The Internet of Things (IoT) has superseded buzzword status. With estimates of 13.5 billion “things” connected to the internet by 2020, connected-device technologies are promising to transform the lives of businesses and consumers alike. But in the case of IoT, the cost of convenience is security.
We saw the power of IoT vulnerabilities come to light during the recent distributed denial-of-service (DDoS) bot-infected attack against the domain-name service provider Dyn. This DDoS attack knocked out a number of the internet’s most popular websites including Netflix, Twitter, Pinterest, and Spotify. Experts say this massive attack was powered in part by Miari, an IoT botnet, which is a network of computers controlled by a third party and used to prey on the poor security of internet-connected devices.
Mirai works by constantly scanning the web for accessible IoT devices such as security cameras, DVRs, and home routers. From there, it takes control of the server by logging in via the device’s default username and password, then turning the devices into malware-infected bots specifically for cyberattacks.
After hearing so much discussion about IoT security risks, I was curious to see firsthand just how easy it is to hack into an internet-connected device. As a whitehat hacker, I tested my hacking skills on my Smarter Coffee machine, which is connected to my home wifi network.
But why should you care about some guy who figured out how to hack his coffee machine? Because it was too easy. If I’m willing to spend a couple of hours automating my coffee intake, there are countless cyber criminals out there willing to put in the time for a much higher-stakes reward.
There are countless cyber criminals out there willing to put in the time for a much higher-stakes reward. Since I work from home and I’m an avid coffee drinker, I wanted to create a way to send commands directly to my Smarter Coffee application from my desktop without having to track down my phone. Since the Smarter Coffee maker comes with an app for iPhone and Android devices, I decided to investigate the app to find the communication protocol.
In order to make this happen, I studied the code in the Android app to figure out how my phone controlled the coffee maker. Ultimately, I was able to decipher how to control the coffee maker directly from the terminal prompt of my desktop computer, eliminating the need for the mobile app altogether. By doing so, I was able to successfully automate the coffee-making process that turns caffeine into computer code with unparalleled efficiency—right from my own desktop. You can download the client code here. (You will need to specify your machine IP address the first time, then it will reside in the ~/.smartercoffee file.)
Your networks are always at risk. For example, while the Smarter Coffee app requires you to register an account, anyone on the same network could easily access it, take control, and send commands to the device with no authentication required. And if you think your unencrypted home wifi network is safe with a password, think again: Tests by two executives at BlackBerry showed similar vulnerabilities in their office’s network-connected tea kettle, which they proved could infiltrate an entire network and put sensitive enterprise data at risk.
In other words, if a hacker can take control of your caffeine dispenser, they can gain access to everything else it connects to.
While most device makers and developers are yet to respond to this wake-up call, government agencies are stepping in. In response to the recent DDoS attacks, the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) in the US released documents providing recommendations for how companies and individuals should approach security for IoT. The DHS release provides six strategic principles aimed to provide guidance for developers, service providers, and consumers, and encourages them to incorporate security into the design of IoT devices from the start. NIST provides a more detailed list of recommendations for manufacturers and developers seeking to engineer safer products.
The fact that two government agencies released IoT security guidelines is a step in the right direction. However, IoT-related attacks will continue to surface as long as the IoT and the mobile industry at large fail to prioritize security.
A coffee-machine hack may seem harmless, but the Dyn attack proved how easily IoT devices can cause damage at a grand scale. It’s time to hold IoT developers accountable for building security into their devices.