SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

The Internet of Things: New Devices, New Concerns

Posted on June 22, 2017

On today’s Checklist, we’ll take a look at the Internet of Things and the new security holes these devices may be opening up.

Today, Internet connectivity isn’t something limited to just our computers and phones. Everything from in-home thermostats and garage door openers to our lights, security systems, and even children’s toys — there are versions of all these devices now that connect to the Internet. Referred to as the Internet of Things, it’s already a big industry — but what is it all about?

  • The Internet of Things defined.
  • Apple and the Internet of Things, with an eye on HomeKit.
  • Security and the Internet of Things: problems and pitfalls.
  • The Future of these Things.
  • Being smart with Smart Devices.

The Internet of Things defined.

So, at first glance, it’s easy to simply label this entire sector as just “Internet-enabled devices.” The idea of a fridge hooked up to the Internet used to be a punchline, but now it’s closer to reality — albeit not for too many people right now. That doesn’t mean IoT devices aren’t still laughed at, though. Some ideas can be downright silly. Crowdfunding sites like Kickstarter have seen their fair share of hare-brained schemes, like Internet-enabled espresso machines, juicers, and smartphone-connected propane tank sensors.

Some of these projects have failed, and some have succeeded, but regardless of the outcome, the impact is the same. The overall concept behind these devices has infiltrated the public consciousness. Have you ever seen those one-press buttons from Amazon that allow you to order a household necessity instantly? Those are a part of the Internet of Things, and they’re just one of the ways it’s entering our lives.

So, for a broad definition of the IoT, we might say it’s a group of items and objects communicating with one another through software and over the Internet. It’s all about networking devices together to “digitize” more of our lives and harness the power of data. The web-connected thermostat, like the Nest brand, is one example that boasts some real usefulness. Controlling the temperature of your home with your phone can make it easier to arrive home to a comfortable environment. Of course, there is also the fact that controlling your home from afar is just plain cool.

That’s why you’ll see a lot of IoT devices aimed at creating “smart homes.” We’ll talk about Apple’s efforts to foster the smart home revolution as well in a minute. For such a fundamentally basic idea, it can be hard to grasp what the IoT encompasses. That’s perhaps because it has already grown into such a massive industry with so many different types of products. When you hear the label applied to household appliances, it might make sense — but throw in some more mundane items that suddenly pair with an app on your phone and it’s a little more confusing.

We can clear up the definition even further. It’s not just objects and new devices connected to the web. Data plays a substantial part in the IoT, too. The goal is to learn about your personal habits and preferences in order to deliver greater convenience. The Nest thermostat, for example, boasts an ability to learn your habits and adjust the thermostat automatically with no input from you!

Sensors play a prominent role in the most useful IoT applications, and in fact are a major component themselves. For every device you can purchase for home use, there might be five or ten other sensors in industrial or technological applications transmitting data back to a central computer for analysis. The Internet of Things is about improving our lives with enhanced efficiency and useful data.

One firm monitors concrete quality via embedded sensors that can report back to a computer. On paper, “smart concrete” might sound like a silly idea. When we consider that it might save massive amounts of cash, time, and labor in maintenance, it’s not so silly after all. Power plant systems transmit data on operating equipment; wastewater treatment plants are coming online with web-connected systems for off-site analysis and monitoring. Sensors have exploded in a big way, and their applications have trickled down to consumers in other forms.

Businesses are using the Internet of Things, too, especially for warehouse products. Smart inventory tracking and retrieval is a growing field. Environmental control systems are growing in popularity as they can aid a business’s efforts to control overhead costs. More applications are in the pipeline, too.

So that’s what the Internet of Things is: sensors and devices collecting data, communicating over a network to share that data, and empowering users to do more with that sharing. Sounds like the wave of the future! Well, not so fast: aside from the security problems we’ll talk about later today, the IoT also suffers from serious fragmentation in the market. Everyone has an app or an idea for an app and a new product, and that means it’s difficult to integrate everything together. Apple hoped to lead the way in solving that problem.

Apple and the Internet of Things, with an eye on HomeKit.

Regardless of the potential frivolity the IoT can represent, major tech companies, like Apple, have taken notice of these developments. Apple has made a unified user experience a priority in its ecosystem for years now; expanding their efforts into the IoT just made sense, especially when the HomeKit framework was first launched back with iOS 8 in 2014.

It’s worth taking a few minutes to talk about Apple’s efforts in this area because, frankly, it is nearly unique in the IoT marketplace. Later, we’ll touch on the sometimes-extensive security issues present in a wealth of IoT devices. Apple, for its part, wanted to put security front and center with HomeKit and the iOS Home app.

Let’s make an important distinction first. Apple is not manufacturing IoT devices itself, although that may be changing: the company recently announced the “HomePod,” a Siri-enabled digital assistant that will function like Amazon’s Echo and Google’s Home. These new devices might as well be considered a part of the Internet of Things.

Though they’re less “Star Trek computer” right now than we might want them to be – and they come with their own set of privacy concerns – these products dovetail into the technologically-enhanced “smart home” / “smart life” concept. These new developments aside, though, HomeKit is a framework for IoT devices, not a part of the web of devices itself. The idea behind it is simple: to provide an easy way for approved technology to interface as seamlessly with your iOS devices as possible. It was supposed to create an easy to use and understand ecosystem to unify multiple different products together.

Unfortunately, it hasn’t worked out quite as smoothly as Apple maybe had hoped. The company continues to release updates to the framework, and more recently, dedicated apps have begun adding more usability to HomeKit-enabled tech. The goal of having all your devices meshing and interacting with one another remains far off, though. HomeKit has also struggled to make a bigger impact due to the relatively small number of products that bear its certification compared to the wider IoT market. What’s up with that?

We can attribute a part of that to the licensing fees and necessary MFi standards that the device needs to comply with; while it initially stood for “made for iPod,” MFi now stands in for all iOS products. It’s a certification Apple gives to developers who can prove their products will reliably work and interface with iPhones or iPads without substantial problems or interruptions. Beyond this, though, there’s another reason the industry has been slow to adopt HomeKit even as other similar frameworks have begun to arise: security.

Apple has always worked to position itself as a champion of user rights and privacy. They also seem to understand the risks inherent in connecting to the web and collecting so much data. But Apple thinks your data belongs to you, not some third-party. Until recently, Apple required HomeKit devices to include additional hardware in the product – a dedicated co-processor to handle encryption. As of WWDC 2017 though, that’s changed a bit. HomeKit enabled devices no longer require that chip. Instead, compatible devices will be authenticated through software, with firmware updates available to provide this new software-based authorization to both existing and future products. That should make the process easier for manufacturers while keeping customers safe. Apple says the authentication process will be just as demanding from a security standpoint as it has been all along.

Security and the Internet of Things: problems and pitfalls.

OK, so Apple goes to a lot of effort to ensure devices it licenses for use with the Home app meet some strict security standards. Why is it that their effort is so important? Well, we’ve mentioned a couple of times already that the Internet of Things is a particularly vulnerable type of technology. Some of that danger stems from the simple fact that connecting anything to the Internet exposes it to potential attacks from hackers and malware.

A lot of the risk comes from borderline negligence on the part of many manufacturers, though, and is a contributing factor in HomeKit’s slow growth: it costs money and takes time to implement robust security. Why do that when you could make a quick buck instead? In the pursuit of profit, it’s often our privacy as users that gets offered up as the first sacrifice.

That said, the negligence isn’t always malicious. Sometimes developers just don’t put the thought into security that they should. Certain IoT devices might seem so innocent or mundane that you might never think a hacker would want to exploit them or use them in any way. As we’ll see while we discuss some of the biggest IoT security scandals, though, that isn’t the case. The endless creativity of the IoT sector just further inspires the endless creativity of hackers. Of course, it doesn’t help when developers leave the door wide open to anyone who wants to walk in and help themselves to user data.

That was the case earlier this year, not long after the end of the holiday season. If you haven’t heard of the CloudPets story, it’s a lesson in terrible IoT design. In short, CloudPets were toys designed to allow parents and children to record short messages for one another. The toys would then play back these messages. Sounds sweet, right? Less sweet was the fact that all these recordings and even the usernames and passwords for every account were all stored on an insecure server in Romania.

It didn’t take long before hackers descended on this trove of data for their own amusement and to experiment with the data set. While the passwords were encrypted, CloudPets would accept anything as a password, even the number 1 or a single letter by itself. As a result, cracking the database wide open took no time at all. It wouldn’t be surprising if all the exposed emails were immediately sold off to spammers. Some even tried to hold the data for ransom, threatening the company — but the joke was on them in that instance: the firm is practically defunct now.

Other toys have had similar problems; a “hack” of a similar Barbie doll made waves several years ago. German authorities even warned parents that hackers might be able to remotely access some toys, using them to record and spy on those in the room. Talk about a chilling thought. However, it’s not just cheap or hastily made children’s toys that fall prey to the poor security practices rampant in the IoT sector.

You might remember an outage of many popular sites last year when the DNS provider Dyn was subjected to a massive denial of service attack that took down its services for hours. We wrote about it on our site and followed the story as it developed. The culprit malware, Mirai, scanned the web looking for connected IoT devices like security cameras, DVRs, and other simple devices.

Since users most often leave the default password set when they use this tech, Mirai could easily brute-force its way into the system. It then infected the device and added it to its giant “botnet” of infected devices. All of that translated to potentially millions of devices sending fraudulent requests to web servers, crashing sites all over the place.
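The pattern described above, a single source walking through a list of default usernames until one works, is visible in a device’s login log. The following is an added example, not code from the podcast or from any vendor: it parses a constructed, telnet-style authentication log (format and sample lines are assumptions) and flags sources that sprayed several different usernames, noting whether any attempt eventually succeeded.

```python
import re
from collections import defaultdict

# Constructed sample log (not a real capture). One source tries several
# usernames in quick succession and finally gets in; a second source is a
# normal single successful login by the owner.
SAMPLE_LOG = """\
2017-06-20T02:14:01Z telnetd: login attempt user=root from=203.0.113.7 result=fail
2017-06-20T02:14:02Z telnetd: login attempt user=admin from=203.0.113.7 result=fail
2017-06-20T02:14:03Z telnetd: login attempt user=root from=203.0.113.7 result=fail
2017-06-20T02:14:04Z telnetd: login attempt user=support from=203.0.113.7 result=fail
2017-06-20T02:14:05Z telnetd: login attempt user=admin from=203.0.113.7 result=success
2017-06-20T08:30:11Z telnetd: login attempt user=owner from=192.0.2.5 result=success
"""

# Assumed line layout: "... login attempt user=<name> from=<ip> result=<fail|success>"
LINE_RE = re.compile(
    r"login attempt user=(?P<user>\S+) from=(?P<src>\S+) result=(?P<result>\w+)"
)


def parse(log_text):
    """Return a list of (source, username, result) tuples, skipping unparseable lines."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            events.append((match.group("src"), match.group("user"), match.group("result")))
    return events


def find_credential_sweeps(events, min_attempts=3, min_users=2):
    """Flag sources that made at least min_attempts logins across at least
    min_users distinct usernames. A legitimate owner rarely tries several
    different account names; a default-credential scanner always does.
    Each alert records whether the sweep ended in a successful login."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "success": False})
    for src, user, result in events:
        record = per_src[src]
        record["attempts"] += 1
        record["users"].add(user)
        if result == "success":
            record["success"] = True

    alerts = []
    for src, record in per_src.items():
        if record["attempts"] >= min_attempts and len(record["users"]) >= min_users:
            alerts.append({
                "src": src,
                "attempts": record["attempts"],
                "users": sorted(record["users"]),
                "compromised": record["success"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_credential_sweeps(parse(SAMPLE_LOG)):
        status = "SUCCEEDED" if alert["compromised"] else "failed"
        print(f"{alert['src']}: {alert['attempts']} attempts over "
              f"{len(alert['users'])} usernames, login {status}")
```

A device that ships with a changed default password turns the final line of that sweep into another failure, which is exactly the outcome the rest of this episode argues for.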

It isn’t as though these threats are new, either. In 2015, the Federal Trade Commission issued guidelines warning about the poor security common to the Internet of Things. A study published that same year found nearly two-thirds of the devices studied exhibited common and exploitable vulnerabilities. Across the industry, there seems to be a push to get devices to market faster, even if it means sacrificing security and privacy in the process. In the wake of the Dyn scandal, perhaps that will change — but it may be several years before we see the effects.

The Future of these Things.

With all the issues various device manufacturers have encountered, we wouldn’t blame you if you thought that the trouble isn’t worth the risk. For some people, that’s going to be true. Individuals who need to work with sensitive data or who are particularly security-minded will want to minimize the possible vectors of attack hackers could use against them. Any device that offers app functionality or Internet connectivity needs some scrutiny.

That’s already obvious, though we’ll discuss shortly how you can apply that scrutiny in your own home. What about the future of the Internet of Things, though? Where can we go from here, if we’re already experiencing such a wide variety of issues? Apple clearly thinks there’s a future in these products. The embrace of the digital home assistant and the aims for expansion with Siri are a sure sign of that.

That’s great, but let’s think about what we could hope to see from the industry going forward. How future IoT devices address the problems faced by the current crop of technology will dictate whether these applications live or die. It certainly wouldn’t be the first time we’ve seen “fads of the future” rise and fall. Even so, it seems unlikely that will happen here, as we continue to look to computers for ways to solve problems and simplify life.

The future of the IoT depends on hardening devices against hacks. We hear lots of complaints that “security is expensive,” and maybe for some manufacturers, that is going to be the case up front. Is that a good excuse? We can’t just let another Mirai wreak havoc on our digital infrastructure because malware compromised someone’s coffee maker! Not everyone needs to go as far as Apple does with its HomeKit standards, though it would prevent its fair share of problems. We should hope for even the basic implementation of core security features like password restrictions and thorough encryption between the device and its servers.

It’s not just important for consumers, either. This technology goes far beyond applications in the home. As we discussed, with more businesses adopting these technologies, the potential for financial loss and theft of information becomes even greater. There are even some crucial types of infrastructure integrating items we would probably say belong to the IoT. Without rigorous security standards for the way these devices communicate, we’re going to need to remain very cautious.

This ties in to something of a shortcoming for the IoT today: nothing really plays nice together. HomeKit helps, sure, but the fact is we have hundreds of companies making devices using just as many different frameworks. When you need to set up a brand new online account for every device you purchase — and those devices come with their own proprietary app — you’re creating many more potential entry points for a hacker.

Integration will be the key to the IoT’s long-term success or failure. It’s hard to imagine some of these applications going away, especially with the increased presence of sensors in our lives. Hopefully, we’ll spend less time on apps that can turn on your juicer during your commute and more time on secure and practical applications. In the future, we should also hope to see more manufacturers working together to get on the same page. Otherwise, we’re never going to achieve a safe and secure “smart home” — we’ll just end up with one really confused house.

Being smart with Smart Devices.

It’s clear from the evidence, and from the numerous stories of IoT-related mishaps, that these devices aren’t always the safest to use from a privacy or security perspective. Does that mean we should shun them altogether? No. But neither should we simply trust that a manufacturer has taken the appropriate steps to secure the device.

Botnet malware remains rampant; the Mirai incident was only the latest in a long string of events. How can you take advantage of the “things” in the IoT without exposing yourself to unnecessary risks? It takes some thought, but it’s doable. Like with many other things related to the Internet, it’s important to take a closer look at things for yourself.

The unfortunate news is that examining a device’s security practices yourself might be almost impossible. With many IoT devices pumped out by fly-by-night companies, it’s common to see new items hit the market with little testing or even forethought. The examples we’ve discussed today should make that clear already. With that in mind, we think the best way to approach using any of these devices is with a healthy dose of skepticism and a willingness to walk away — even when products seem like something you simply must have.

Choosing a HomeKit device can give you some additional peace of mind. That does mean dealing with the fact that HomeKit-approved devices come out slowly compared to similar products on the market. That means that patience is an important part of using the Internet of Things, too. Be certain the items you’re using aren’t going to come up with big problems right out of the box. While that’s unavoidable sometimes, it’s easier to do if you stick to proven producers. An off-brand Internet-enabled smart light may not be the wisest purchase.

Be very skeptical of toys and other frivolous items that offer IoT connectivity. An important question to ask yourself about these products (or any similar items) is simple enough: “Is it worth it?” In other words, is the feature or functionality worth the potential risk if the device doesn’t have proper security procedures implemented? Most times, the answer will be no; there are plenty of items out there that can deliver similar performance without the added risks.

When you do use these products, observe all the normal best practices. You may even want to set up a separate email account just to manage your IoT devices. Use strong passwords with any device that requires them, and apply any updates to the device’s firmware as they come out. Between a rigorous vetting procedure, smart purchases, and these habits, you can enjoy the first steps towards a “smart home” and a more digital, data-driven life with less worry. Let’s not forget that this industry is still young and has plenty of growing ahead of it.

So, with IoT devices still exhibiting widespread vulnerabilities and consistently playing a part in the creation of new botnets, it’s reasonable to view them with some concern. As Apple further develops HomeKit and makes it appealing to a wider audience, we’ll hope other manufacturers will wake up to the threats posed by unsecured devices. With the right approach, though, we look forward to having devices which provide more automation, simplified living, and secure choices for our future home conveniences.

That’s everything we have to cover today. We hope it’s made the Internet of Things a little less vague and a bit more understandable. We’ll return next week with another episode of The Checklist.

Problems? Questions? Security concerns? If you have anything to ask us, send us an email at checklist@securemac.com!
