On August 2, 2018, the Federal Bureau of Investigation (FBI) issued a Public Service Announcement about hackers’ misuse of Internet of Things (IoT) devices.¹ The FBI wrote about how IoT could be utilized by hackers to hide the source of their attacks, aid fraud, or generally obstruct the flow of information over the internet.² In general, hackers could hijack your IoT devices to make it look like the device, and not the hacker, is performing the bad act. This is important because weaknesses in your IoT devices, which can literally include your toothbrush, could draw you into a dark cyber world.
The Internet of Things is the network of physical devices, vehicles, home appliances, and other items embedded with technology that enables them to connect and exchange data. At first blush, this seems indistinguishable from the standard internet, which allows for all types of devices to connect via computers, phones, tablets, and wearables. However, IoT refers to the breadth of devices that will now join networks, not the mechanisms for joining those networks. IoT devices have in the past been traditionally dumb or non-internet-enabled physical devices and everyday objects. Now, we increasingly see toasters, shoes, and toothbrushes becoming networked just like computers. Embedded with technology, these devices can communicate and interact over the Internet, and they can be remotely monitored and controlled. This interconnectivity opens up great possibilities for increased efficiency in superficially mundane areas. However, that connectivity, as noted by the FBI, comes with cyber risks.³
Analytically, the data security concerns with IoT devices are largely the same as with a traditional computer. The challenge is a mental one: how do we deal with a toaster like a hackable computer? The first part of this answer is very similar to the procedures that you should already be following with regard to your computers: (1) regularly change your passwords; (2) use strong, unique passwords: and (3) keep your software up-to-date. Some special techniques are also worth noting. You should reboot and power down your IoT devices regularly. Most malware is stored in memory and removed upon a device reboot. Therefore, rebooting will often “disinfect” the IoT device and keep bad guys from lurking in your toothbrush.
More advanced protection involves tweaking your own home network design. For example, you should consider configuring your network firewalls to block traffic from unauthorized IP addresses and disable port forwarding. You should also consider isolating IoT devices from other network connections. The real value comes from doing something that almost no one has ever done: examining how your toaster could be used as a cyber weapon. It may frustrate you to think about IoT devices in this manner, and create another level of worry about the security of your home and your networks, but thoughtfully approaching possible weaknesses of these newly networked devices when you install them can largely eliminate the risks. Plus, who doesn’t love smart toast?
² Specific malicious uses include: sending spam e-mails; maintaining anonymity; obfuscating network traffic; masking Internet browsing; generating click-fraud activities; buying, selling, and trading illegal images and goods; conducting credential stuffing attacks, which occurs when cyber actors use an automated script to test stolen passwords from other data breach incidents on unrelated web-sites; and selling or leasing IoT botnets to other cyber actors for financial gain.
³ “Common Internet of Things Devices May Expose Consumers to Cyber Exploitation,” available at https://www.ic3.gov/media/2017/171017-1.aspx.