If you’re keeping at least half an eye on internet security news, there’s rarely a week where you don’t see an article about a website breach. Some hacker has managed to steal a website’s database full of user names, passwords, and credit card numbers. How did they do it? More often than not, they abused a security vulnerability in the website’s code. You might get the impression that most websites are less secure than they should be, and while that might not be too far from the truth, the main reason why so many sites are hacked, is the sheer number of websites on the internet.
So what can possibly go wrong with the gradual introduction and the predicted boom of the era of Internet of Things (IoT)? It will be a gigantic playground for hackers. Securing IoT devices will be even more important than securing web sites. Still, the research done by author Nitesh Dhanjani and other IoT security researchers paints a bleak picture of the future: The security of many current IoT devices is just as bad as a lot of websites’, and IoT manufacturers make the same, naive and senseless mistakes web site developers do, but the consequences might be a whole lot more serious.
While Dhanjani’s book covers a wide range of interesting topics, from baby monitors to the Tesla S, it doesn’t contain anything really new or groundbreaking – at least if you’re a little up-to-date in the field of internet security. Many IoT devices are based on the familiar client-server paradigm, which means that many of the same methods that can be used to make a website on the internet more secure can also be applied to make IoT devices more secure: Implicit trust is dumb, treating any network is insecure is smart. Open communication is dumb, encryption is smart. Simple passwords are dumb, two factor authentication is smart. Stuff like that.
The problem is that many of these fairly easy methods are ignored by many IoT manufacturers.
One thing to take away from “Abusing the Internet of Things” is this: Don’t connect all your devices to the internet. At least not yet. With websites, you should assume that the person who made it is an idiot who knows nothing about internet security. With IoT devices, you should assume that the person who made it is an even bigger idiot who, in addition to not having a single clue about internet security, also makes it unreasonably hard to update the device firmware when someone disclose a vulnerability. It must be possible to automatically update IoT devices, or we’re all doomed.
If you do connect an IoT device to your home network, at least treat it as a wide open door that anyone with a computer can use to get inside your network. And then your home.