Securitywise, the internet of things is going as badly as most computer security experts predicted. In fact, most vendors don’t fully appreciate the potential threats IoT devices pose. Anything connected to the internet and running code can be taken over for malicious purposes. Given the accelerating proliferation of internet-connected devices, we could be hurtling toward catastrophe. Personal security cameras, for example, are being used to conduct the , not to mention allowing strangers to spy on the very people the cameras are supposed to protect.
Worse, with IoT devices, vulnerabilities can have consequences far beyond the digital realm. The coming wave of IoT attacks includes those that could injure or kill people. This isn’t hypothetical. I’m talking about real attacks that are already possible today. And no one has done anything to make these attacks less likely to happen.
Following are nine next-wave hacks that could be coming for you soon.
Your heart monitor will get hacked
Hackers have long known they can disrupt nearly any medical device that has writeable software, works wirelessly, or connects to the internet. Computer scientists and hackers have exploited , , IV drip devices, , and , all of which have the potential to kill the patient. These threats come to our attention frequently.
, , and . And only recently have car manufacturers begun concentrating on tightly securing those systems. Most experts involved tell me we are a long way from being able to say that cars are “unhackable.” As one car security expert told me, “We’ve not been able to secure computers after trying for over three decades, why do you think we’ll be successful with cars?”
Good question. Still, many within the auto industry say that completely securing a car’s entire system against hackers isn’t even the main goal. The more realistic goal is to make the life-critical systems, such as the engine and brakes, unhackable. “Who cares if they change your stereo channel and change your GPS’s voice personality? But we absolutely need to be able to stop bad people from doing anything that could threaten human life. And that I think we can do it,” one car security expert told me.
Your house will be broken into with the push of a button
Thieves are starting to pay attention to our connected homes. Any device in your home that can be controlled over a network or wirelessly can also be controlled by a hacker. Front door locks , alarm systems , garage doors , and thermostats . Even refrigerators have already been .
As connected homes become more popular, expect thieves to take advantage. Why break a window when you can press a button and unlock the front door or garage? Traditional criminals prove quite adept at adopting lower-risk methods, especially when you consider that houses that contain smart devices are more likely to have expensive things to steal. Personally, I think it’s a bit early for anyone to trust their home’s security to any of today’s electronic locks and openers, until I hear that manufacturers are doing a much better job on securing them than they currently are.
Your vacation will be stolen (or fraudulent)
Bob and Leona Williams showed up at their vacation rental in Key West, tired after a day-long drive. They had signed a rental agreement, and the keys to the house had been mailed to them overnight, shortly before they wired the money. But when they arrived, the key didn’t work. They knocked on the door.
A short while later, a sleepy-eyed Amanda Ternoff opened the door. She knew from the car stacked with luggage behind her new guests what had happened. Someone had “fake rented” her house again. This time she was able to tell the scammed tourists what had happened and gave them the phone number for the Monroe County Sheriff’s department. This outcome was better than the last time, when Amanda had come home after taking a vacation of her own and found a Cuban family partying in her backyard pool sanctuary.
It happens hundreds of times a day. A fun-seeking family on vacation shows up at their dream vacation home, only to find it wasn’t a rental and they are out the money. Sometimes these fake vacation scammers have entire websites dedicated to the scheme and reply with official-looking rental agreements and procedures. Other couples have shown up for their vacation of a lifetime, then discovered that another couple had appeared a week earlier and used every tour package and amenity they had paid for. The burgeoning appearance of personal do-it-yourself rental sites like Airbnb, combined with traditional Craigslist-type sites, makes it easier to pull off.
Experts say stick to trusted companies and dedicated websites that have safeguards to prevent fake rental scams, and be especially aware of anyone who wants you to wire money instead of using a credit card. Other antiscammer sites recommend trying to confirm the vacation rental property in person before paying, although some scammers and trade on those credentials.
Your TV will be bricked for ransom
Our televisions are getting smarter. I can now watch cable, Netflix, Amazon, Hulu, and YouTube, as well as browse the internet, all using my TV’s remote control. But as our smart TVs become big-screen computers, they bring with them the inherent risk of malware and hackers. In fact, at least one TV . “Brick” is a term to indicate that a computing device’s state is so maligned that it will not operate without at least a new firmware write, and firmware writes can be difficult to impossible for someone outside of the vendor’s manufacturing plant to accomplish.
Longtime antimalware vendor TrendMicro warned last year . Ransomware is a malware program that encrypts your data and asks for money to unlock it. In a little more than a month TrendMicro detected 7,000-plus variants of the single ransomware program they found. Luckily, this particular malware program can only infect a specific type of older, now discontinued, smart TV. But no doubt this is only the first wave. Malware writers will code more television-specific attacks. I might not be willing to pay $500 to unlock my company’s laptop, but take away my home entertainment system and I might be willing to pony up the money quicker.
Your mobile phone will be doxed
If you think ransomware is terrible, malware writers have gone one better with doxware. Named after the hacker activity known as doxing, doxware will lock your computer or mobile phone and threaten to release your confidential documents or chats to the world. Think that love affair is a secret? Watch out for doxware. Don’t want your company’s top secret intellectual property to be revealed to your competitors? Better pay up.
Hackers have learned that regular offline backups can defeat the sting of ransomware, but threatening to expose embarrassing or valuable information, to steal a phrase from a popular credit card commercial, is priceless.
Your devices will attack other people
Hackers are aggregating hundreds of thousands to millions of user devices into rogue botnets to accomplish their malicious missions. Security cameras and IoT devices are being used to send spam, to conduct massive denial-of-service attacks, and to steal digital currency. Hackers accomplish this using specially designed bots that look for and compromise predefined IoT devices. Here, the poster child is , a Linux-based bot that showed up in early 2016. Its and was immediately reused by many other criminal gangs.
Mirai attempts to log on to vulnerable IoT devices using Telnet (TCP port 23) and a predefined list of very weak passwords (“admin,” “12345,” “password”). If successful, it tries to disable other remote admin log-on methods (SSH, HTTP, and so on), then attempts to connect to its command-and-control servers to get its next instructions and targets. Researchers have found millions of potentially vulnerable devices. People don’t know that their wireless routers, internet cameras, and refrigerators are being used to attack other people. All the average user might notice is some sluggishness or slowness in their own device, and who would blame that on an IoT bot when lagginess is normal in the computer world?
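The log-on pattern described above is easy to spot from the defender's side. The following is an added example, not code from the original article: a small detector that flags sources trying several of the quoted weak passwords over Telnet in a short burst, and separates a failed sweep from one that ended in a successful log-on. The log format, the 60-second window and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Weak passwords quoted in the article; a real deployment would load a longer list.
WEAK_PASSWORDS = {"admin", "12345", "password"}

# Constructed sample: Telnet honeypot auth log (the line format is an assumption).
SAMPLE_LOG = """\
2017-01-10T03:14:01 telnet src=203.0.113.7 user=root pass=admin result=fail
2017-01-10T03:14:03 telnet src=203.0.113.7 user=admin pass=12345 result=fail
2017-01-10T03:14:05 telnet src=203.0.113.7 user=admin pass=password result=ok
2017-01-10T09:30:00 telnet src=198.51.100.20 user=ops pass=Tr0ub4dor&3 result=fail
2017-01-10T09:30:40 telnet src=198.51.100.20 user=ops pass=Tr0ub4dor&3x result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet src=(?P<src>\S+) user=(?P<user>\S+) "
    r"pass=(?P<pw>\S+) result=(?P<result>ok|fail)$"
)

def analyze(log_text, window=timedelta(seconds=60), min_weak=2):
    """Return {source: verdict} for sources that try weak passwords in a burst."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in any other format
        ts = datetime.fromisoformat(m["ts"])
        attempts[m["src"]].append((ts, m["pw"], m["result"] == "ok"))

    verdicts = {}
    for src, events in attempts.items():
        weak = sorted(e for e in events if e[1] in WEAK_PASSWORDS)
        # Sliding window: at least min_weak weak-password tries within `window`.
        burst = any(weak[i + min_weak - 1][0] - weak[i][0] <= window
                    for i in range(len(weak) - min_weak + 1))
        if not burst:
            continue
        # A success here means the device accepted a default-style credential.
        if any(ok for _, _, ok in weak):
            verdicts[src] = "weak-credential login succeeded"
        else:
            verdicts[src] = "credential sweep"
    return verdicts

if __name__ == "__main__":
    for src, verdict in analyze(SAMPLE_LOG).items():
        print(src, verdict)
```

A "weak-credential login succeeded" verdict is the cue to change the password and close Telnet on that device; a "credential sweep" verdict means the attempt was seen but did not get in.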
IoT bots are becoming the hottest new malware type, like ransomware was before, and email viruses were before that. The problem is becoming so bad so fast that many governmental agencies around the world are launching investigations. Expect new IoT manufacturing laws and regulations to follow in 2017. Unfortunately, literally hundreds of millions of IoT devices out there were coded before we knew about IoT botnets, and they’re waiting to be exploited.
Your biometric identity will be up for sale
Passwords are quickly becoming persona non grata, rapidly replaced by two-factor and biometric authentication. Many people think that biometric identities are the best solution; after all, who can fake your retinal scan? Plenty of people, it turns out. Most users don’t realize that their biometric identity is stored as a digital file. Sometimes that biometric identity is stored exactly as it is (that is, your fingerprint impressions are stored looking exactly like your fingerprints). More often, your biometric identity is stored in an intermediate representation. For example, most digital fingerprints are stored looking something like a star constellation, with lines mapped between each ridge and valley.
Either way, because your biometric identity is stored so that it can be accessed for future authentication, hackers can steal it as easily as they can your password. And they can recycle your biometric identity on any system that used it in the first place. The only difference is that if your password is compromised, you can change your password. You can’t change your retina print (yet). When your biometric identity gets stolen, essentially your identity is stolen for the rest of your existence.
This becomes a big problem especially when large biometric databases are stolen, like the in which more than 5 million fingerprints were stolen. I know people who had their fingerprints taken back in the 1990s who received a government letter letting them know their fingerprints had been stolen.