The proliferation of Internet of Things (IoT) devices has allowed us to do many things we had not dreamed of. Forbes predicts that the number of these devices will exceed 11 billion by 2018, not counting phones and computers. We can now order laundry detergent with one click of a button, measure the temperature around our house, and turn on all the lights with our mobile apps, all thanks to connected devices.
The future seems bright and convenience-filled for people that know how to use technology. But if it sounds to good to be true, it generally is. The IoT case is no exception and has similar cautionary tales. As soon as your baby-monitor steals your bank information or your fridge hacks into your camera to publish your conversation online, a more sinister reality emerges. A quick search for IoT hacks on Google is enough to make you want to consider disconnecting everything from the Internet; which, by-the-way, may not be an unreasonable reaction.
As you would have guessed, with many companies offering IoT devices, the level of security offered varies widely. Most devices cannot be inspected by consumers for their stance on best practices. For example, while phone carriers insist on device certifications, the marketplace for home wireless devices has no standards and is a wild-west with no rules. Home devices are easily hacked and added to bot-nets, remote controlled groups of robot devices that are used for any purpose their masters desire. From mining for bitcoin, to launching denial of service attack against other parties on the network, these bot nets wreak havoc on the Internet every day.
Some speculate that it is conceivable that IoT based bot nets may become a factor in shutting down the Internet for the average person. Why are IoTs being targeted by hackers you wonder?
- Easy hacks as embedded devices are easily exploited (e.g., default credentials, exposed services)
- Most devices are on 24/7/365. With the power always on, they can always be targeted.
- Many manufacturers have no or low security standards. Passwords are often root:root and admin:admin and few end-users change the defaults.
- Malware can easily change default passwords, preventing a user from logging in or other attackers taking control
- Devices are rarely monitored and poorly maintained, allowing hackers to easily shut down or enslave large numbers of IoT devices
- Low cost of entry for attackers as control of thousands of devices can occur for nearly zero cost
As a device manufacturer, you can rest assured that your devices will be targeted the very second they hit the market, if not sooner. Networks are being scanned continuously and the number of malware targeting IoT devices has doubled in 2017 alone, and there is no expected change in this trend.
Easy to-be-guessed passwords aside, the main element that makes IoT devices a juicy target is that they can be updated with new software that serves a different purpose. Though in theory this is a good thing as manufacturers are able to fix problems, the issue is that the poor general security makes this rather a burden than a feature. Thus, devices that are connected to the general Internet to check for updates and communicate system statuses are also automatically connected to hackers that can attack them.
However, a new paradigm exists that allows manufacturers to remove the general Internet for this purpose from the equation. At XcooBee we are working on making special purpose SDN (software defined network) available to customers. Customers can control all traffic and endpoints, and they also have control over the address space. Such an address space can include device specific patterns. Since everything is encrypted in transit and at rest, data is not leaked. Similarly, devices cannot spoof or pretend their addresses are different, thus, the risk associated with accepting bad traffic as valid are eliminated.
For manufacturers, the ability to have their devices communicate with them over this network also shows to their customers their higher level of concern for users privacy and security.
If you’d like to explore the private network option, please contact us to participate on this exiting journey.