Opinion: the growth in connected devices in our homes is causing increasing
safety and security concerns
By
<https://www.dkit.ie/regulated-software-research-centre/contact/meet-team/dr
-gilbert-regan> Gilbert Regan, <https://www.dkit.ie/> Dundalk Institute of
Technology
We live in an increasingly interconnected world. It is reported that the
number of connected devices will
<http://technology.ihs.com/596542/number-of-connected-iot-devices-will-surge
-to-125-billion-by-2030-ihs-markit-says> increase by 12% per year, from 27
billion in 2017 to 125 billion in 2030. In our smart homes, it is not just
our computers and mobile phones which connect to the internet. Fridges,
ovens, cameras, speakers, thermostats and lights can be connected so they
can act upon your command and/or send you information. Even if connected
devices don't interoperate, they can be on the same network and so affect
each other.
The range of smart devices continues to grow. An American company has
developed a <https://www.cookinggizmos.com/smalt-smart-salt-dispenser/>
smart salt dispenser with a Bluetooth speaker and mood light. This dispenser
is also compatible with Amazon Alexa and even allows you to dispense salt
using a smartphone.
But this growth in device connectedness is causing increasing safety and
security concerns because these devices are generally not well protected. It
is the connecting of these devices that makes them so vulnerable. For
example, a hacker could possibly gain access to your smartphone through your
smart salt dispenser because they are connected.
<https://www.goodreads.com/review/show/2501832155> Anything connected to
the internet can be hacked, and, as everything is getting connected, this
means that everything can be hacked. There are numerous examples of hackers
downing networks, crippling infrastructure and even putting human lives at
risk, including the
<https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-te
en-scammers-and-cctv-cameras-almost-brought-down-the-internet.html> Mirai
Botnet and
<https://www.csoonline.com/article/3227906/what-is-wannacry-ransomware-how-d
oes-it-infect-and-who-was-responsible.html> WannaCry attacks. In 2016, the
Mirai malware caused infected computers to continually search the internet
for vulnerable devices and then use known default usernames and passwords to
log in and infect those devices with malware.
The WannaCry attack in 2017 encrypted computer data making it impossible for
users to access that data and then demanded ransom payments in order to
decrypt the data. The attack was estimated to have affected more than
200,000 computers across 150 countries, with total damages ranging from
hundreds of millions to billions of dollars. The NHS in England and Scotland
<https://www.bbc.com/news/technology-41753022> may have had up to 70,000
devices infected, including computers, MRI scanners and theatre equipment.
There are a couple of technical reasons why connected devices are generally
not well protected. Connecting devices increases the number of different
points where an unauthorised user can try to enter data or to extract data
from a network. This increased attack surface increases the likelihood of a
vulnerability being exploited. Another reason is that manufacturers don't
always know in what configuration or in what environment their device will
be applied. This makes it difficult for development to ensure safety and
security when their devices are connected to devices from different
manufacturers.
An insecure internet can be in the interests of both governments and large
corporations
There are also business-related reasons for insecure connected devices.
First, there is the quality, cost and time to market triangle. The growth in
connected devices comes from manufacturers wanting to achieve a competitive
edge. Achieving a competitive edge in a fast moving market usually means
attaining the goals of being "early to market" and "reasonable cost". This
means that quality around safety and security is not always to the fore when
developing internet enabled devices.
A more sinister reason for the insecurity of connected devices is that an
insecure internet can be in the interests of both governments and large
corporations. Corporations such as <http://facebook.com/> Facebook and
<http://amazon.com/> Amazon offer secure platforms as long as it is not
secure from them. They collect and store your personal data, and then infer
your likes, dislikes, interests and so on, in order to direct personalised
adverts. This surveillance data underpins the business model of the
internet.
In December 2018, an
<https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html>
investigation by the <https://www.nytimes.com/> New York Times showed that
Facebook shared access to users' data with other tech firms, including
Amazon, <http://apple.com/> Apple, <http://microsoft.com/> Microsoft,
<http://netflix.com/> Netflix, <http://spotify.com/> Spotify and
<http://yandex.com/> Yandex. Examples given included allowing other
companies to read users' private messages and to see the names, contact
details and activities of their friends. Damian Collins MP, chair of the UK
Parliament's Digital, Culture, Media and Sport Committee,
<https://www.bbc.com/news/technology-46618582> told the BBC that Facebook
"do reward companies with access to data that others are denied, if they
place a high value on the business they do together. This is just another
form of selling"
Similarly, it can be in government interests (think national security
agencies) to have the ability to break into "securely" connected devices.
They can use spyware to spy on journalists, political activists and
opponents among others, mainly for reasons of social and political control.
In extreme cases, governments such as China use social media platforms to
<https://www.rte.ie/brainstorm/2018/1211/1016480-is-your-social-credit-posit
ive-or-negative/> spy on its entire population. Perhaps more worryingly,
governments have been accused of cyberwarfare. In 2018 the US and Uk
governments
<https://www.ncsc.gov.uk/news/joint-us-uk-statement-malicious-cyber-activity
-carried-out-russian-government> claimed that the Russian government was
exploiting network infrastructure devices, such as routers, to lay the
groundwork for future attacks on critical infrastructure such as power
stations and energy grids.
The danger of interconnected devices is recognised by the European Union who
fund research projects aimed at finding solutions to the technical problems,
including <http://deis-project.eu/> Dependability Engineering Innovation
for Cyber Physical Systems. Involving <https://www.dkit.ie/> Dundalk
Institute of Technology and <https://www.lero.ie/> Lero, it aims to develop
a solution for improving the safety and security of systems or devices
connected over the internet.
<https://www.dkit.ie/regulated-software-research-centre/contact/meet-team/dr
-gilbert-regan> Dr Gilbert Regan is a postdoctoral researcher at the
Regulated Software Research Centre at <https://www.dkit.ie/> Dundalk
Institute of Technology and at <https://www.lero.ie/> Lero, the Irish
software research centre
