'Internet of things' is soft target for hackers

December 29, 2014 at 5:03PM
The new Honeywell thermostat, Lyric, uses geofencing in cellphones to adjust your home thermostat as you approach or leave home. The new technology is raising concerns about privacy. (The Minnesota Star Tribune)

Cyberattacks launched through toasters, dishwashers, watches and refrigerators are among the threats information security professionals anticipate as the "Internet of things" becomes a reality.

Consumers can already buy products that turn their smartphones into increasingly powerful remote controllers. One of them, Honeywell's Lyric thermostat, adjusts a home's temperature based on the owner's smartphone location. It is one of several Honeywell devices, including lights, locks, ceiling fans and in-house cameras, that are completely controllable online.

Honeywell's smart devices, partly developed in its Golden Valley facility, have not experienced any reported security breaches since hitting the market. Jeremy Eaton, president of Honeywell Connected Home, said the company takes smart-device cybersecurity seriously and rigorously tests its products.

But there have already been recorded instances of other home appliances across the country being exploited by hackers. Earlier this year, 750,000 spam e-mails were traced back to a "thingnet" of more than 100,000 gadgets that included televisions, home entertainment centers and at least one refrigerator.

Meanwhile, conventional digital breaches like the recent Sony hack are predicted to become more common.

This flood of new smart devices is made possible by global increases in Internet speed and capacity.

The availability of high-speed, non-mobile broadband increased in Minnesota from about 61 percent of households in 2012 to about 71 percent in 2014, according to data from the Governor's Task Force on Broadband, established by Gov. Mark Dayton in 2011. Rural counties saw the most significant growth, and the pace of Minnesota's switch to broadband ranked eighth nationally. Technology giant Intel projects that cities will spend about $41 trillion in infrastructure upgrades for the Internet of things in the next 20 years.

The Internet's capacity is also surging. Internet protocol version 4, or IPv4, routes most online traffic and is nearing its capacity of about 4.3 billion available IP addresses, the unique code of each connected computer. In response, networks are gradually transitioning to Internet protocol version 6, or IPv6, which unlocks about 340 undecillion IPs. The University of Minnesota and Minnesota Comcast networks have switched over to IPv6.

"If IPv4 is a golf ball, IPv6 is the sun," said Brian Contos, a senior vice president and chief security strategist for cybersecurity firm Norse.

Increases in network speed and size drive the Internet of things, where any device with an on/off switch can connect online. Gartner, a technology research firm, projects a 30-fold increase in Internet-connected smart devices worldwide by 2020, reaching 26 billion, an increase from less than a billion only five years ago.

Chris Buse, chief information security officer for the state of Minnesota, said while this growing network offers advantages, there are risks. The state of Minnesota is already expanding its security models to include more devices, and scans thousands of devices per week for vulnerabilities hackers could exploit, Buse said.

He said the state needs to proactively manage its devices like phones, projectors, computers and other networked technology because there could be unknown vulnerabilities, and staying ahead of threats is a "cat-and-mouse game."

"You can never guess all the crazy things that can happen," he said.

Expanded cyber threats

Consumers will soon become accustomed to conveniences such as starting a dishwasher from work, even though it's hardly a necessity, said Ken Hoyme, a scientist with Minneapolis-based technology researchers Adventium Labs.

Small smart devices are "the weakest links" in a network, he said, whether it's in a hospital or a home. For instance, he said computer worms can get into hospital systems through CAT scan machines with built-in browsers for automatic updates.

Breaking into an organization's network could be as simple as exploiting out-of-date software on a smart thermostat to gain access to other connected systems, or simply changing the temperature settings to overheat a server room.

Hoyme said medical devices attached to the Internet could also be hacked, but that the dangers associated with not implanting a smart defibrillator far outweigh the likelihood of being the victim of a cyberattack. The University of Minnesota's Technological Leadership Institute recently held a public forum on securing wireless medical devices against hacking.

The rise of smart grids — digitally controlled and monitored electrical infrastructure — could present even more security risks to entire neighborhoods.

Remotely hijacking smartphones for ransom, accessing unsecured cameras via the Web or taking control of a home's motion detectors to detect people inside are already possible.

Additionally, large-scale security exploits such as this year's Heartbleed and Shellshock bugs could become even more catastrophic if they take place across the Internet of things.

While the Internet gets larger, "the neighborhood gets smaller," Hoyme said, because increased connectivity puts an average citizen's networked devices "right next door" to those of cybercriminals.

Even Honeywell's Eaton said an excessive amount of connectivity may not be useful.

"Why does my toaster need to talk to my coffee maker?" he said. "What are they going to talk about?"

Contos, the security professional at Norse, said that organizations will need to "build the walls higher" and "dig the moats deeper" to ward off cybersecurity threats arising across an exponentially bigger Internet.

Common sources of security threats can be organized into broad categories, Contos said, including employee insiders, for-profit cybercriminals, government-sponsored hackers and cause-motivated hacktivists.

Governments and companies might not consider taking measures until there's been a major attack, something Hoyme called "faith-based risk management."

Tony Yarusso, a systems administrator from Mahtomedi, said he replaced his old dial thermostat with a smart device that he controls with his phone.

The thermostats seem fairly safe from a hacking standpoint, and are convenient and economical for when he's out of town, late from work or just hanging around, Yarusso said.

As for the lock on his door, he's sticking with old technology.

Jeff Hargarten • 612-673-4642

about the writer

Jeff Hargarten

Data Journalist

Jeff Hargarten is a Minnesota Star Tribune journalist at the intersection of data analysis, reporting, coding and design.
