The Internet of Every Damn Thing

Originally posted by Tech Republic.

The Internet of Things is loosely defined as devices other than a computer that can connect to the internet, and these days, that includes everything from a Fitbit to a fridge.

Much like the internet itself, IoT devices are amazing tools to make us more efficient and healthier, and while they generally make our lives easier, they also open up possibilities to frustrate, annoy and confuse us.

When you consider the applications of the Internet of Medical Things, for example — doctors monitoring their patient’s vital signs in real-time or adjusting medication on the fly — it’s natural to wonder at the marvels of our modern infrastructure. Then you go to fill up your car and suffer through a blaring ad on the tiny, scratched screen of the gas pump, and in-between fantasies of taking a sledgehammer to it, you wonder why humanity ever developed this scourge of modern life.

It all started with a cold drink

Long before the internet became the cause of and solution to all of life’s problems, in the early 1980s a computer science professor at Carnegie Mellon discovered a vending machine that could connect to ARPANET. Tired of schlepping all the way to the machine from his office only to discover it empty — or worse, stocked only with warm soda — he and a couple of students wrote a program that would report the contents of the machine and whether the cans had been there long enough to become cold from the machine’s refrigeration. Thus the very first IoT device was born.

From this inauspicious beginning, a phenomenon was born too. According to Statista, as of 2022, there were an estimated 13.14 billion IoT devices connected to the internet, with projections for a total of 29.42 billion by 2030.

Lurking in the shadows

Along with the rise of IoT devices, there has unfortunately been a rise in cybercriminals using them as an attack vector. The nature of the devices themselves makes them an attractive target: They are designed to be very easy to install, which means a user can just point them to a network and IT is none the wiser.

This is so common that there is a term for it: Shadow IoT. In one study by Infoblox, 80% of IT leaders found IoT devices on their networks they didn’t know about.

It doesn’t help that the manufacturers often take a very loose approach to security. Patches and firmware updates are slow to be released, if they come at all. Most IoT devices do not have a mechanism to check for and install regular updates. Even worse, many devices come with standard administrator logins that don’t require you to ever change the password.

Given all that, it’s not surprising that these devices have been at the center of many data breaches.

Brute force, botnets and API calls

IoT devices are an especially attractive target to create a botnet for a Distributed Denial-of-Service attack.

The Mirai malware was created for exactly this purpose in 2016. It scanned the internet for IoT devices that run on the ARC processor (1.5 billion devices as of 2014) and then tried a brute-force attack with a database of common factory default credentials. Once it was in, the device continued to function normally — thus hiding the exploit — but was subject to control from a remote targeting server. It was most notably used to take down DNS provider DYN, which impacted Amazon, Github, HBO, Netflix, Reddit and more of the internet’s most well-known destinations.

In 2021, several users of Western Digital’s My Book Live suddenly found their storage partitions wiped, which in some cases erased years of data. The root cause was an exploit in the REST API that allowed unauthenticated remote command execution. This exploit had been reported three years earlier, but it was met with a shrug from Western Digital because the devices were no longer supported.

Security cameras in several Tesla warehouses that belonged to a start-up security company called Verkada were also accessed. I will not use the word “hack,” as that would give the bad actors a little too much credit, since it turns out they found those administrator credentials publicly online. This gave them access not only to Tesla, but also to several other well-known companies’ security feeds and full video archives — including Equinox and Cloudflare.

Who watches the watchmen?

Although these data breaches have attracted the attention of regulators and professional organizations, any changes in legislation may come too late to prevent the next botnet or API exploit.

Given the broad scope of these breaches, and the attractiveness of IoT devices as targets, should you run home and unplug every smart device you have? Not necessarily, but the most important takeaway here is that the onus of security is on you as the end user.

Denny LeCompte is the CEO of Portnox.