Ubiquitous hacking and its real-life impact

Do you recognize yourself in the following examples?

As a safety-conscious homeowner, you have installed IP-cameras inside and outside your home to protect your family from burglars. Yet tech-savvy hackers or even script-kiddies could crack your home security system and use it against you. They could spy unnoticed and stake out your property, breaking in when nobody is home.

Additionally, these insecure and hijacked IoT components could be integrated into a botnet, which might then be used to attack and take down third-party servers by flooding them with traffic. So a smart fridge in the US or an IP-camera in Russia – among a myriad of globally dispersed devices – could be used by some cracker to attack a server in China or elsewhere. If not used for malicious attacks, certain components with enough processing power can be incorporated into crypto-mining botnets, while you pay the bills for the increased energy demand.

As a digitally adept parent, you decide to use a smart baby monitor with audio and video to check on your kids at night, instead of a simple audio baby monitor. Do smartness and connectedness equal more security? In the worst case scenario, not only you as parents can watch your kids, but some random person could tune into a live-stream on the internet or darknet.

This dramatic example obviously doesn’t only affect baby monitors, but all kinds of devices, including home assistants, smart mirrors and other camera or audio-equipped systems that you might use at home. Exfiltrated private audio or video data could be used for blackmail or disseminated on the internet.

As a frugal or environmentally conscious homeowner, you might decide to decrease your ecological footprint and minimize your utility bill by using smart metres, smart thermostats, smart lights or smart faucets. Besides wired systems such as KNX, there is a multitude of wireless standards for building automation such as Wi-Fi, Z-Wave, ZigBee and many others. Unfortunately, there is also a multitude of exploitable vulnerabilities in these systems and standards, which is why no system can guarantee absolute security. Due to that fact, there have already been successful attacks on home grids resulting in blackouts.

Bearing these examples in mind, it becomes obvious that successful attacks have far-reaching consequences, such as a loss of privacy, or functionality issues with the smart components within your home network. One weak link such as an unpatched or generally insecure component could be the entry point to the entire connected home system. The consequences of a virtual attack on your cyber infrastructure might have serious implications on your offline life.

Importance of good security practices

Due to that fact, it is of paramount importance that everyday users, facility managers, developers and other responsible people keep an overview of the components being used. They have to know the communication standards, monitor vulnerabilities, engage in diligent patch management and cease usage as soon as a component is no longer supported. But first and foremost each decision-maker has to consider if an additional smart and connected device is truly necessary.

So if you want to profit from the advantages of smart living, you have to start to treat your property like a computer. Smart components in the IoT might differ from conventional laptops and computers with regards to their architecture, operating system, programming, memory and processing power, yet they all share commonalities in their underlying principles.

In consequence, some attack vectors and vulnerabilities within software as well as hardware might be exploited in a similar manner. It doesn’t really matter if you exploit common issues in C code on a smart device or on an ‘old-school’ desktop computer. Additionally, many components in the Internet of Things, smart or dumb, do not have adequate protection with firewalls or anti-malware, which makes them easy prey.

Users should not buy the cheapest devices, and should demand proper maintenance. Furthermore it might be a good idea to completely separate the networks of smart devices and critical devices, such as computers, home servers, network attached storage (NAS) and phones that hold critical private data.

Patching is a tremendous issue, since administrators of large smart properties or connected infrastructure cannot simply remote patch a system and reboot it after a successful update, because there might be vital systems running. Just think about critical infrastructure such as traffic lights, security systems in a prison or airport, medical devices in a hospital and others. Patching lies in the realm of the end-user.

The more systems are used, the more they have to be patched and updated. In consequence, end-users and entities alike have to cope with more complexity, which will require user-friendly solutions without causing any real-life problems. I cannot emphasise the importance of diligent patch management, security advisory monitoring and incident management enough.

Despite continuous advancements in hardware, software and networking standards, it is certain that new vulnerabilities will be discovered and exploited in future. Nevertheless, one should not simply condemn these technological developments, which would be overly binary and ignorant. Instead, one should become aware of the risks, develop mitigation strategies in case of a successful attack, diligently select quality devices, and pay attention to software and hardware maintenance, patch management and additional protection.