The Internet is abuzz about rampaging dishwashers, belligerent air conditioning and rogue vacuum cleaners. It’s not marketing for a new sci-fi movie. A security vulnerability was recently discovered in LG’s SmartThinQ automation protocol, which could have put millions of household appliances under hackers’ control.
SmarThinQ was designed to allow for homeowners to control various appliances via smartphone and voice integration with digital assistants like Amazon Alexa or Google Home. The feature was baked in to the majority of new LG washers, dryers, refrigerators, ovens, and robotic vacuums.
A third-party cybersecurity solutions provider, Check Point Software Technologies Ltd., identified the problem. A vulnerability allowed an attacker to create a fake account on the LG site, which could then be used to gain control of all of a customer’s smart appliances.
Although some were nonplussed by the threat of remote laundry infiltration, commentators were quick to point out what was at stake. For example, the cameras enabling automatic vacuums to steer around household objects could easily become a source of remote surveillance. With over 1 million HOM-BOT vacuums sold, it made for a lot of possible digital spying.
LG Electronics responded quickly to the alert, remotely updating the framework. Koonseok Lee, manager of LG’s smart development team, said the company worked with Check Point to “run an advanced rooting process designed to detect security issues and immediately began updating patch programs. Effective September 29 the security system has been running the updated 1.9.20 version smoothly and issue-free.”
It’s a happy ending in this case. Unfortunately, such threats—and worse—are becoming an ever-larger part of the exciting but sometimes scary IoT future we are now entering.
For instance, Shodan, a search engine of vulnerable web cams, returned a globe’s worth of real-time video to journalists investigating it, from shots of empty yards to babies asleep in their cribs. And it is just one of the many surveillance-related security lapses to hit the news. Even a smart thermostat from Nest was found to be hackable within 15 seconds if physically accessible, after which it could be used to spy, steal credentials, or infect other appliances.
As upsetting individual, home-targeted hacks may be, there is wider sphere of IoT security problems that deserve attention. Security issues have been identified in police body cameras, medical devices, automated cars, and industrial command-and-control sensors.
As far back as 2013, it was reported that Dick Cheney disabled the wireless capability in his pacemaker so it wouldn’t be available for terrorist assassination plots. Since then, the potential vulnerabilities in the healthcare sphere alone have been mounting. Experts working about bad actors hacking defibrillators, insulin pumps, and MRI machines to increase dosages to fatal levels, disrupting critical care across entire hospital systems, or tapping minimally protected health monitoring apps to steal valuable personal information.
Sadly, most IoT companies are notoriously lax on security. Vendors often cite devices’ limited onboard storage and cost concerns, as well as market pressure to create and sell a minimum viable product, as reasons they cannot beef up protections. And until recently, many assumed that devices operating behind a corporate firewall—some 95% of the market—were safe.
They are not.
This was proven beyond doubt in February when Windows Trojan was found to penetrate corporate networks, search for connected devices behind the firewall, and then deploy the Marai bot aimed at Linux-based IoT devices. It was used for some of the largest denial of service (DDoS) attacks this year.
Looking at future threats, Arbor Networks discusses recent cross-pollination of DDoS malware and ransomware to predict “multi-stage ransom attacks against corporations using a combination of external DDoS attacks and internally launched DDoS attacks using IoT devices which are already inside the target networks.” At present, these would likely be devastating, as internal resources, including data centers and WAN/LAN infrastructures, are generally not protected against DDoS attacks from the inside.
Manufacturers and regulators are working to address IoT security, but the industry remains the Wild West in many respects. This puts it in all our hands to make good decisions about how we bring IoT into our lives and businesses, issues we’ll discuss in forthcoming posts.
Chris Adams is President and COO of Park Place Technologies. Contact him at email@example.com.