The Hidden Side of the Internet of Things (IoT)

How to protect your data privacy in unprecedented times

Digging in

Imagine walking into your home after a long day. With just a simple voice command, your lights dim, your favorite playlist starts, and the thermostat adjusts to the perfect temperature. Your home has become your personal assistant, powered by the invisible magic of the Internet of Things (IoT). From smart refrigerators to wearable health trackers, IoT devices are seamlessly integrating into our daily routines, offering unprecedented convenience and efficiency.

But beneath the surface of this technological marvel lies a darker reality. Each of these devices, while making our lives easier, opens up a doorway for hackers, data thieves, and malicious software. Every smart speaker, camera, and thermostat that we welcome into our homes also invites risks we fail to consider. With billions of IoT devices connected globally, the very technology that powers our modern conveniences can also turn our personal lives into a playground for cybercriminals.

In an age where privacy is more fragile than ever, understanding the security vulnerabilities of IoT devices is no longer optional, but essential. This project will take you through the rise of IoT devices, popular usages and even more popular vulnerabilities, revealing the unseen threats lurking behind the smart gadgets we trust.

Together, we can strive for a future with more transparency and privacy, and that starts today! By confronting the privacy risks that IoT devices pose, we can better protect our privacy by applying mitigation strategies and prioritizing products with reputable credentials.

2020 Unit 42 IoT Threat Report. (2020, March 10). Unit 42. Retrieved October 23, 2023, from https://unit42.paloaltonetworks.com/iot-threat-report-2020/

National Institute of Standards and Technology. (2020, March 01). Digital Identity Guidelines. NIST. https://pages.nist.gov/800-63-3/sp800-63-3.html

The State of Password Security 2023 Report. (n.d.). Bitwarden. Retrieved December 5, 2023, from https://bitwarden.com/resources/the-state-of-password-security/

The Rise of the Internet of Things

The number of IoT devices worldwide will surpass 64 billion by 2025.

Tech Report https://techreport.com/statistics/hardware-gadgets/internet-of-things-statistics/

From a simple doorbell to the infrastructure of an entire city, IoT has emerged as one of the most pivotal technologies of the 21st century. With projections indicating that the number of active IoT devices will exceed 64 billion globally by the end of 2025, and with continuous growth expected, IoT has transformed modern societies by offering unprecedented convenience and efficiency.

In particular, smart home IoT devices are highly susceptible to security threats. Unlike traditional computer software, smart home IoT devices often lack standardized updates and upgrades, creating a very insecure and vulnerable environment within households.

We know all about the smart doorbells, televisions, watches and thermostats. To reiterate the growth of IoT devices, I want to introduce some devices that blow my mind that are IoT enabled. Some crazy IoT Devices include:

Smart Kitty Litter Boxes: automated devices designed to simplify the maintenance of a cat's litter box. They come equipped with many features including automatic cleaning, odor control, and health monitoring. Absolutely shocking, and it retails for only $700.00.

Smart Toilets: If bidets were not enough for you, just buy yourself a smart toilet. With heated seats, auto flushing, bidet and a warm dryer you almost forget that the toilet is collecting data about you every time you use it!

Smart Toaster: Have you ever wanted to remotely toast your bread from the living room couch? Now you can with a smart toaster! A high-tech gadget designed to make your mornings effortlessly perfect. They come equipped with features like precision toasting, customizable browning settings, and even app controls.

The Oura Ring: Sleek wearables designed to turn you into a sleep and fitness ninja. They come equipped with features like sleep tracking, activity monitoring, and heart rate analysis, all while literally being a ring. The Oura Ring also tracks women's menstrual cycles so precisely it is on par with birth control at a 98% success rate.

Smart Toothbrush: futuristic brushes designed to turn your dental hygiene into a high-tech adventure. They come equipped with features like app connectivity, brushing technique feedback, and even gamified brushing goals. They can also send all this data to your dental hygienist, so no more lying about brushing twice a day every day!

Essentially, the point I am trying to get across is that IoT is absolutely everywhere and that all of these devices introduce a new set of risks into your life and into your home. In the next section, we'll be going over a couple of cases where vulnerable IoT devices that were intended to introduce a new layer of convenience or safety into consumers' lives actually did the complete opposite!

Caitlin Rozario, “10 Weirdest IoT Enabled Devices of All Time | Metrikus,” accessed October 10, 2024, https://www.metrikus.io/blog/10-weirdest-iot-enabled-devices-of-all-time.

The Problem

Vulnerabilities of IoT Devices

Who even wants my data?

Consumers often fail to understand that their data and information are a much greater asset to an organization than their transactions. Many people argue, "Who would even want my information?"

Tech Companies
Tech companies stand to gain significant benefits from voice assistant data, including improved AI and product capabilities that can lead to increased market share and revenue. The valuable consumer insights gleaned from this data drive product development and enable more effective targeted advertising.

Third-Party Vendors
Third-party vendors, such as advertisers and data brokers, can leverage voice assistant data to deliver highly targeted ads, gain consumer insights, and provide analytics services to businesses. This data allows them to improve ad effectiveness and ROI.

Cybercriminals
Cybercriminals, while not legitimate stakeholders, have economic incentives to illicitly access voice assistant data. They may attempt to use this information for identity theft, fraud, or extortion.

Vulnerability Types

Weak Passwords: Many IoT devices come with default usernames and passwords that users rarely change. This makes it easy for attackers to gain unauthorized access. Imagine leaving your front door key under the mat; that's what a default password is like for hackers.

Lack of Encryption: Encryption ensures that data sent between your IoT device and its server is unreadable by anyone else. Unfortunately, many IoT devices transmit data without encryption, making it easy for hackers to intercept sensitive information.

Poor Device Management: Users often lack the tools or knowledge to effectively manage their IoT devices, such as monitoring activity or detecting unauthorized access. Without proper management, devices are left vulnerable, similar to not having a security system in your home.

and so many more...

Reference: “OWASP Internet of Things Project - OWASP,” accessed October 10, 2024, https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10.

Google Nest Case Study:

Google Nest is a line of smart home IoT devices that are susceptible to IoT attacks, with sniffing being one of the most prevalent. Sniffing involves monitoring network traffic, which, if unencrypted, allows capturing sensitive information, thereby compromising confidentiality and privacy. In a study by Acar et al., researchers found that a malicious attacker could identify 90% of a smart home’s IoT device states and actions through passive sniffing. Shockingly, nearly 98% of all IoT devices transmit unencrypted traffic, making them highly vulnerable to such passive attacks. In one instance, a Google Nest camera was hacked, enabling the attacker to access live stream video footage of a family's child and subsequently attempt to extort the family with threats. To enhance security, an ideal smart home IoT device should encrypt all video footage, ensuring that only authorized users have access.

Rapid7. (2015, September 29). HACKING IoT: A Case Study on Baby Monitor Exposures and Vulnerabilities. Kaspersky. Retrieved December 5, 2023, from https://media.kasperskycontenthub.com/wp-content/uploads/sites/63/2015/11/21031739/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf

Nakutavičiūtė, J. (2018, December 18). Hacker terrorizes family by hijacking baby monitor. NordVPN. Retrieved December 5, 2023, from https://nordvpn.com/blog/baby-monitor-iot-hacking/

Mirai Botnet

The Mirai Botnet Attack was a major security breach that exploited vulnerabilities in IoT devices. This attack primarily targeted devices with weak or default passwords, turning them into part of a massive botnet used to launch distributed denial-of-service (DDoS) attacks. Mirai worked by scanning the internet for IoT devices using default credentials, infecting them, and then using these compromised devices to flood targets with traffic, causing severe disruptions. One significant incident involved the attack on Dyn, a major DNS provider, which resulted in widespread outages for many popular websites, including Twitter, Reddit, and Netflix. This attack highlighted the critical need for stronger security measures in IoT devices, such as robust password policies and regular firmware updates to prevent unauthorized access and exploitation.

CloudFlare. (n.d.). What is the Mirai Botnet? Cloudflare. Retrieved December 5, 2023, from https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/

Center for Internet Security. (n.d.). The Mirai Botnet – Threats and Mitigations. CIS Center for Internet Security. Retrieved December 5, 2023, from https://www.cisecurity.org/insights/blog/the-mirai-botnet-threats-and-mitigations
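
A defensive illustration of the Mirai behavior described above, added here as an example and not taken from the original article or its sources: an infected device scans outward for more victims, so a home firewall log shows one LAN host attempting connections to many outside addresses on Telnet ports 23 and 2323, the ports Mirai's scanner probed. The log format, subnet, addresses and the threshold of five targets are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log (made-up format and addresses, not real traffic).
SAMPLE_LOG = """\
2024-10-10T03:00:01 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP DPT=23 FLAGS=SYN
2024-10-10T03:00:01 SRC=192.168.1.23 DST=203.0.113.6 PROTO=TCP DPT=2323 FLAGS=SYN
2024-10-10T03:00:02 SRC=192.168.1.23 DST=203.0.113.7 PROTO=TCP DPT=23 FLAGS=SYN
2024-10-10T03:00:02 SRC=192.168.1.23 DST=198.51.100.9 PROTO=TCP DPT=23 FLAGS=SYN
2024-10-10T03:00:03 SRC=192.168.1.23 DST=198.51.100.44 PROTO=TCP DPT=23 FLAGS=SYN
2024-10-10T03:00:03 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP DPT=23 FLAGS=SYN
2024-10-10T03:00:04 SRC=192.168.1.10 DST=198.51.100.80 PROTO=TCP DPT=443 FLAGS=SYN
2024-10-10T03:00:05 SRC=192.168.1.10 DST=192.168.1.1 PROTO=TCP DPT=23 FLAGS=SYN
2024-10-10T03:00:06 SRC=192.168.1.10 DST=203.0.113.200 PROTO=TCP DPT=23 FLAGS=SYN
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet
TELNET_PORTS = {23, 2323}                     # Telnet ports Mirai's scanner probed
SYN_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+) FLAGS=SYN$")


def find_telnet_scanners(log_text, min_targets=5):
    """Map each LAN host to its count of distinct outside Telnet targets,
    keeping only hosts that reach min_targets."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        match = SYN_RE.search(line.strip())
        if not match:
            continue  # not a TCP SYN record in the expected format
        try:
            src = ipaddress.ip_address(match.group(1))
            dst = ipaddress.ip_address(match.group(2))
        except ValueError:
            continue  # skip records with malformed addresses
        # Only outbound Telnet attempts count: LAN source, non-LAN destination.
        if src in LAN and dst not in LAN and int(match.group(3)) in TELNET_PORTS:
            targets[str(src)].add(dst)  # a set, so repeated probes count once
    return {ip: len(seen) for ip, seen in targets.items() if len(seen) >= min_targets}


if __name__ == "__main__":
    for host, count in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"{host} tried Telnet on {count} outside addresses: isolate and reset it")
```

A single Telnet session to one outside host, or Telnet to the local router, stays below the threshold; only the fan-out to many distinct addresses is flagged.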

Protect Your Data!

Change Your Default Passwords

Don't make it easy for cybercriminals to access your devices. Use strong, unique passwords for each of your IoT devices and change them regularly. The simplest solution is usually the most effective!

Do not share data when not necessary

Be mindful of the information you share with your devices. Only provide data that is essential for the device to function properly and limit the amount of third-party services and data that is being collected on IoT devices.

Do your research

Before purchasing any IoT device, research its security features and the company's reputation for data privacy. Stay informed about updates and vulnerabilities.