The Internet of Things: “Can You Trust Your Toaster?”

“Can you trust your toaster?” was the subtitle of a paper published by the National Defense University in 2000. The paper discussed “information terrorism,” defined by the authors as a subset of information warfare, (1) but the title neatly captures the threat posed by what we now call the “Internet of Things” (IoT). The “things” in question are devices connected to the Internet, not only toasters but also refrigerators, security cameras, and other types of “smart-house” technology. While consumer products comprised about two-thirds of IoT devices in 2017, business and industrial applications are growing rapidly. Gartner predicts that more than 20 billion devices will be connected to the Internet by 2020. (2)

IoT devices promise greater efficiency and cost savings for many economic sectors. Heating and air conditioning systems, lighting, and security in many buildings are already controlled remotely by operators who access system controls via the Internet. Power generation and energy production facilities like oil fields also use industrial control systems that are part of the Internet of Things. And the automobile industry is equipping new vehicles with Bluetooth and WiFi-enabled features that include email and web browsing capabilities. Automated monitoring of vehicle location and performance is already widely available. The European Union now requires that all new vehicles have an automated notification system to alert emergency services in the event of an accident. (3)

Threats and Vulnerabilities

While IoT devices have many advantages, they also pose growing risks. Users of fitness trackers were surprised in early 2018 when global tracking company Strava published sensitive locations of U.S. military units in the Middle East based on the GPS capabilities built into Fitbit. (4) This was one of the more startling revelations of how IoT devices can be used to compromise user locations.

IoT devices used by homeowners, are notoriously insecure. While individuals may apply good cybersecurity practices to their personal electronic devices, few think about changing the passwords that came with their TVs and other IoT devices. Nor do companies always think to change the default passwords on industrial robots, air purifiers, and other equipment connected to the Internet. This kind of oversight creates a vulnerability that can be exploited by malicious cyber actors for significant attacks, some of which have demonstrated the disruptive and potentially destructive force of compromised devices.

A case in point is the Mirai botnet attack against Dyn, Inc., a New Hampshire-based Internet services company primarily known for providing DNS (domain name system) service to many well-known companies. In October 2016, the company suffered disruptions to the websites of its major customers including Twitter, PayPal, Reddit, GitHub, and Netflix. The disruptions were caused by DDoS (distributed denial of service) attacks from more than 175,000 IoT devices controlled by Mirai malware.

Mirai’s creators programmed the malware to search for IoT devices such as home routers and video cameras that had default passwords or hardcoded user names and passwords. They found thousands. Mirai then marshaled these devices into a botnet army that, when activated, generated billions of Internet connection requests to a specific target, flooding it with too many requests to handle and causing the target to shut down: a classic DDoS attack. (5)

The hackers behind Mirai made one critical mistake, however. Before they launched their attack against Dyn, they attacked the website of security researcher Brian Krebs, DDoS’ing his website with over 600 Gbps of connection requests. Krebs is one of the most highly respected experts in cybersecurity and he was not about to allow the attack to go unexplored. His analysis and perseverance paid off. He identified Paras Jha and Josiah White as the authors of Mirai. Jha, from New Jersey, and White, from Pennsylvania, used Mirai to generate business for their company, Protraf Solutions LLC, which specialized in mitigating large-scale DDoS attacks. As Krebs put it, it was like firemen getting paid to put out fires they had started. Krebs turned the information over to the FBI. Jha and White and a third co-conspirator from Louisiana pleaded guilty to the DDoS attacks and to a related click-fraud scam based on using their botnet to generate bogus advertising income. (6)

This wasn’t the whole story, however. More damage was done when Mirai’s creators released their source code, allowing other hackers to create their own versions of the malware. One variant, that caused disruption in Germany, attacked routers in which TCP port 7547 was accessible remotely. At the same time, the malware exploited a vulnerability in the CPE WAN management protocol. (7) Other variants of Mirai used similar techniques, and the source code is still “out there” in the wild, waiting for the next entrepreneurial hacker to use.

The Mirai story illustrates how IoT devices can become a strategic vector for cyber attacks. While the disruption caused by DDos attacks can be a nuisance, threats from compromised IoT devices also pose a major threat to critical infrastructure. Senior officials have for years talked about the possibility of a “Cyber Pearl Harbor” based on attacks against U.S. critical infrastructure from nation-states or other malicious actors. There is also a real threat of an IoT attack from within our critical infrastructure. The Department of Homeland Security recently issued an alert about Russian penetration of major U.S. electric power companies. In this case, industrial control systems in the grid were implanted with malware that could cause destruction, although Russian operators stopped short of activating the implants. (8)

Beyond threats to critical infrastructure, cyber criminals use IoT devices to gain access to corporate networks to steal money and data. One semi-amusing example is from cybersecurity firm Darktrace. Their CEO told a London conference in April 2018 about a casino that was hacked via the thermometer in the aquarium in the lobby. Hackers gained access to the casino’s main network through the connection to the thermometer and located the high-roller database, which they pulled out of the casino and stashed in a cloud. (9) Their ultimate goal can only be guessed at, but they clearly had a plan to monetize the data they stole.

Better Security in the Future

As bleak as the IoT security picture appears, there is hope for improvement. Driven by the growing use of IoT devices in business and industry, several techniques are being developed to prevent compromise of the devices or the networks they are on.

“Cat-M” is a new class of chipset designed for sensors running the LTE mobile communications protocol. The first 4G LTE Cat-M1 network became operational in 2017, and design is underway for Cat-M chips for 5G networks that will be up to 100 times faster than today’s 4G networks. (10) In addition, government and industry leaders are pushing for cybersecurity standards to provide a security framework for IoT devices. (11)

Other techniques address the fact that the technology used in IoT devices is less capable than that used in personal devices. For example, the hardware used for IoT devices has a small amount of processing power and can’t run anti-virus software in the background. To compensate, some companies are offering “IoT credentialing services” that provide authentication and encryption for mobile operators who remotely operate IoT devices across large enterprises and critical infrastructure. (12) Cybersecurity companies are also looking at improvements in integrating networks containing IoT devices as part of cloud-based architectures supporting entire enterprises.

So, while the future of IoT is looking better from the perspective of more use and better security, individuals and companies alike can enhance their current security by practicing the same good cyber hygiene on IoT devices as they do on their personal and work computers. Change default passwords, disable features that are not used, and disable remote access to IoT devices whenever possible unless they are covered by security technology. Implementing these minimal actions will allow people to enjoy the convenience of IoT without having to worry about potential consequences. One day, we may even be able to trust our toaster.

1 Matthew G. Devost, Brian K. Houghton, Neal A. Pollard: Information Terrorism: Can You Trust Your Toaster? (National Defense University, 2000)
2 https://www.gartner.com/en/newsroom/press-releases/2017-02-07-gartner-says-8-billion-connected-things-will-be-in-use-in-2017-up-31-percent-from-2016
3 Jeremy W. Bryans, “The Internet of Automotive Things: vulnerabilities, risks, and policy implications,” Journal of Cyber Policy, 2017, vol. 2, No. 2, pp. 185-194
4 https://www.washingtonpost.com/world/a-map-showing-the-users-of-fitness-devices-lets-the-world-see-where-us-soldiers-are-and-what-they-are-doing/2018/01/28/86915662-0441-11e8-aa61-f3391373867e_story.html?noredirect=on&utm_term=.5031c5ebf93e
5 Symantec, Internet Security Threat Report, Vol. 22, April 2017.
6 https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/
7 Ibid.
8 https://www.us-cert.gov/ncas/alerts/TA18-074A
9 Oscar Williams-Grut, Business Insider (Deutschland), 15 April 2018
10 https://www.verizon.com/about/sites/default/files/Verizon-2017-State-of-the-Market-IoT-Report.pdf
11 Business Insider (Deutschland)
12 https://www.verizon.com/about/sites/default/files/Verizon-2017-State-of-the-Market-IoT-Report.pdf

Return to our HOME PAGE.