In 2015, somewhere in the neighborhood of 1 billion Internet of Things (IoT) devices will be purchased, an increase of 60% over the previous year. There will be 10 billion IoT devices connected to the Internet this year.
A couple of years ago, a survey found that three out of four Americans had no clue that there was such an animal as the Internet of Things, and many likely still don’t know (until you tell them their new smart TV or fitness band counts). Since the IoT is only going to get bigger, it’s best to get a handle on what it means for you.
The IoT can be any product or appliance equipped with a chip for storing data and web connectivity. The point is two-fold: service and data collection. Whether we’re talking about a car or a dishwasher, manufacturers can identify this or that “thing” by a unique code, then send it information over the Internet, including commands and software updates; conversely, they can also receive communications from it. Many of the devices that fall under the IoT heading have web- and app-based interfaces that allow end users to control them from wherever they may be, whether it is a security camera, a front door or a clothes dryer.
Frequently, these souped-up appliances are marketed as “smart devices,” and they have a variety of benefits. A smart coffee machine can make your coffee at 7:30 every morning, or smart tech can warm up your car whenever the temperature is below freezing. It can open the doors at your business and turn on the lights. The possibilities are endless, and excruciatingly cool. But the downside, of course, is the security risk. Because this data is moving around on devices that are not universally protected, in an environment where there is no established security standard, we have no way of assessing the level of risk.
Most IoT products are often woefully underprotected (or not protected at all), and that opens the door to hacking. From the criminal’s perspective, the IoT is, simply, an opportunity — a bunch of holes in the fence of your information security. It expands your attackable surface. Computer manufacturers and software companies devote attention and resources to providing security, but appliance makers have little understanding of the field. It is only a matter of time before the hackers start digging into their programs.
In fact, the first proven large-scale hack of IoT devices occurred in December 2013 and the first week of 2014, according to the security-as-a-service company Proofpoint, based in Sunnyvale, Calif. According to Proofpoint’s press release detailed the marshaling of conventional household smart, or IoT, appliances, “the global attack campaign involved more than 750,000 malicious email communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multimedia centers, televisions and at least one refrigerator that had been compromised and used as a platform to launch attacks.”
Normally, a mass of spam as large as 750,000 emails would be caught by filters. But what if the filters didn’t know the emails were coming from the same place? In this attack, which took place between Dec. 23, 2013,and Jan. 6, 2014, bursts of email — as many as 100,000 of them at a time — were sent out through an army of machines several times a day. Twenty-five percent of the email was sent via noncomputer “things” (i.e., not a laptop, desktop computer or smartphone). Because each IP address was programmed by the hackers to send no more than 10 emails, none of the location-based defenses that networks use to block spam were triggered. After all, who would suspect a refrigerator of malfeasance?
Luckily, there are some things you can do to reduce your attackable surface.
1. Change Default Settings
Your new device may come with no password set or a password set to something that can be easily searched online. The first thing you need to do is change that password to something long and strong, with upper and lowercase characters, numbers and a good dollop of unpredictability. Stay away from number sequences like birthdays and phone numbers, which could be gettable from data compromises and breaches.
2. Create a Separate Email Account
The best way to protect your privacy and monitor any illegal activity associated with your IoT device is to register it to an email account that you only use for IoT devices, perhaps even that you only use for a particular device. If something happens, you will not be as exposed. Remember: email is an element of personally identifiable information.
3. Less Is More
While your media likes and dislikes and your diet and fitness milestones are fun to report, the downside is that you broadcast information about yourself to potential fraudsters as well. Keep it to a minimum.
When it comes to any new technology that makes life more convenient, bear in mind that the tradeoff is privacy and personal information security. The less you have out there, the less vulnerable to fraud you become.
Adam Levin is chairman and founder of CyberScout. The above is an adapted excerpt from Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves, now available in bookstores.