Be Afraid, Very Afraid of the Internet of Things

What hackers can do to your computer, they can do to any connected device. They can kill your lighting system by turning it on and off 10 times per second, unlock and start your car, access your baby monitor, even tamper with the drug-infusion pump next to your hospital bed. But it would take some pretty slick moves for a hacker to find these devices on the Internet, right?

Maybe not. The Internet of Things now has its own search engine, shodan.io, where anyone who registers for a free account can look up connected devices all over the world. The site’s homepage says it helps you find which of your devices are connected to the Net, monitor your own computers, and obtain “empirical market intelligence” on who is using your product.

But there appears to be no limitation on whose devices are being searched. A quick stroll through the popular-searches menu turned up 6,491 webcams, 508 devices protected with the default password “default password,” 307 Netgear routers with the login “user” and the password “password,” 94 Android webcams with no default password, and 45 Iomega NAS drives with no passwords—among many other things. Each listing turns up a numeric Internet address and often more information. Cheerfully chirps the homepage: “There are power plants, smart TVs, refrigerators, and much more that can be found with Shodan!” Power plants?

How can you protect your own Internet-connected Things? For starters, stop being an idiot. Don’t assume your smart fridge is invulnerable to attack. The world is full of people who delight in doing inexplicably malicious things with computers. Make the effort to customize user IDs and come up with passwords that resist guesswork.

But manufacturers need to get serious too. “Use of multiple layers of protection is the driving principle for enterprise security,” writes Alan Grau, whose company Icon Labs provides security solutions for embedded devices. “It includes firewalls, authentication/encryption, security protocols, and intrusion detection/intrusion prevention systems.”

See his security wish list here.
