The insecure Internet of Things

The internet is everywhere. No longer just on our phones, on our computers, the internet has expanded. Smart watches, smart tvs, smart appliances all can connect to the internet. There are even smart toys, smart shoes, smart hair staighteners. This collection is called the Internet of Things. It’s basically anything that isn’t a computer than can get online. But like all emergent techonologies, it’s got its problems. Adam Murphy spoke to Ken Munro from PenTest Partners to see how safe - or unsafe - it can get...

Ken - I've spent the last five years with my colleagues looking at Internet of Things and it's pretty bad. We've seen some horrible things happen, so we've seen people spied on through their home security cameras, we've seen bits of the internet taken down with botnets made up of compromised IoT devices. And we've also seen the start of ransomware on smart things, so maybe things like holding your thermostat to ransom so you can’t turn the heating on.

Adam - So what kinds of things has Ken broken into?

Ken - There's been some really unpleasant examples. We've seen some devices.. one was a kids’ toy called My Friend Cayla that anyone nearby, say 30-40-50 meters, could spy and listen to you and your kids in your house. And even worse, anyone could talk to your child through an innocent doll. That's pretty horrible.

Adam - But surely tech for grown ups isn't subject to this. Surely we wouldn't trade security for convenience. What could he possibly find that would do that?

Ken - The Wi-Fi enabled kettle.

Adam - Ah.

Ken - The idea was that you could connect to the kettle using an app on your phone and you could boil the water remotely. Which is great. So the idea being you wake up in the morning, roll over out of bed, press a button on the app, and by the time you get to the kitchen, you've got a kettle of boiling water, saving you maybe 30 seconds, I don’t know. So they could then join your Wi-Fi network and if you hadn't changed the administrator password on your Wi-Fi router they could intercept all the traffic you had. And that's quite nasty. So you could intercept your social media, might be able to intercept your banking. Your whole online life is now theirs. Just because you wanted to boil your water in your kettle from your bedroom.

Adam - But there were more nefarious things as well, including a pair of smart hair straighteners.

Ken - Now the reason I looked at these is because I was trying to see if there was a way that we could get the Internet of Things to set fire to stuff. Problem is, there wasn't any Bluetooth security, so we could turn the temperature up remotely and we could also tell them not to turn off as quickly as you thought. And after doing some research speaking to a fire service, they suggested that nearly 650,000 house fires are caused by hair straighteners being left on. That was quite sobering really.

Adam - And if ordinary hair straightness can cause that many fires, what could happen if people could hack into smart ones? With that in mind, is the Internet of Things all bad?

Ken - Now, don't get me wrong, I do think there's there's good use for Internet of Things. For example, in assisted living for the elderly, so they can live independently longer. I think in medical technology there's some really good smart technology that can diagnose diseases better and help us live longer. But do I really need a Wi-Fi kettle? Is it really important to me? I don’t know.

Adam - How do you tell a good device from a bad device then?

Ken - Everyone asks me this and I have to say, hand on heart, I can't tell you. But by and large, the bigger, better known brands are better at dealing with vulnerabilities when they're found. The problem is, it’s the smaller brands aren't so well-known, they're probably a first product to market, a startup, and if something's found, they'll run out of money by recalling or repairing a product. So by and large, I’d say err towards the bigger, better known brands because they're more able to fix the problems. But if you were into a shop to ask me which product better than the other, I couldn't tell you.

Adam - How does a good hacker, also known as a white hat hacker, go about doing this ethically?

Ken - What we don't do is we don't go and find vulnerabilities and tell the world immediately because that wouldn't be fair. It wouldn't be fair on us the consumer to all of sudden have someone hack our stuff. So what we do is we report it privately to the manufacturer. We tell them about it, we tell them what's wrong. All for free. Don't charge them a penny. Tell them what we think they should do and then ideally what they do is they fix it, they send us an update saying ‘look think this fixes it’, we check it and then they update their customers and then they tell the market. But what often happens is we get stonewalled. A lot of manufacturers don't take kindly to people telling them the stuff that’s wrong with their products. They try to ignore us. And that's when things get really awkward for us because we've got people buying the product, we've got people using the product that we know is insecure. So at what point do people need to understand there's a problem, that they need to seriously reconsider whether they use the product? And that's often when we’ll go and ask for help from journalists or sometimes government agencies that can help us make these companies listen. Because last we want to happen is for people to be hacked. We want them to be safe. We're the good guys out there, right?

Adam - And what should us ordinary people do?

Ken - Make sure your app is completely up to date. Make sure you got the latest updates and make sure the app is able to update the product as well. Sometimes you get what are called “firmware updates” in the app, the phone then pushes those updates through to the smart product to keep it secure.

Adam - And what are Ken's final words on the Internet of Things?

Ken - Do you actually need to connect your fridge to the internet? Where's the benefit from being able to tweet from your refrigerator? So do ask if you actually need this thing or is it just a gadget that you want to have a play with and you'll probably forget about in six months time. That's really really important. If you don't need it, don't pay the extra for it. You do also have the option of not connecting things. A lot of smart TV is like to be connected to the internet but you can not do that. You can not connect your washing machine to the Internet. That's kind of a good thing to do. Yes, even if it does come with connectivity, ask yourself if you really need to hook it up. Because that way you're breaking the link between the hacker and your stuff. That's a really good spot.