You just bought this brand new connected vacuum cleaner, yay! And I bet that you are also very happy with your smart lock that automatically opens your door when you are standing in front of it. Pretty useful when you come back from grocery shopping, isn’t it? Well, it can be pretty dangerous too.
Have you ever thought about cyber security regarding these objects? Do you realize that smart homes are a hacker’s dream? It is time to follow the white rabbit down its hole and learn more about the risks of IoT.
PART 1: FOREWORD
WHAT IS IOT?
IoT stands for Internet of Things. It refers to a new category of objects that use network connectivity to interact with their users, or even with each other; in that case, we speak of smart objects. The IDATE (the European digital economy think tank) estimated the number of connected objects at around 15 billion in 2017 and predicted that there would be over 36 billion by 2030. Feeling dizzy now?
IOT AND CYBER SECURITY
When talking about connected locks, cameras or even coffee machines, people usually think that those objects are wonderful “black boxes” with advanced tech inside and that no harm can come from them. The truth is unfortunately not that pretty.
The vast majority of connected objects use widespread and well-known tech, well known by hackers in particular. Without cyber security concerns from the companies building these products, their customers are put at risk. Examples of hacked devices include locks, cars and webcams (just watch this « Black Mirror episode »).
Have you heard about the cyber attacks against Dyn or OVH last year? Their unprecedented strength essentially came from compromised connected objects. That was the first real warning shot about the need for cyber security in the IoT.
How about collecting customers’ data? After all, everyone is doing it and it will not harm them. Plus, you can learn a lot about them and eventually make more profits.
IoT is an additional way to collect and use data. There are three different ways to use it:
• Make global statistics
• Track users’ habits to sell them stuff
• Sell these data to other companies.
You must keep in mind that, unlike websites, connected devices are present around customers the whole day. Collecting data using these devices is much more thorough, so cyber security must be your top priority if you want to avoid being mentioned in an FBI warning.
PART 2: THE ENTREPRENEUR AND THE HACKER
A CONNECTED MAN IN HIS SMART HOME
Pierre Aronnax is the CEO of a startup working on IoT development in Paris. He is a huge tech fan who loves to discover new gadgets on platforms such as Product Hunt. For people like Pierre, living in 2017 is pretty much like living in the golden age of video games. Each day is a new opportunity to buy new connected stuff. What a great time to be alive!
The day starts with his mobile waking him up with music streamed from the Internet. Algorithms know his tastes and enable him to discover new songs every day. He also uses his smartphone to order his coffee… directly from his brand new connected coffee machine. A different coffee each day, depending on his mood. In the bathroom, Pierre checks the weather while shaving, with music playing. Unfortunately for him, his shower is only connected to the water supply.
When Pierre leaves home for work, his robotic vacuum cleaner starts working on its own. When closing the door, there is no need to check for his keys. When he comes back home, he relies on his mobile to automatically open the door. Same for his office’s door, since he bought the same lock for both places.
Sometimes, he forgets to feed the cat before leaving. Fortunately, Pierre has bought a connected cat feeder that will give it some food and water. He can even look at it using the integrated camera. At the end of the day, Pierre will even have his coffee ready when he comes back home.
A HACKER DIVING IN AN OCEAN OF DATA
Sadly for Pierre, today is the big day. Some shady competitor has hired a hacker to take him down. The hacker quickly finds everything he needs to know about the company and its CEO thanks to social networks. He eventually finds a badly secured online shop that has sold Pierre a lot of connected objects. It has been child’s play to get critical information about him: address, credit card number, devices he bought, etc.
Now, where to start? First, the evil hacker has planned a robbery at Pierre’s flat. All he has to do is call a friend of his and simply ask him to do it on his behalf.
The first step is to get into the flat’s network. Hacking the ZigBee network of the light bulb is easy, and the bulb is connected to the wifi as well. So it is easy to use it as a spy and listen to the local network. The more Pierre uses his connected objects, the more active the network is. The data collected has given the hacker a lot of information about Pierre’s habits. So he knows exactly when to break in and what to steal.
Using the light bulbs, the hacker has a list of all the connected devices within the flat. From the data they send and their MAC addresses, he can guess their locations. The vacuum cleaner has helped him draft a map of the flat. Believe it or not, the hardware sends its moves over the wifi connection! Thanks to the webcam of the cat feeder, he has learned that there is no dog inside.
LET THE PARTY BEGIN!
With all this information, breaking into the flat will be a piece of cake! The lock is a simple Bluetooth device that sends data without encrypting anything. It is as simple as opening the door with a screwdriver! He told his friend to leave the coffee machine plugged in until the end. As usual, a cappuccino will be waiting for Pierre when he comes home, so the robber will know when to leave.
Now it is time to go to his office. Guess what: it is the same Bluetooth lock! Every computer and server ends up being stolen. No need to think about backups in the cloud: his competitor will not give Pierre a chance to start again. Since the thief does not need to break the door to enter, insurance will probably not cover the robbery. Pierre’s payment data will be used to buy him back everything that was stolen, including a smart TV, video games, and some expensive connected stuff. This should empty his bank account and prevent him from buying the hardware used for his startup.
At this point, all they have to do is sell their loot on the darknet, including his business’s data. It should put an end to his projects. Everything is lost for Pierre because of his negligence regarding cyber security (and merciless hackers, of course).
PART 3: PROTECT AND SERVE
FIRST, DON’T BE THOSE GUYS
IoT devices are often built by entrepreneurs who want to quickly release the first version of their product. They do not always have the experience and maturity regarding cyber security, and a lot of mistakes have already been made in the past.
Here are some examples not to follow:
1/ Several connected locks send data as clear text, including the password, allowing a hacker to listen with a simple Bluetooth device and to open the lock or even change the password.
2/ Smart locks again. Some manufacturers use a single hard-coded password for all of them. Once you know it, you can open every one of them.
3/ Other manufacturers include a backdoor to allow their technical team to access the device remotely for customer support. The password is hard-coded and easily known. At this point, hackers only need to find a breach in the administration website to take full control of the device.
As said earlier, connected objects are built with widespread technologies, with well-known security flaws. In fact, they are often something close to a Linux server with a web interface.
When you build such devices, you MUST think about hackers. Their methods are often the same as against any server: try to connect, hack the administration website and listen to communications. Once you admit that, a connected device is a server like any other.
WHAT SHOULD YOU DO?
Connected objects often come with an administration interface. Most of the time, it is web-based, so you should be as careful as you are with a website. You must also ask the user for a password during the first use of your product. The reason is that he will likely keep the default one if you let him do so.
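The two credential mistakes from the “examples not to follow” above (one hard-coded password shared by every unit, plus a hidden support backdoor) and the advice to force a password change on first use, side by side as an added example. This is illustrative code written for this article, not the code of any real lock or feeder: the password values, the `DeviceAuth` class and its method names are all constructed.

```python
import hashlib
import hmac
import os
import secrets

# --- The pattern the article warns against (constructed values) ---
FACTORY_PASSWORD = "admin1234"        # same on every unit shipped
SUPPORT_BACKDOOR = "supp0rt-access"   # hidden remote-support login


def bad_check_login(password: str) -> bool:
    """Shared secret: learn it from one unit and you open all of them,
    and the support backdoor can never be disabled by the owner."""
    return password in (FACTORY_PASSWORD, SUPPORT_BACKDOOR)


# --- Per-device credential with a forced change on first login ---
class DeviceAuth:
    """Each unit gets its own random initial password (printed on the
    unit's label in a real product), stored only as a salted PBKDF2 hash.
    The first successful login is not usable until the owner replaces it."""

    PBKDF2_ROUNDS = 100_000
    MIN_LENGTH = 10

    def __init__(self) -> None:
        self.initial_password = secrets.token_urlsafe(12)
        self._salt = os.urandom(16)
        self._hash = self._derive(self.initial_password)
        self.must_change = True

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self._salt, self.PBKDF2_ROUNDS
        )

    def verify(self, password: str) -> bool:
        # Constant-time comparison so timing does not leak the hash prefix.
        return hmac.compare_digest(self._derive(password), self._hash)

    def login(self, password: str) -> str:
        """Returns 'denied', 'change_required' or 'ok'."""
        if not self.verify(password):
            return "denied"
        if self.must_change:
            return "change_required"
        return "ok"

    def change_password(self, old: str, new: str) -> bool:
        """Requires the current password; rejects short or unchanged values."""
        if not self.verify(old):
            return False
        if len(new) < self.MIN_LENGTH or new == old:
            return False
        self._salt = os.urandom(16)   # fresh salt for the new secret
        self._hash = self._derive(new)
        self.must_change = False
        return True
```

Note that there is no support credential at all in `DeviceAuth`: remote assistance, if a product needs it, has to be something the owner explicitly enables and can revoke, not a second password baked into the firmware.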
You should particularly think about communications, since this is the most common way to hack a connected object. SSL must be used every time it is possible. It is a simple way to prevent a device that eavesdrops on your communications from replaying them.
Remember never to trust your users’ data. IoT interacts with the world and with users. It must not crash or misbehave if it receives fake or corrupted data. To achieve that, your development team must be aware of cyber security best practices and be trained by specialists on a regular basis.
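What “replaying” a captured message actually means, and why freshness defeats it, as an added example (not code from the article or from any lock vendor). The article’s recommendation is SSL/TLS, which provides this property and confidentiality for IP links; the snippet below isolates just the replay aspect with a minimal HMAC challenge-response, since a Bluetooth lock frame is easier to show in a few lines than a TLS handshake. The `ClearTextLock` mirrors example 1/ above; the `ChallengeLock`, its key and message layout are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed: a key shared between the phone app and the lock at pairing time.
PAIRED_KEY = secrets.token_bytes(32)


class ClearTextLock:
    """The article's example 1/: password travels in clear, no freshness.
    Whoever captured one OPEN frame can resend it indefinitely."""

    def __init__(self, password: str) -> None:
        self.password = password
        self.opened = 0

    def receive(self, frame: bytes) -> bool:
        if frame == b"OPEN:" + self.password.encode("utf-8"):
            self.opened += 1
            return True
        return False


class ChallengeLock:
    """The lock issues a random single-use nonce; the phone must answer with
    HMAC(key, nonce || command). A captured answer is bound to a nonce the
    lock will never issue again, so replaying it fails."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.pending = None  # the only nonce currently accepted
        self.opened = 0

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def receive(self, nonce: bytes, command: bytes, tag: bytes) -> bool:
        if self.pending is None or not hmac.compare_digest(nonce, self.pending):
            return False          # stale, reused or never issued
        self.pending = None       # consume the nonce before checking the tag
        expected = hmac.new(self.key, nonce + command, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        if command == b"OPEN":
            self.opened += 1
            return True
        return False


def phone_answer(key: bytes, nonce: bytes, command: bytes = b"OPEN"):
    """What the legitimate phone app sends back for a given challenge."""
    tag = hmac.new(key, nonce + command, hashlib.sha256).digest()
    return nonce, command, tag


def replay_demo():
    """One genuine unlock followed by one replay of the captured message,
    against each lock. Returns (cleartext opens, challenge opens)."""
    weak = ClearTextLock("hunter2")
    captured_frame = b"OPEN:hunter2"
    weak.receive(captured_frame)
    weak.receive(captured_frame)            # replay: accepted again

    strong = ChallengeLock(PAIRED_KEY)
    captured = phone_answer(PAIRED_KEY, strong.challenge())
    strong.receive(*captured)
    strong.challenge()                      # lock issues a new nonce
    strong.receive(*captured)               # replay: old nonce, rejected
    return weak.opened, strong.opened
```

The nonce is consumed before the tag is verified, so even a malformed answer burns the challenge; the phone simply asks for a new one. What this sketch does not give you is confidentiality or protection against a live relay of the session, which is part of why the article points at SSL/TLS rather than a home-grown scheme.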
As for websites, the best way to trust your product’s security is to ask specialists to check it. You must also pay attention to the servers that will communicate with your objects. These data, valuable and personal, will be an attractive target for hackers.
Despite your best efforts to have top cyber security for your connected object, there can still be a hacker who manages to get through. In that case, the cost for your company can be very high. The best advice we can give you is to take out cyber insurance to cover the remaining risks.
Learn more about our cyber security recommendations here
When building a smart device, you may want to collect data. Today, it is a common way to work. But you must also think about your customers’ privacy. When you hold personal data, you may have obligations to declare and protect it. Some countries even consider an IP address to be personal data, as it can be used to identify someone.
So, you should not sell it without your customers’ consent, and you must be clear about what you collect. For example, an American company that builds connected sex toys was condemned to pay 4 billion dollars because their “toys” were easy to hack and collected, without consent, data that was far too sensitive…
Entering the world of IoT is a fantastic project! Smart devices are spreading at an incredible speed and we do not even realize it. To protect yourself and your customers, cyber security needs to be a major concern and an essential part of your product.
Nowadays, we hear about compromised webcams hacking other webcams, smart locks that can easily be fooled into opening doors, etc. In the future, there will be far more connected devices such as toasters, cars or autonomous weapons. Thought leaders such as Elon Musk or Stephen Hawking have already warned us about “killer robots”.
Smart devices can help us a lot. But we do not want them to be used against us. Popular culture brought fictional movies such as Terminator to make us reflect on the danger of technology. Could it become a reality in a near future? Hopefully, Skynet will not read this article.