The "Internet of Things", phrase used when a ordinary "dumb" device is connected to the internet to make it a "smart" device. From coffeemakers, and lightbulbs to door locks and heat pumps. For some more examples of existing IOT products have a look here. While controlling some things of your daily life remotely over the internet seems convenient I see it as being a gimmick with huge security and privacy issues. So I write this blogpost outlining how IOT can be abused and show some examples where it already has happened in the past.
Baby monitors and security cameras
More and more stories are popping up of parents finding out that people have been watching and talking through internet connected baby monitors. A recent security study discovered a severe lack of security in all the models they tested.
So you want some cameras, either for security or just to see who is at the door but you think it is interesting to see the video feed while you are at the office. The following scenario might be unlikely to happen but that doesn't meant it won't. You now provided a video feed where someone can remotely track people coming and going form your house and analyse your behaviour. A skilled hacker could even program motion detection for the video and timestamp any activity. No more stake outs targeting one location at a time. Just a computer monitoring hundreds of camera feeds, discovering patterns in your lifestyle and determining the best time for breaking in. A semi digital organised crime.
What about some other damage that can be done remotely. While you may think it to be convenient to turn your heat pump on 30 minutes before arriving home, a hacker could do the same. How are you going to explain to the power company that it wasn't your doing that the heat pump was on while you where on holiday?
Is it worth it?
Is it really important that you have a mattress liner that records your sleeping habits in the cloud, or being able to turn your coffee machine on while you're in the bus on your way home? Software security is not easy. Therefor we can't rely that every IOT product we buy will have strong security measures in place. With every added device you provide a new attack vector into your private life.
Tips for IOT devices
If you do use or plan to use internet connected devices I have a few tips for you:
George Timmermans, Research Toolmaker, Software Engineer and Tinkerer