Granite Geek: The Internet of Things has a Hacking Problem
A New Hampshire software developer is working on a way to protect household devices that are connected to the internet, the latest in a broader, nationwide push to keep the devices in our homes safe from hackers.
David Brooks, who writes the Granite Geek column at the Concord Monitor, has been keeping a close eye on this topic—and he’s pretty worried. Brooks spoke with NHPR’s Peter Biello.
This is all about the Internet of Things (IoT), so bring us up to speed: What is that?
The IoT is all the interconnected, internet-connected devices that are being sold now. Things like your router, but also webcams, thermostats—so you can set your thermostat on your smartphone while you’re at work—baby monitors, security cameras, door locks, refrigerators, toasters. There’s a ton of stuff out there.
And if these devices are hacked, what threat do they pose to the people who own them?
So, “hacked” doesn’t generally mean that they’re taken over and your toaster is going to start attacking you because bad guys in Ukraine are [controlling] it. What hacked usually means is, they’ve snuck software onto it without your knowledge.
That software can do things against you, spying or trying to steal some information, but more often it’s done so they can use your machine to send out either spam or to do some concentrated attack. So your thermostat is turned into a dumb computer that the bad guys are controlling to send out messages over the internet.
So they could use your thermostat, your toaster, your baby monitor to swarm a particular company’s website, and that’s called a denial-of-service attack, so that’s what this is going to prevent.
That’s the biggest thing this has targeted, and a distributed denial-of-service attack, a DDoS as you said, the most famous one here in New Hampshire happened in October when Dyn, the network company in Manchester that’s now part of Oracle, was hit hard for a couple hours. That took down a bunch of very famous websites.
That was tens of millions of these things, DVRs, stuff like that, all being told, send messages to DYN, and they just overloaded it.
So, enter this guy Steve Castle, who lives in Lee and is working on an app called IoT Watchdog. The app will help you identify when these internet-connected devices in your house have somehow been hijacked.
Right, because, if you’re a user like me, you’ve never even changed the password when you installed the device. You certainly don’t know if there’s security holes that have been found on it, or if it’s been updated.
Steve Castle actually entered a competition that was put on by the Federal Trade Commission, which has been the federal agency that’s been fighting against this issue. They had nationwide competition for ideas, and his idea was the app that won first prize.
Basically, it’s an app that hunts around on your Wi-Fi and says, hey, these are the devices you’ve got connected and here’s what we know about their current state. It will download updates, for example if there’s been an update to your security camera that you should install.
So it simplifies it for us clueless users.
So for users, clueless or not, if they’re using this app, they’ll be asked to do things like changing their passwords when a security breach is detected.
Could be, I’m not sure it’s smart enough to tell you if your password is bad, he’s still doing alpha testing. The big issue with it is getting information from the vendors, from the companies that make these things. That information needs to be in a database so this app can tell you, hey this thing has just had a security hole spotted.
That can be difficult to pry out of the companies. He’s going to need to some help, some backing, to make that occur.
In the meantime, for people using these internet devices, what’s their level of responsibility for keeping their stuff safe?
That’s a good question. Many people, including myself, would argue that virtually all the responsibility is on the manufacturers. They’re churning out these incredibly unsafe devices. They send them out with 1-2-3-4-5 as the password, they allow you to hook them up without changing the password, they have bad firmware on them.
They’re cranking them out because they can make a few bucks. So I would argue that they are responsible for virtually all the problems. They should make them safer.
As I said in the column, it would be like selling you cars with no door locks and big buttons that say, push here to hotwire. Then saying, it’s not our fault your car got stolen.
Then there’s the counterargument that those of us who buy the things and install them and are too lazy to change the password or make sure that they’re up to date and safe. So there’s probably blame to be shared.