Your IoT Devices Can Be Hacked. Here’s What We Should Do About It.
Where there is the internet, there is malware. As we start to bring connected lightbulbs, washing machines, and refrigerators into our homes, that relationship could be more dangerous than ever.
Last week, the Silex malware gave us a fresh glimpse into what it means for our “internet of things” (IoT) devices to become the target of a major attack, rendering them completely useless. Silex invisibly wipes the firmware on affected devices, not unlike what we saw with the BrickerBot attack in 2017 or the Mirai botnet, which produced record-setting denial-of-service attacks as hundreds of thousands of connected webcams, routers, DVRs, and other devices became infected. While this may not seem like a huge deal to you now, the IoT market is large and growing; in the future, as we come to rely on internet-connected devices for everything from our heat to our showers, an attack like this could be ruinous to millions of households around the world.
We’re accustomed to our computers occasionally being infected with malware, which we can usually clean up with some antivirus software. But what do you do if the virus is in your smart lightbulbs? Or your smart thermostat? We don’t really think of these devices as being “computers,” but they use operating systems just like your iPhone or PC.
Right now, there aren’t many options for consumers like you and me. It’s time to ask why.
Silex exploits devices running the open source Linux operating system, which the majority of IoT devices use. Many IoT manufacturers don’t build their own operating systems, because doing so would be expensive and time-consuming. Linux is free. It’s a no-brainer, right?
Well, not quite. The cost of “free” means manufacturers aren’t necessarily on top of their software, because they didn’t need to develop it themselves. It’s an easy solution that facilitates seven pages of “smart lightbulbs” on Amazon, many of which are from companies you’ve never heard of. Some manufacturers may not have the experience or money to configure Linux — or any of the associated software — correctly. Nor do they want to maintain their products long-term through regular software updates. Sometimes, they simply can’t update their hardware remotely due to poor software implementation, leaving thousands of devices vulnerable to attack.
Every day there’s a new connected category coming online, from fridges to stove knobs, and every device is yet another potential attack vector.
Because these devices obscure the operating system away from the user — they generally don’t have screens or keyboards, after all — it’s hard to inspect what’s going on, let alone take matters into your own hands. And while a massive company like Apple or Microsoft has a natural incentive to provide operating system updates to millions of computers around the world, it may be less clear to Generic LED Wi-Fi Lightbulb Factory why they should maintain and update the software in their particular version of Linux, assuming they even have the staff to support it in the first place.
As more of these devices come into our homes, whether we like it or not, how will we keep tabs on their behavior? It’s time for the IoT to get an old-fashioned antivirus scanner, a firewall, or at least some way to track what’s going on behind the scenes.
I’ve always wondered: Are my lights spying on me for the manufacturer, infected with a virus, or are they innocent helpers, simply doing what they’re told? I have no idea what my smart TV sends back to Samsung, nor do I really understand what Philips Hue knows about me. I’m certainly not sure if either of these devices is secure to begin with.
What can we do?
Symantec, an antivirus juggernaut, developed a physical router called the Norton Core that tried to solve this problem.
The router monitored connected devices and alerted users about problems or suspicious activity — but the company discontinued it after just months on the market due to lack of demand. (Consumers were apparently uninterested in paying a monthly subscription on top of the hardware purchase.)
The Norton Core was a good idea, too early to the market. This problem is still relatively new, and it only affects a small subset of people who have connected several devices in their homes to the internet. Even then, so few major exploits have happened — thus far — that it’s hard to justify an additional cost to protect against threats.
Eero, the Wi-Fi startup that was acquired by Amazon in 2018, offers basic features that help detect suspicious activity from smart devices and even promises that it can help prevent them from joining botnets — like the one that used millions of hacked cameras to take down websites — but it stops short of auditing the device’s traffic or checking its vulnerability to malware.
One piece of software gives me hope, however. It’s called the Princeton IoT Inspector. It’s a free, open-source tool made by Princeton researchers that helps reveal which devices are the most “talkative” on your network: There are graphs showing whether or not a device uses encryption, contacts tracking servers, and more. It almost feels like flipping a light on in a dark room.
You can’t get alerts about suspicious activity yet, but the tool does help you understand if something might be amiss behind the scenes. Before this tool, you had to rely on Samsung’s word that it wasn’t tracking your every move with its TVs — but now you can actually check.
The problem, unfortunately, is that most people aren’t going to be able to use this tool because it requires expert-level networking knowledge to set up. Many don’t know that they should care in the first place. It should be dead-easy to keep an eye on our devices and ensure they’re secure, but to get there, security features need to be built into things we’re already using.
The Google Wifi router, for example, would be the perfect place to help surface suspicious activity. It’s already in millions of homes around the world, because it’s so simple to set up and manage through a smartphone app. Adding IoT monitoring would make security accessible to people without adding an extra device or installing extra software.
Whatever the case, it’s clear that we’ll need something better soon. Every day there’s a new connected category coming online, from fridges to stove knobs, and every device represents yet another potential attack vector for malware. In many sectors, it’s becoming hard to avoid the connected option — good luck getting a TV that doesn’t connect to the internet these days — making the problem all the more dire.
The only way forward is taking control of our home networks and getting more powerful tools to help us see inside what’s happening with our devices. The question, still, is who will step up to the plate and help fix the problem.