software security—and then designing consumer hardware that would, presumably, be impeccably secure. How was that experience? "It was very hard," answered Balan.

Bitdefender does have a bug bounty program (a monetary reward offered to programmers who uncover and provide a solution to a bug on a website or in an application), which Balan confirmed has helped the development of the Box. "No company should be arrogant enough to believe it can find all of the bugs on their own. This is why bug bounty programs exist, but the challenge with hardware is that there may be backdoors within the actual chips."

"We know what to look for and what to look at and we actually have a hardware team that can take apart and look into each one of the components on that board. Thankfully, that board is not that large."

It's Not All Shit

It is easy to discount an entire industry based on its worst actors, and the same is true for the Internet of Things. But George Yianni, the Head of Technology, Home Systems, Philips Lighting, finds this view particularly frustrating.

"We took [security] very seriously from the beginning. This is a new category. We have to build trust, and these [attacks] actually damage trust. And that's also why I think the biggest shame of the products that have not done such a good job is that it erodes trust in the overall category. Any product can be made badly. It's not a criticism of the overall industry."

As is often the case in security, how a company responds to an attack is often more important than the effects of the attack itself. In the case of the drone attack on Philips devices, Yianni explained that Ronen submitted his findings through the company's existing responsible-disclosure program. These are procedures put in place to give companies time to respond to a security researcher's discovery before it is made public. That way, consumers can be assured that they are safe and the researcher gets the glory.

Ronen had found a bug in a third-party software stack, said Yianni. Specifically, it was the part of the ZigBee standard that limits communication to devices within two meters. Ronen's work, as you will recall, was able to take control from a distance—40 meters away with a standard antenna and 100 meters with a boosted antenna. Thanks to the responsible disclosure program, Yianni said Philips was able to roll out a patch to the lights in the field before Ronen told the world about the attack.


Having seen many companies grapple with a public security breach or the result of a security researcher's work, Yianni and Philips's response may sound like after-the-fact back-patting—but it really was a success. "All our products are software-updatable, so that things can be fixed," Yianni told me. "The other thing[s] we do [are] security risk assessment, security audits, penetration testing [hiring people to attack your product or organization, then using the info to keep bad guys from doing the same] on all of our products. But then we also run these responsible disclosure processes, so that if something does come through, we're able to find out in advance and fix it very quickly.

"We have an entire process where we can push software updates from our entire cloud down to the [Hue Hubs] and distribute it to all of the lights. That's super important, because the space is moving so fast and these are products that are going to last 15 years. And if we're going to make sure that they are still relevant in terms of functionality and to be sufficiently secure for the latest attacks, we need to have that."

In his correspondence with me, Ronen confirmed that Philips had indeed done an admirable job securing the Hue lighting system. "Philips [has] put a surprising amount of effort in securing the lights," Ronen told me. "But unfortunately, some of [its] basic security assumptions that relied on the underlying Atmel's chip security implementation were wrong." As Balan pointed out with Bitdefender's work on the Box, every aspect of the IoT device is subject to attack.


Philips also designed the central Hub—the device required for coordinating networks of Philips IoT products—to be inaccessible from the open internet. "All connections to the internet are initiated from the device. We never open ports on routers or make it so that a device on the internet can directly talk to the [Hue Hub]," explained Yianni. Instead, the Hub sends requests out to Philips's cloud infrastructure, which responds to the request, rather than the other way around. This also allows Philips to add extra layers to protect consumers' devices without having to reach into their homes and make any changes. "It's not possible for the [devices] to be communicated with from outside the Hub unless you're routed through this cloud where we can build additional layers of security and monitoring."

Yianni explained that this was all part of a multilayered approach Philips took to securing the Hue lighting system. Since the system is composed of several different pieces—from the hardware inside the bulbs to the software and hardware on the Hue Hub to the app within users' phones—different measures had to be taken at all levels. "All of them need different security measures to keep them safe. They all have different levels of risk and vulnerability. So we do different measures for all of these different parts," said Yianni.

This included penetration testing but also a bottom-up design intended to thwart attackers. "There [are] no global passwords like what was used in this Mirai botnet," said Yianni. The Mirai malware had dozens of default passcodes that it would use in an attempt to take over IoT devices. "Every [Hue Hub] has unique, asymmetrically signed keys to verify firmware, all this stuff. One device having its hardware modified, there's no global risk from that," he explained.

Yianni is just as pragmatic about the value of IoT devices. "A lot of these products tend to be connectivity for the sake of connectivity," he said. "The need to automate everything inside your home is not a problem many consumers have, and that's very hard to get your head around. We think that products that do well are the ones which offer an easier-to-understand value toward consumers."

The Irresistible Internet of Things

Knowing the risks about IoT, and even acknowledging its frivolousness, certainly hasn't stopped people from buying smart lighting such as Philips Hue, always-listening home assistants such as Google Home or the Amazon Echo, and yes, smart water bottles. Even the operator of Internet of Shit is a huge IoT fan.

"The real irony behind the Internet of Shit is that I'm a sucker for these devices," said IOS. "I'm an early adopter and work in technology, so a lot of the time I can't resist these things." IOS lists Philips connected lights, the Tado thermostat, the Sense sleep tracker, smart speakers, the Canary camera, and Wi-Fi-connected plugs among his futuristic home amenities.

"I'm aware that the account got accidentally far bigger than I ever imagined, and I don't ever want to discourage people from going into technology—I think that experimenting with dumb ideas is how great ideas can be born, which is something that Simone Giertz taught me a little bit," said IOS.

Giertz, an absurdist roboticist and YouTuber, is the mind behind Shitty Robots. Her creations include a drone that gives haircuts—or, rather, fails to—and a massive hat that places sunglasses dramatically on her face. Think of it as Rube Goldberg with a healthy dose of Silicon Valley cynicism.

The person behind IOS does report that he is trying to rein in his early-adopter instincts these days. "I think the moment I had to update my lightbulbs' firmware to turn them on was a bit of a realization for me..."

Bitdefender's Balan said he uses light bulbs that double as Wi-Fi repeaters. These devices extend both light and Wi-Fi to every corner of his home. But they are also loaded with many of the vulnerabilities he derided, including weak default passwords. When it comes to the IoT, though, he remains undaunted.

"It's like sex," he told me. "You wouldn't do it without a condom. We like sex, sex is awesome, we're not gonna give up sex just because it's dangerous. But we're gonna use protection when we're doing it." Instead of lapsing into paranoia, he believes consumers should rely on security companies and educated friends who can identify the companies that take security seriously with bug bounties and secure, frequent update tools.


And does the drone-piloting hacker Ronen use IoT? "Currently, no," he said. "I am afraid about the effect it has on my privacy and security. And the benefits are not high enough for my needs."

Even your humble author, who has resisted the siren song of talking smoke detectors and color-changing lights for years, has started to crumble. Recently, in an effort to spruce up the office for the holidays, I found myself setting up three separate smart lights. The result was horrifyingly, compellingly beautiful.

Meanwhile, a brand-new Philips Hue light is sitting in my Amazon shopping basket. Someday soon, I'll press the Buy Now button.
