Security commonly takes a backseat to convenience in the real world. As a result, people have become numb to the unending cacophony of data breach news reports steadily streaming into our newsfeeds. But how lucky are current generations of people around the world to live in a time in which most people can afford to buy at least some of these new luxuries that connect to the Internet and do so many great things for us, right? How did we ever get by in life before these things were invented? What’s worse though is that we seem to be unknowingly jumping headlong into a situation that is pretty ugly, one in which we are becoming increasingly reliant on Internet speed and bandwidth but where the bandwidth is not tightly regulated by the FCC (Net Neutrality) and the few ISPs monopolizing the market can charge whatever prices they want. In fact, the 2018 FCC report showed that,
“the deployment of advanced telecommunications capability slowed dramatically” — 2018 Broadband Deployment Report
I, for one, argue that we got along just fine without having so many gadgets connected to the Internet. The ubiquity of the Internet has been spurred on by social media sites like Facebook, Instagram, Twitter, and Snapchat. I’d even go so far as to say that the world was a better place before some world leaders started using social media platforms like Twitter as an instrument of foreign diplomacy. I preferred the Internet before Net Neutrality was repealed by the FCC Trump-puppet Ajit Pai. I preferred the Internet before tech giants like Facebook, Google, Apple, Microsoft, and Amazon started tracking people online with browser cookies at an alarmingly increasing rate for marketing and third-party data broker profit purposes. The Internet is still a great thing, don’t get me wrong. But I do believe that it is increasingly becoming a cesspool of danger that is best not to connect sensitive data to.
Culture of Connectedness
It is great having so much information, entertainment, and utility at your fingertips whenever you want to access it online except for those rare times when a website is down or you experience an Internet Service Provider (ISP) outage, right? Yeah, then it’s just fucking annoying. That’s not “smart,” it’s incredibly dumb to rely on the Internet to be able to use everyday household items. My, how far we have come from the early days of home computing. No longer are the only things connected to the Internet just computers. Now so much is connected to the Internet.
Dystopia Cyberpunk Is Now
No joke. Just look at all this junk we’re connecting to the Internet. “Smart” devices, as manufacturers call them. Companies marketing these shitty Internet of Things (IoT) devices don’t care about the environment, the security, or the privacy implications of manufacturing or connecting all of these devices to the Internet. It’s not just the environmental unsustainability of these products that is a major issue the world is just beginning to see the effects of. It is also about security implications like vulnerabilities in Wi-Fi security standards such as Wi-Fi Protected Access (WPA), WPA2, and now even the brand new WPA3 security standard (see: Dragonblood).
Every Device You Own is Spying on You
Let’s take a look at just a few things we’ve seen get connected to the Internet in recent times. This is not meant to be an exhaustive list by any stretch:
Amazon Echo, Google Home, or Apple HomePod — pick your data privacy poison. If you really want to pay a lot of money to have a company spy on your intimate conversations that only you should be privy to (Shhhhh! it’s always listening as long as it is powered on), go ahead and drop some pretty pennies on the Apple HomePod. It is consistently priced along with other snobbish Apple products that cost more but actually do less in terms of functionality. Now, why you even need to connect a light bulb to the Internet is a difficult concept for me to understand, and I am somewhat of a technophile, which means I am a fan of most things tech. However, I am not a fan of Internet-connected light bulbs. I prefer my light to be of the generic and “dumb” variety. Instead of turning my lights off remotely through an app on my phone, I prefer to do it in person before I leave the house.
Home Security Systems
Rather than paying a monthly subscription fee to a home security system monitoring company, many people prefer a Do-It-Yourself (DIY) approach to home security systems. Personally, knowing what I’ve come to learn over the years about Internet security, just thinking about the deadbolt to my front door being remotely controllable from the Internet via a smartphone app makes me want to shove a sharp №2 pencil through my eyeball. Say no more.
I totally get that this is the 21st century and people want the convenience of being able to remotely control their thermostats. It is a revolutionary invention for sure. I am just not convinced I personally need this in my life or the security risks that come with it. Now, I am aware that with everything there is some measure of risk. People who have ADT and other types of home security systems have had their homes broken into and the alarm systems disabled by intruders. It is usually better to employ a layered defense; in this case I mean an alarm system, a guard dog, friendly neighbors who will keep an eye on your home and call if something looks suspicious, and home protection (like firearms, or at least a baseball bat with nails spiked through it).
I get that some people want to know whether they are low on eggs while at the grocery store, so they just check their fridge app on their smartphone and have an instant shopping cart list. Cool! Still though, I’ve never needed or wanted this feature in my life. Call me an old-fashioned curmudgeon (guilty as charged), but I’d rather just write myself a list with pen and paper and take it to the store to do my shopping or even better, use my memory!
Do you need a bed/mattress app on your smartphone to tell you that you didn’t sleep well last night? Oh no, according to my mattress I only got 4.5 hours of sleep last night! No wonder I am so tired… What happens though when your health insurance provider and employer somehow get a hold of that same data and use it to discriminate against you in some way or charge you higher insurance premiums? Yeah, no thanks. I’ll pass on that. I see no benefit in connecting a bed to the Internet. For what? What good will come of it? It’s similar to letting the car insurance company install a monitoring device in your vehicle to lower your premiums. A risky proposition no doubt.
Smart Toaster Ovens
I don’t know about you, but watching bacon cook in a smart toaster oven on my smartphone from the sofa in the other room is a must-have. False. That is another useless Internet-connected appliance. Maybe you have to be a foodie or a chef to appreciate such things? I’ve never met anyone who actually has one of these toaster ovens though.
Sex Toys (which leads to the next item on the list…)
Sex is such a taboo subject for many people. But I think that is absurd because absolutely none of us would be alive on this planet today if our parents didn’t do the nasty. Sex is a natural necessity whether you want to realize it or not. Get over it already, but be smart about it. Sex education is important.
Some people just have to connect every damn thing to the Internet. If Internet-connected sex toys are your thang Bae, then let’s just hope that thing isn’t hacked “during the moment,” right? Who knows, maybe some folks are into that sort of thing? It’s not my cup of tea, but also know that the metadata from these toys can be hacked or leaked when not properly secured in some online Cloud database somewhere and then posted online for the entire world to see. It is not just about physical safety, but it is also about keeping intimate activities between consenting adults private. Have fun explaining to Mom, or to the company you work for that Googles your name, when your sex toy usage data shows up in the results… This has probably already happened in a Judd Apatow movie now that I think of it.
Bodily harm is also a possibility though as we learned from Stuxnet and the Iranian centrifuges which operated on software that was infected and sabotaged via the Stuxnet worm. These sex toys all have tiny motors inside them that cause the enjoyable vibrations people get off on. Some of these devices have oscillating mechanical components that rotate, vibrate, and gyrate in various orifices of the human body.
Imagine malware infecting these IoT sex toy devices that leads to injuries or sex robots being remotely hacked to cause physical harm or even murder participants. It might seem like a stretch of reality right now, but it is bound to happen given time. There are some really deviant-minded people in this world. I am confident that we’ll see a Shodan search category for sex robots soon enough if there isn’t one already.
Smart Baby Monitors
Creepy stories that are the stuff of parents’ nightmares: hacked baby monitors, some of which have webcams, with some anonymous stranger talking through your baby’s monitor or recording video of your baby. This has happened several times and appeared in the news on multiple occasions, but still there are parents who continue to buy these things and connect them to their home Wi-Fi networks thinking that it will never happen to them. It’s almost like Darwinism here, folks, except it’s survival of the IoT-fittest.
Can we not just use “dumb” low-tech baby monitors as parents? My wife and I did. Even those, however, operate using Radio Frequency (RF) bands that are well-known and which can be intercepted and/or interfered with. Why do you need to buy a fucking Internet-connected baby monitor complete with a webcam? Oh, that’s right, because you can’t be bothered to go and actually check on the baby periodically with your own two eyes? As long as we have sheeple who insist on buying these shitty insecure IoT devices, manufacturers will keep making them and profiting off of them. Hackers gonna hack, but something tells me that these folks are the same types who use default passwords on their home Wi-Fi routers. These companies are using their profits to lobby politicians to not pass legislation requiring stricter IoT device security.
For some people, surgically-implanted medical devices are essential to continue living. However, the medical industry has, in its infinite wisdom, begun making some of these devices rely upon Wi-Fi signals to communicate with medical providers over the Internet, because nothing bad could possibly go wrong on the Internet [insert laughing at this time, ok, that’s enough, moving on]. Security vulnerabilities discovered in these devices after they are manufactured and surgically implanted in patients are not patched. To add to this threat, newly discovered vulnerabilities could enable a remote attacker to take control of a medical device such as a heart pacemaker and slow down a person’s heart rate or speed it up so fast that they die. Dick Cheney knows about this cyber threat. After all, is the medical device capable of being remotely patched for newly discovered code vulnerabilities or does it have to be surgically removed and updated? If it’s the latter, OMFG! That’s not an optimal situation to be in for any patient.
Oh my Lord, how did we ever vacuum our homes without these new-fangled Internet-connected vacuum cleaners, most of which cannot even negotiate terrain elevation (a.k.a., steps)? This is the ultimate in laziness, and though it may be useful, I’d argue a person could do a much faster and better-quality job sweeping in a few minutes.
Smart TVs & Speakers
A lot of people including me have smart TVs. Like cell phones, they’ve become ubiquitous in many people’s homes. In fact, try to find a TV nowadays that isn’t a smart TV! You might have a hard time doing so. You connect them to your home Wi-Fi network and “Presto,” now you’re able to stream TV shows and movies from the Internet through service providers like Netflix and Hulu (and many more). If you’ve got a smart TV, why not also buy a soundbar or speaker system that connects with your smart TV and remote control right? I mean, the more the merrier right? Why not. It’s all fair in love and war when it comes to entertainment. Better watch out for the neighbors trying to steal your Internet bandwidth though. You might want to set up a unique and strong password on your Wi-Fi router.
Video Game Consoles
Most video game system consoles are now meant to be connected to the Internet, though they usually allow for non-connected limited play as well. This enables manufacturers to sell more video game content to players directly over the Internet to their living room, and players can interact online with one another while they play. I am old now, but I still have fond memories of Atari, Nintendo, Sega Genesis, and PC games. In recent years, cybercriminal gangs, hacking crews, and even terrorist groups have used video game platforms like Xbox Live chat rooms to communicate in an attempt to maintain low profiles online.
Driverless Cars (yes, that’s a thing now)
Tesla and several other car manufacturers are testing driverless cars. It is predicted that in the future these cars will be able to fly. I don’t know though, all of this seems kind of dangerous to me. These machines run on computer systems that are coded by humans. Humans are prone to making mistakes and though this technology is supposedly rigorously tested before it is implemented, we have already been witness to a few instances where driverless car accidents have resulted in human fatalities. Additionally, these Internet-connected cars have been proven to be hackable. Security researchers have caused Internet-connected cars to suddenly lock up the brakes or veer off the road. Imagine driving your family along the highway and your vehicle being veered off a cliff… Not a pleasant thought. Again, some things are better left disconnected from the Web.
Smart cities are coming. In some places, they’re already here. Los Angeles recently joined the Smart City Intelligent Internet of Things Integrator (I3) Consortium. This is a major undertaking for any city and, well, one can imagine the taxpayer implications of trying to make this a reality. Boy, oh boy, I bet the IoT manufacturing companies and facilitators are all over this like stink on poop. How many billions of dollars will this eventually end up costing a city as large as Los Angeles? I guess time will tell. One thing is for sure though: expect your property and sales taxes to be steadily increased to support it. I can see how in terms of city management a smart city may seem more efficient, but once you factor in the costs of implementing, maintaining, and upgrading the smart technology over time it is going to be unsustainable. Additionally, what happens when large portions of a city are affected by natural disasters like flooding or hurricanes? Smart city technology that is lost due to regularly occurring natural disasters would carry with it an astronomical cost of replacement.
I don’t know too many people who own robots, but that day is rapidly approaching where it will be a common item in most households. A robot to wash dishes, a robot to walk the dogs, a robot to clean the house/apartment, etc. How much of our day-to-day existence can we outsource to “things” or smart technology? I definitely think that there is a balance to be achieved in this process. This generation of human beings has more technology at their fingertips than any before it, yet things like physical fitness and social interaction have regressed in some ways.
Nope. Smartwatches are cool and all but they are yet another one of these IoT devices that personally I won’t buy. If you’ve ever ruined a watch after you accidentally smacked it into something like a wall or desk, then you understand the pain of having to pay to replace it. And no, I will not buy insurance for a smartwatch.
First-world developed nations are installing a mesh network of CCTV Web-based cameras that is eerily Orwellian and a total privacy nightmare. It’s already at the point where people cannot step outside of their homes without being surveilled by some camera system somewhere. These camera systems can be used by government agencies, law enforcement, and even the businesses that install them to spy on people. However, often they are not patched, which leaves them susceptible to all manner of exploits and malware that can be used to enslave these devices in botnets that later can be used to conduct massive Distributed Denial of Service (DDoS) attacks against unlucky targets. Just look at what happened to Dyn with the Mirai botnet. Sometimes though, these connected camera systems have proven invaluable in solving crime mysteries, so I do think that there is some value in having them. However, when massive swaths of CCTV cameras are combined with facial recognition software for identifying people, then I think we have crossed the line between utility and the reasonable expectation of privacy to a certain extent. This post is not so much about privacy though as it is about IoT security.
Printers/Copiers/Fax/Scanners — Multi-Functional Devices
MFDs have been around for quite a long time, but guess what? Most are connected to the Internet, which makes them part of the Internet of Things. What may be even more surprising is the fact that most of these MFDs are not regularly patched or maintained, which leaves them susceptible to vulnerabilities and presents a potential attack vector for attackers.
Are you prepared for pilotless airplanes? Well, it’s coming in the future. Something tells me humans will never trust robots enough to not have a human pilot onboard the aircraft though. If the robot or computer systems malfunction, there still needs to be a person to manually override control systems and land the plane safely. In addition to robots flying/landing planes, aircraft technology is being developed that will allow planes to be remotely controlled by the year 2025.
Whoever thought it would be a good idea to connect military weapons systems to the Internet was not smart. We’ve already seen high-tech U.S. drones get hacked by Iranian hackers mid-flight as far back as 2011 (RQ-170 Sentinel stealth recon UAV) and safely landed in Iran. Recent reports have provided evidence that Iran has been able to successfully hack 7 or 8 U.S. drones that were used to conduct reconnaissance, surveillance, and bombings in Iraq and Syria (Sputnik News, 2019).
What happens when an Internet-connected fighter jet carrying a nuclear bomb payload is hacked mid-flight and diverted to a hostile nation? Is this something that every terrorist group in the world is probably having wet dreams over? I think so. Especially since the U.S. Government Accounting Office (GAO) released a scathing findings report about how easy it is to hack into U.S. Defense weapons systems. The U.S. has, as of this point in time but perhaps not for much longer, the most sophisticated and technologically advanced military in the entire world. I should know having spent the better part of my adult life serving in the Armed Forces in a technical capacity. “DoD systems are also more connected than ever before, which can introduce vulnerabilities and make systems more difficult to defend” (GAO, 2018).
The scary part of this equation is that the people conducting cybersecurity testing of these connected weapons systems are not typically technically-skilled enough to know what to look for. Some are, most are not. Been there, done that. Got the t-shirt as the saying goes. Weapon systems are under tight project time deadlines and budgetary constraints that often limit proper testing of security controls and software upgrades which is one of the reasons that nuclear missile systems are still running very old legacy software code that is very expensive and time-consuming to replace. Of course, that can sometimes be an advantage also but this is what we call ‘security through obscurity’ and it is only a matter of time before those types of insecure cloaks of invisibility are exposed and exploited.
When I worked in the Defense Industrial Base complex, it was not uncommon for me to encounter weapons systems in which the developer had simply drawn a line in the sand and said no more upgrades beyond this point in time so that they could test it and begin production. However, those same systems usually got mired in bureaucratic approval processes, and so you would have this massively expensive weapon system years in the making that hadn’t been patched in several months-to-years that would be hacked in a matter of minutes once connected to the Internet, where vulnerability scans are a constant occurrence. Hide it behind a firewall you say? Sure, see how that works out for you with a mobile weapon system that is often its own Wi-Fi hot spot.
Industrial Control Systems
It is somewhat disturbing to know that there are so many different types of Industrial Control Systems (ICS) connected to the Internet that are not patched regularly, which means that they are totally and utterly vulnerable to several different types of exploits. There are attackers and nation-state sponsored Advanced Persistent Threat (APT) groups that specialize in targeting ICS with custom malware exploits such as Triton. Yet for some reason, we continue to think that connecting these types of critical infrastructure systems to the Internet is a good idea. Not for security reasons, but for the sake of convenience and efficiency. It boils down to the efficiency concept of doing more with less. We can accomplish so much more with less if we connect everything to the Internet, automate it, and have the system event logs feed into a Security Incident Event Manager (SIEM) application that can be outsourced for monitoring.
Industrial Control Systems / Critical Infrastructure
Apparently, we did not learn our lesson with computers or the Internet of Junk, oops, I meant the Internet of Things (IoT) after the Mirai botnet Distributed Denial of Service (DDoS) attacks back in October 2016. Now there is the great Industrial Internet of Things (IIoT) which has some folks concerned about the security implications of Internet-connected devices that are used within Industrial Control Systems.
I continue to be amazed by just how many things are connected to the Internet. In our haste as a modern technological society to connect as much stuff as possible to the Web, I sometimes wonder if we stopped to consider the security implications of connecting certain things to the Internet such as Critical Infrastructure (CI) and Industrial Control Systems (ICS)? What advantage does this provide to society that is worth the immense risks of it being hacked and taken offline or bricked? I’m not a fan of Fear, Uncertainty, and Doubt (otherwise known as “FUD”), but I’ll tell you that this doesn’t seem like a smart strategy here. I wonder how well we have tested this concept.
Triton is the world's most murderous malware, and it's spreading
More Connected Devices = Greater Attack Surface Area
Have you ever heard the phrase, “Less is More”? One of the simplest ways to harden any type of computer system is to remove all unused or unnecessary applications. Doing this decreases the attack surface, giving attackers fewer potentially vulnerable points of entry into a system through unpatched or unknown application code flaws. The great IoT revolution is enabling device compromise on an unprecedented, never-before-seen scale. It was only a matter of time before we saw massive Internet outages due to malware-infected IoT devices whose bandwidth is harnessed by bot herders to target strategic IP addresses. Dyn was epic, and it was only slightly problematic. Understanding how DDoS attacks work, and that they can be perpetrated at every one of the 7 layers of the Open Systems Interconnection (OSI) Reference Model, puts the IoT security threat into a slightly more critical context.
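As an added example (not code from the original post), here is the kind of detection a defender can run over router flow logs to catch home IoT devices behaving like the Mirai bots that hit Dyn: outbound telnet scanning for more victims, and flooding of a single target. The record format, thresholds, RFC 1918 prefixes, and sample flows are all constructed for the example.

```python
"""Flag IoT devices on a home LAN that behave like botnet members, from flow
records (ts, src, dst, dport) exported by the router.  Two behaviours:
  * scanning: many distinct external telnet targets in a short window, the
    way Mirai-style worms hunt for devices still on default credentials;
  * flooding: a burst of flows to one external target, consistent with
    taking part in a volumetric DDoS.  All sample flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

TELNET_PORTS = {23, 2323}
SCAN_WINDOW_S, SCAN_DISTINCT_DSTS = 60, 20   # >=20 telnet targets in 60 s
FLOOD_WINDOW_S, FLOOD_FLOWS = 10, 200        # >=200 flows to one dst in 10 s


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds
    src: str
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    """RFC 1918 prefixes assumed for the home LAN (constructed assumption)."""
    return ip.startswith(("192.168.", "10."))


def _windowed_hit(times, window, pred):
    """Slide a window over sorted timestamps; True once pred(start, end) holds."""
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if pred(start, end):
            return True
    return False


def find_telnet_scanners(flows):
    """Internal hosts reaching >= SCAN_DISTINCT_DSTS external telnet hosts in SCAN_WINDOW_S."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport in TELNET_PORTS and is_internal(f.src) and not is_internal(f.dst):
            by_src[f.src].append(f)
    scanners = set()
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        distinct = lambda s, e: len({f.dst for f in fl[s:e + 1]}) >= SCAN_DISTINCT_DSTS
        if _windowed_hit([f.ts for f in fl], SCAN_WINDOW_S, distinct):
            scanners.add(src)
    return scanners


def find_flooders(flows):
    """(src, dst) pairs with >= FLOOD_FLOWS flows inside FLOOD_WINDOW_S."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            by_pair[(f.src, f.dst)].append(f.ts)
    flooders = set()
    for pair, times in by_pair.items():
        times.sort()
        if _windowed_hit(times, FLOOD_WINDOW_S, lambda s, e: e - s + 1 >= FLOOD_FLOWS):
            flooders.add(pair)
    return flooders


def constructed_sample():
    """Constructed flows: streaming TV (benign), camera scanning telnet,
    light bulb flooding one target, NAS touching 3 telnet hosts (benign)."""
    flows = [Flow(1000 + 2 * i, "192.168.1.10", "203.0.113.5", 443) for i in range(50)]
    flows += [Flow(1000 + i, "192.168.1.20", f"198.51.100.{i}", 23) for i in range(25)]
    flows += [Flow(2000 + i // 50, "192.168.1.30", "192.0.2.9", 53) for i in range(250)]
    flows += [Flow(3000 + i, "192.168.1.40", f"198.51.100.{200 + i}", 2323) for i in range(3)]
    return flows


if __name__ == "__main__":
    sample = constructed_sample()
    print("telnet scanners:", find_telnet_scanners(sample))   # {'192.168.1.20'}
    print("flooders:", find_flooders(sample))                 # {('192.168.1.30', '192.0.2.9')}
```

On a real network the same two checks would be fed from NetFlow/IPFIX or firewall connection logs, and a hit is a reason to pull the device off the Wi-Fi and re-flash it, not merely to reboot it.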
“I Lost My Phone!! Now What?” or My Favorite, “Oh No, We Lost Internet!! Now What?”
Oops, you lost your phone or, worse, it was stolen! Now, what to do, because it was the key to unlock your entire life? Hopefully, you’ve enabled screen lock, full disk encryption, and remote wipe on your mobile device if you’re not able to GPS locate it. For those who have their entire lives on their smartphones, I feel for you when that thing gets lost, damaged, or stolen. If your smartphone is your second factor of authentication, as it is for many people, that is going to make logging onto your favorite websites impossible until you can get that straightened out with a new phone and the websites in question, or potentially a long wait for the police to recover your device (Hint: they probably have more important crimes to investigate). It’s not an ideal situation, so have backup codes readily available for websites you need to be able to access should your device not be available. You’ll also need to quickly change any passwords that you had your mobile device remember. A password manager is the perfect tool for this, but let’s hope you didn’t have your device save the master password also. Otherwise, it could be a very bad day for you.
What happens when you are so connected that nearly everything you depend on is reliant on electricity and an Internet Service Provider (ISP) who controls how much bandwidth you receive for your measly $45 a month payment? Potentially, catastrophe. All it takes for the entire Internet of Shit to come crashing down, at least temporarily, is a power outage or some type of ISP Internet outage. Those are typically rare events, but when they do happen they sure are inconvenient, right? Oops, there’s that convenience word again. Hopefully, you’ll still be able to get through your Internet-connected front door lock to toast some bread in your Internet-connected toaster oven. There is so much more I could write on this topic, but for brevity’s sake I’ll stop here. Meanwhile, there are more and more shitty Internet-connected devices being manufactured and sold around the world. Just say no to IoT shit. For more on this subject, I recommend following @internetofshit on Twitter. There’s usually some juicy reading there. And, honestly, ask yourself next time you think about purchasing an Internet-connected device, “Do I really need this shit?” I’ll bet the answer is “No” 100% of the time. Know the difference between “wants” and “needs.”