The general assumption is that the Internet of Things (IoT) will present some pretty heavy security challenges. The short version: If telecommunications is woven so deeply into the fabric of everyday life, it stands to reason that if its security is compromised, that fabric will be torn a bit, if not ripped to shreds.
To a great extent, this has been based on theory. However, a few recent news items suggest that the dangers are very real today.
The Nest thermostat collects information as it customizes the heating and cooling of the premise in which it is located. This information could give a savvy criminal information on when the house is empty (e.g., changes in temperatures either during daily work/school routines or during vacations) and potentially allow a hacker to tap into other IoT-connected devices and the data that they hold.
Of course, criminals would need access to the premise to compromise the device, and armies of crackers aren’t likely to do that. A more reasonable danger is the distribution of second-hand devices that pass through the hands of the bad guys. And it is a danger far broader than the Nest:
But what if you were looking for a ‘good deal’ and bought your Nest off eBay, Craigslist or at a flea market? An attacker could purchase Nest devices in bulk, infect them and then sell them. There’s no ‘virus’ protection or any way to know if the smart appliance is infected. You’d have no idea there was a persistent backdoor into the Nest’s root file system; there’s no performance impact, so you might never know it was being used for remote exfiltration.
Check Point Software released news on a flaw that could cause problems in customer premise equipment such as Wi-Fi routers, VoIP phones and gateways. The focal point is the CWMP/TR-069 protocol, which is used to manage devices on the wide-area network (WAN). The past tense used in the press release is a bit scary in that it suggests that bad things may already have happened:
Researchers uncovered a number of critical zero-day vulnerabilities that might have resulted in the compromise of millions of homes and business worldwide, through flaws in several TR-069 server implementations.
Cisco, of course, has a tremendous amount of equipment in people’s homes. And, apparently, a tremendous amount of it is dangerous. Infosecurity magazine last month issued an alert focusing on a vulnerability in its wireless gateway products.
The problem, which involves the Web server used, is widespread. It affects four cable modem models and five residential gateways. Cisco claims that it knows of no exploit by crackers and that a software upgrade that addresses the problem is available.
The invasion of the forces of evil into the nooks and crannies of our everyday lives will occur over time. Indeed, it seems to be already happening now.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at [email protected] and via twitter at @DailyMusicBrk.