The “Internet of Things” or IoT – More Common But Hackable by Ira Wilsker – SouthEastern Michigan Computer Organization, Inc.

A few years at the Consumer Electronics Show (CES) in Las Vegas, I was intrigued by the numbers of both prototype and production items that were evolving into what is now known as “the “Internet of Things”, or “IoT”. For the majority of us, when we think of the internet, we think of our internet connected computers, tablets, and smart phones. What many of us are not well aware of is that the Internet of Things is beginning to be much more common, and the IoT is already around us in a big way.

When I was last at CES, I was amazed at how internet connections had already made their way into household appliances, and other electronic devices. At CES I saw products being introduced by major appliance manufactures that had connected intelligence built into them.

Among some of the most impressive items that I saw demonstrated were what appeared to be conventional residential kitchen refrigerators that had what appeared to be a flat screen tablet on the front of the door, as well as other types of sensors and readers built into the appliance. The tablet on the front door could be connected to the internet via Wi-Fi and used to order groceries from participating supermarkets, display recipes, and create shopping lists. A small bar code reader was installed on the door that could read the UPC codes on products, adding those items to a digital shopping list that could be remotely printed, or sent directly to the chosen supermarket. The tablet on the refrigerator door would also display digital coupons and other promotions, enabling the owner to instantly add the promoted item to the grocery list.

This internet connected refrigerator, as well as IoT connected washers, dryers, dishwashers, air conditioners, stoves, ovens, microwaves, and other major appliances also incorporated a “service connection” which monitored the physical operating condition of the appliances. These appliances utilizing their internet connection, typically Wi-Fi, would report their operating condition, suggest repairs and maintenance, provide or order a list of replacement parts, display do-it-yourself repair instructions, or contact a repair service if necessary. Most of these devices would actually send an email or text message to the appliance owner alerting him of the issues.

Many auto manufacturers currently offer “OnStar”, “BlueLink”, or other types of cellular or internet connected monitoring systems that can report on maintenance issues, service reminders, and other issues, as well as providing a method of emergency communications. My wife’s car periodically sends her an email listing the mechanical condition of each of the major components on her car.

We are seeing much more of our homes being controlled or secured by the IoT under the general topic of “Building and home automation”. Most modern home security systems can be remotely accessed and controlled by cell phone; security cameras can display their images on remote devices anywhere. Lamps can be remotely controlled to turn on or off by remote command. Even our utility usage and thermostats can be accessed remotely. The very popular Nest thermostat, along with an increasing number of competitors, offers internet connected control of household temperatures, as well as smoke detectors and remote cameras. My new “smart TV” is connected to my home data network which allows me to use my smart phone as a fully functional remote to not just control the TV, but to also search through dozens of streaming media services to watch countless movies, TV shows, videos, and other content, all connected by my home Wi-Fi network.

A review of local industry, health care facilities, public utilities, transportation systems, and other commercial enterprises are rapidly becoming more involved with the IoT. Look at your water, gas, and electric meters; many are already internet connected in order to speed automate “meter reading” saving time and money. In the medical field, health monitoring and diagnostic equipment is becoming more connected to the internet. According to Wikipedia, “These health monitoring devices can range from blood pressure and heart rate monitors to advanced devices capable of monitoring specialized implants, such as pacemakers or advanced hearing aids. … Other consumer devices to encourage healthy living, such as, connected scales or wearable heart monitors, are also a possibility with the IoT. … Doctors can monitor the health of their patients on their smart phones after the patient gets discharged from the hospital.”

While much of this current IoT technology is infringing on what used to be in the realm of science fiction, there is also a dark side to the IoT. Already hackers are breaking into internet connected devices other than the traditional computers and data networks in order to illicitly control these IoT devices, alter or steal data and personal information, or shut them down on demand. In terms of connected medical devices, there have been some serious concerns expressed about complying with HIPAA and other privacy and security rules and regulations.

It has been well documented that some common household smart devices, most notably smart TVs, have actually spied on their owners. This was reported about two years ago in Forbes magazine by Joseph Steinberg, in his expose’ “These Devices May Be Spying On You (Even In Your Own Home)” On January 27, 2014, this article in Forbes said, Televisions may track what you watch. Some LG televisions were found to spy on not only what channels were being watched, but even transmitted back to LG the names of files on USB drives connected to the television. Hackers have also demonstrated that they can hack some models of Samsung TVs and use them as vehicles to capture data from networks to which they are attached, and even watch whatever the cameras built in to the televisions see.” Internet connected coffee makers, which can be remotely programmed to make morning coffee may disclose to hackers when you may be waking up, and even what time you might be returning home, valuable information for residential burglars. The smart refrigerator may be selling your shopping information to third parties. In an unexpected and unusual case, Joseph Steinberg reported that a smart refrigerator was used to send out spam emails, ” … (P)otential vulnerabilities have been reported in smart kitchen devices for quite some time, and less than a month ago a smart refrigerator was found to have been used by hackers in a malicious email attack. You read that correctly – hackers successfully used a refrigerator to send out malicious emails.” Also in that Forbes article, companies providing DVR, satellite, and cable service have been alleged to have sold information of shows and other content watched in the household in order for advertisers to better target their advertising. It is also widely known that many internet service providers compile lists of websites visited; since may people get their TV and internet from the same provider, these companies could combine that information, which Forbes warns, “a single party may know a lot more about you then you might think.”

Another popular target for hackers and other miscreants is common household video capture equipment, such as a webcam or a home security camera; remote baby monitors are similarly targeted. Forbes disclosed that malware on a computer can remotely turn on and off the internet connected cameras. In one notable case referenced in the Forbes article was how a Miss Teen USA was allegedly blackmailed by a hacker who controlled her laptop’s integral webcam, ” … and photographed her naked when she thought the camera was not on.” The images of home security cameras, often transmitted unencrypted over the internet, can be captured by burglars, informing them that not just is the home currently unoccupied, but also the location of the potentially incriminating cameras!

Information about specific items connected to the internet is readily available, and even searchable as easily as any other internet data. The Shanghai based website Shodan (shodan.io) describes itself as, “Shodan is the world’s first search engine for Internet-connected devices.” On the front page of Shodan is a self aggrandizing statement that says, “Explore the Internet of Things. Use Shodan to discover which of your devices are connected to the Internet, where they are located and who is using them.”, followed by, “See the Big Picture – Websites are just one part of the Internet. There are power plants, Smart TVs, refrigerators and much more that can be found with Shodan!” Just as an experiment, I registered on Shodan with a disposable email address, and did a quick search of my neighborhood; I found nine potentially vulnerable IoT connected devices within a small radius of my house. I also found that some local service stations monitor their gasoline inventory in real time, transmitting their data in real time over an unencrypted internet connection. For example, when searched, one particular major refiner branded station reported, “IN-TANK INVENTORY Regular 7263 (gallons), Temperature 51.74 degrees” as well as other inventory information. This was one of 45 “Automated Tank Gauges” reported by Shodan in this area. This gasoline tank information was just a very small snippet of the millions of such internet connected devices that most of us have no idea even exists.

In a December 28, 2015 article published by Cnet, “Internet-connected homes open the door to hackers”, with the subtitle, “Baby monitors, thermostats, kitchen gadgets and other “smart” devices add convenience to our daily lives. What are manufacturers doing to make sure they don’t make life easier for criminals too?”, the author, Laura Hautala, explained the vulnerabilities of our household IoT. In the opening of the article, employees of a Sunnyvale, California cybersecurity company, Fortinet, used the Shodan search engine to find a video stream in Saudi Arabia, 8100 miles away. Using the too common factory default username and password of “admin”, they were able to view the streaming video. According to Fortinet engineer, Aamir Lakhani, the Shodan search engine can display, ” … a huge trove of Internet-connected devices, from baby monitors to cars, cameras and even traffic lights.” Sadly, many of these devices still use factory default usernames and passwords, and transmit their data over unencrypted internet links. The Cnet article goes on to state, ” Billions of sensors will soon be built into appliances, security systems, health monitors, door locks, cars and city streets to help manage energy use, control traffic, monitor air quality and even warn physicians when a patient is about to have a stroke.”

The Cnet article stated that a well respected market forecaster, Gartner, predicted that in 2016 there will be 6.4 billion internet connected devices in use. Many new IoT devices will be displayed and demonstrated at this year’s CES in Las Vegas. Among some of the risks of an insecure IoT could be a variety of malicious vandalism, as well as outright identity theft, terrorism, and crimes of opportunity. Tanuj Mohan, co-founder of Enlighted, gave one such potential example of vandalism. He was quoted in Cnet as saying, ” That connected coffee maker in the office — it wouldn’t be much of a stretch for a hacker to put it into a continuous loop and brew coffee throughout the weekend, flooding the office. … When computers hold the reins, criminals can grab control in unexpected ways.” At present, there is no coordination or uniform standard for IoT security, and many manufactures of IoT devices do not incorporate adequate default security into their devices, making the aggregate vulnerability of the devices potentially catastrophic. Mohan warned that manufacturers are not paying attention to the potential security vulnerabilities of many of their products. “They’re not yet aware of how everything they build can be exploited. Safety last.”

We, as users of IoT products need to take some personal responsibility for the use of our connected products. We should never use any default usernames and passwords such as the “admin” used to give total access to video link mentioned above, but instead use difficult to guess passwords. Since many of the devices offer some form of encryption as an optional setting, it would be wise for all users to engage that option, and set a complex pass phrase for a decryption key.

The Cnet article closes with a very prophetic statement. “Baby monitors, thermostats, kitchen gadgets and other “smart” devices add convenience to our daily lives. What are manufacturers doing to make sure they don’t make life easier for criminals too?”