IoT: A Cause for Celebration and Precaution
While it’s not hard to recognize the benefits that these new gadgets will bring to our lives, there is a dark side to having all these devices Internet-connected.
December 21, 2015
Are you familiar with the Carna Botnet? If not, you really should be. Back in 2012, an anonymous hacker set out to "measure" the Internet in a survey entitled The Internet Census of 2012. Enlisting the Nmap Scripting Engine, the hacker scanned every publicly addressable IP address with the goal of finding just what was out there. More importantly, the census wanted to learn how many of those devices were unprotected. Sadly, it found a lot of them.
While quite a few of the discovered devices were consumer-grade, many were IPsec routers, BGP routers, x86 equipment with crypto accelerator cards, industrial control systems, physical door security systems, big Cisco/Juniper equipment, and so on. Finding these enterprise devices was not surprising, but far too many were still configured to accept default login credentials such as root/root and admin/admin. Ultimately, approximately 420,000 unprotected devices were discovered and the hacker was able to load scanning code onto them that allowed him or her to essentially probe the entire Internet.
Thankfully, the hacker's intentions were focused on research rather than harm, but discovering that many vulnerable devices is extremely alarming. If a so-called benevolent hacker can easily find and use them for fairly benign purposes, less scrupulous people will be next in line with far more nefarious intentions.
Christmas is just around the corner, and I expect that quite a few of us will receive one or more gifts that require an IP address. Personally, I am hoping for one of those wearable fitness devices. As a geek who likes to stay physically active, I could really get into electronically tracking my workouts, footsteps, and heartbeat.
Less health-minded folks are hoping Santa will bring Internet-connected lightbulbs, TVs, or refrigerators. Opening up the latest Best Buy flier, I see page after page of affordable smart devices. From Wi-Fi cameras to Web-connected security alarms, we are awash in IoT (Internet of Things) appliances and toys.
The OpenDNS 2015 Internet of Things Enterprise Report categorizes the kinds of IoT devices prevalent today as follows:
While it's not hard to recognize the benefits that these new gadgets will bring to our lives, there is a dark side to having all these devices Internet-connected. Every on-line device is yet another place where personal information can be compromised and exploited. Each IP address is another access point hackers can and will attack.
Consider devices as seemingly innocuous as IoT garage doors, thermostats, and lighting systems. Left unsecured, these devices can be monitored to discover a homeowner's home and away patterns. Data from lighting systems can be used to plan break-ins, and robberies will be facilitated by nefariously opening garage doors. Unprotected security systems can be turned off and surveillance cameras disabled.
Additionally, unsecured devices enable hackers to perform data mining and learn information that can be used to attack us elsewhere. That wearable health monitoring device I want to find under the Christmas tree will gather information about me that I am not inclined to share with strangers. Even more harm can occur with devices that actually control a person's health. For example, a drug-dispensing system can be told to deliver incorrect dosages.
For those of you who feel I am being Chicken Little and shouting "The sky is falling," the FBI recently issued a public service announcement that warned of all these potential problems and issued the following defense recommendations:
While little of the above should be unfamiliar to No Jitter readers, it's unfortunate how many of the recommendations are not followed. Some of this is due to ignorance, but much is simply because folks are too lazy to do the necessary work to build secure configurations. While I am not sure which of the two is easier to fix, unless they are addressed, hackers will have a field day as IoT devices become commonplace.
I am the last person to play Grinch when it comes to new and exciting technologies, but I am the first to say that security should be factored into every new toy, gadget, and service. IoT will revolutionize our world, and it won't be too long before everything from toasters to electric shavers will have an IP address and connect to some form of network. Done properly, this is a wonderful thing. Done haphazardly, we are willingly inviting trouble into our lives.
In closing, I would like to quote the anonymous Carna Botnet hacker:
Enough said. Happy holidays, everyone!
Andrew Prokop writes about all things unified communications on his popular blog, SIP Adventures.