Today, Tuesday 10 February, has been declared “Safer Internet Day” – a day for all of us to work together to “create a better internet together”.
A noble cause, and one that WeLiveSecurity strongly supports.
But you’re probably fed to the back teeth with articles from us telling you to use unique hard-to-crack passwords on all of your online accounts, to disguise your internet browsing with VPNs when using public WiFi access points, and to be wary of unsolicited emails telling you that UPS has failed to deliver a package to you and can you just double-click on the attachment to receive more details…
So, instead, we thought we would talk about something a bit different.
Because every day we are sharing tips with you about how to better secure your computers. But what’s changing is that more and more devices are, almost without many of us even noticing, sneakily having computers embedded into them. And, if you and the vendors who build them are not careful, they could open avenues for a whole new range of internet attacks.
They call it the “Internet of Things” – the myriad of so-called “smart” devices that surround us in our everyday lives that are, increasingly, taking advantage of internet connectivity.
And the breadth of “things” is wide-ranging.
It seems just about everything and anything is eager to jump onto a WiFi connection – whether it be smart home thermostats, lightbulbs or ovens that you can turn on remotely as you approach your home after a long day at the office, internet-enabled fridges that can work out what needs to be ordered next from the supermarket, baby monitors, cars or even medical implants helping keep the sick alive.
More and more, you’re going to hear people talking about the “Internet of Things” (or its ghastly acronym “IoT”), extolling the virtues and advantages of having internet-enabled gadgets and gizmos filling up your house.
In some cases, of course, the advantages are dubious – for instance, the benefits of having an internet fridge have been convincingly and thoroughly debunked for anyone who spends any time thinking about it rather than being swayed by a glossy sales pitch.
But other IoT-devices could genuinely make our life that little bit easier.
A motor vehicle that can communicate with other cars to find out where the travel snarl-ups are? That sounds very useful.
Or a tumble-drier that can send diagnostic information to a customer service team about how it has gone wrong, and maybe even download a software fix, sounds definitely handy.
Or an internet router that not only helps you get on the internet, but can also download its own security updates, would surely save time and protect many.
Right now I have a letter on my desk from the manufacturer of my car, telling me that I need to ring my dealer and book an appointment to bring it in so they can apply a software patch for what sounds (to my non-mechanical ears) like a relatively unimportant technical issue.
How much better would it be if I could press a button on my dashboard and download a patch just like I can for my desktop computer? Or, even better, if the car could download an automatic patch as just occurred for two million luxury BMWs that were found to be less-than-resistant to carjacking hackers?
But there is a huge problem with many of these internet-enabled devices, whether they be cars or something else around your house or person. And the problem boils down to this: many of the vendors either know nothing about how to operate securely on the internet, or they simply do not appear to care.
The manufacturers realise that they will sell devices and gadgets based upon their ability to do funky internet-enabled things, *not* because they have been built with security in mind. After all, for most people, being told that the device has been hardened and secured to *not* do things is a turn-off; they want to know what it *can* do.
That’s why Google Nest thermostats have been hacked, LED smart bulbs can be zapped by malware, hackers can remotely frighten your baby in its cot, routers have been exploited for DDoS attacks, and expensive Tesla motor cars can have their doors hacked open.
The Internet of Things, love it or hate it, is here to stay.
You can complain all you like about devices’ lax attitude to security and privacy, but the general public are (most likely) going to go ahead and embrace these gadgets with open arms regardless. Because they’re “cool”.
If you want to do something for Safer Internet Day, make it the day that you decided to take a stand against those manufacturers and developers who fail to take device security seriously.
As many millions more devices leap onto the internet, with embedded computers inside them that can be exploited, there’s a real need to ensure that manufacturers know that we *do* demand safety and security to be built in from the beginning – not left as a hastily pushed-out patch when the inevitable screw-ups happen.
That means no more dumb “smart” devices shipping with default passwords or easy-to-guess open ports, no more software that “does the job well enough” but goes no further for protection.
Because, don’t forget, the Internet of Secure Things isn’t just going to help protect the contents of our fridge. It’s also going to protect the cars that we travel down motorways in, and the medical implants that keep our loved ones alive.
If enough care isn’t taken to ensure that they are properly secured, people’s lives are going to be lost.
You can read more about threats posed by the “Internet of Things”, as well as much much more, in ESET’s recently-published report: “Trend & Predictions for 2015”.
by Graham Cluley, We Live Security