In the past few years, we’ve witnessed the proliferation of IoT, also known as the Internet of Things, or “Smart” devices. These devices range from personal assistants such as Amazon Alexa or Google Home to devices that serve no real use such as WiFi-enabled “Smart Refrigerators” and “Smart Toasters.” There’s even the infamous smart bag-squeezer Juicero which – thankfully – failed spectacularly.
As these new “Smart” devices make their way into the consumer home, they bring with them a massive number of privacy and security concerns. Some devices may be configured intentionally to spy and gather data about you, to be used for who-knows-what later. Other devices may be unintentionally configured to be insecure, with their ability to connect to the internet being a weakness that allows others to hijack control of them and incorporate them into their botnet or invade your personal life.
And you thought someone watching your webcam was scary.
The Problem with IoT
The truth is that not everything needs to be connected to the internet or be a “smart” device. Sure, a smartphone or smart TV might not seem too extraordinary, but why in the world would you want a WiFi-enabled Toaster? Who in their right mind would actually use a smart refrigerator to check the weather when they could just check their phone? There are far too many of these new, shiny, internet-connected devices being created without a non-redundant, real and practical purpose.
IoT devices are also commonly misconfigured and run very vulnerable, outdated versions of embedded software systems. Many of these systems are some variation of Linux with the default usernames and passwords intact. Although many products recommend that users change the default credentials they come with, very few users actually do. Other products don’t even have the option to change their default credentials and require a bit of technological expertise if you want to change them.
Needless to say, leaving a home device with default credentials still configured is a very bad idea. For example, what if that device was an indoor security camera or even the infamous baby monitor? What if it was a smart lock on your front door? How can you be sure that Alexa isn’t recording everything you say? How can you tell that your cameras haven’t been compromised by a script kiddie, potential blackmailer, or even a vengeful ex? Can you even trust the company that made the product? How do you even know if Google is any more trustworthy than an unknown Chinese company with an unpronounceable name?
Some devices are incorporated into large botnets, which are then used to perform DDoS attacks and distribute spam emails. Some can even be configured to mine cryptocurrencies such as Bitcoin and Monero at the expense of your power bill.
There’s no real off-the-shelf solution to secure all of your IoT devices. Rather, consumers should use common sense when purchasing and using these new devices. Change the passwords of any new smart device you purchase; this will make it drastically harder to hijack and may force any would-be attackers to move on to a more vulnerable device. Avoid purchasing any IoT devices that don’t allow you to configure their security settings, unless absolutely necessary – in fact, avoid purchasing any unnecessary IoT devices in general.
The Internet of Things is a great concept in theory – an interconnected world of smart devices that can predict and attend to your everyday needs and make your life easier. However, the real world is far less ideal and not only are smart devices a major privacy concern, but they are also quite useless in most contexts. To this day, I still have yet to find a use for a “smart” toaster other than remotely heating slices of bread.