There's no denying that the Internet of Things is a hot market and that consumers who are buying these Wi-Fi-enabled devices — from smart appliances, lightbulbs and thermostats to home security systems and smart TVs — are enjoying the conveniences they offer. Yet these products put us at greater risk from hackers than we realize.
But is it all worth it?
"Hackers are no longer solely focused on PCs and the encryption of files," said Norman Guadagno, chief evangelist at data protection company Carbonite. "They are now targeting new platforms, like IoT-connected devices that serve as entry points, to obtain valuable information."
Guadagno said that what hackers want is to turn your gadget into a software agent, or "bot," that can access your username and password. Since many people use the same passwords and usernames for everything, hackers who lift those things from you gain the keys to the kingdom, sometimes literally.
Here is a look at 12 of the most surprising items hackers are zeroing in on right now.
According to Eric Cernak, cyber practice leader for Munich Re, a reinsurance group that provides cyber-risk protections to homeowners, many firearms are now connected. Through the use of radio-frequency identification chips, or RFIDs, weapons can now be tracked from manufacturer to end user — a technology that is vulnerable to hackers.
"Researchers have shown that an attacker can alter instructions, such that the rifle will be rendered useless or aim for an unintended target," Cernak said. "One of the main vulnerabilities exploited was the inability to change the default password of the device. In addition, the firearm also contained a vulnerability which enabled administrative access to someone other than the person holding the gun."
Cernak said toothbrushes that use RFID chips or Bluetooth technology rely on "near field" communications methods, meaning that a hacker would need to be in very close physical proximity to access them. Still, just because he or she would need to be within 300 feet to be successful doesn't mean there's any less risk.
"If an attacker can use a weakness in a connected device to access a person's home network, computer or mobile device, they may be in danger of having their identity stolen," Cernak said. "This can result in outstanding bench warrants, damaged credit scores and tax- or health insurance–related issues."
Domingo Guerra, co-founder and president of Appthority, a security, data loss and privacy risk company, said that "smart" refrigerators, whose connected calendars do things like remind the owner to change the baking soda, can expose the owner's username and password. That's all that a hacker needs to access the "Forgot my password" feature on a bank website.
"To prevent the risk of hacking, users should only use trusted and secure internet connections, strong passwords, different passwords for each account and device and, if possible, not the main user's email," Guerra said. "Our primary email is our most important account we own, so it should not share a password with any other account."
The world's many cultures comprise a rich tapestry, which serves as a backdrop to our daily lives, whether we inhabit a Park Avenue penthouse or a rural Burundi mud hut. There is perhaps no greater example of this diversity than the preponderance of "smart toilets" in Japan, which feature a seat warmer, a bidet, an automatic lid and remote flushing. Unfortunately, the contraption is Bluetooth-enabled and thus hacker-friendly.
"The toilet could be remotely controlled via a Bluetooth app that required no password protection," said Corey Williams, senior director of products and marketing at the cloud-based identity management company Centrify. "So anyone could remotely have the lid flapping, flooding the bathroom," he said.
James Carder, chief information security officer and vice president of the security intelligence company LogRhythm Labs, said that newer unmanned aerial vehicles, also known as drones, are more secure than those manufactured in the past. But that doesn't mean they can't still be hacked.
"The new models do have some built-in safety restrictions to take into account no-fly zones, but there is a hack for everything, and just as people have 'jailbroken' their iPhones, I would assume there will be a 'jailbreak' for drones as well," Carder said. "I have a feeling we're going to see quite a few cases where drones are used for more than just fun. In fact, they are already being used to aid in home robberies."
Sure, hijacking someone's toilet is just innocent fun gone awry. But Oded Vanunu, head of product vulnerability research at the IT security company Check Point Software Technologies, wants us all to remember that there are also apocalyptic hacking scenarios, such as a compromised nuclear power plant. This isn't hypothetical, either. It happened in April.
"A German nuclear plant was infected with malware designed to allow remote-control operations when connected to the internet," Vanunu said. "The operator at the plant claimed the plant's operation was not at risk, since it is isolated from the internet, [but] malware can still cause significant damage even without being connected to the internet. ... Fourteen USB devices in the plant were infected. If only one of them had found its way into the restricted sections of the network, the plant's whole operation could have been endangered."
Bruce Snell, cybersecurity and privacy director at the security software company Intel Security, said a security researcher had remotely hacked his own insulin pump. The researcher used a radio and an oscilloscope to decode the signals being sent from the control unit and disabled the insulin pump from up to 100 feet away. Alexander Heid, chief research officer at the cybersecurity company SecurityScorecard, conceded that he found the remote exploitation of medical devices disturbing.
"Security researchers procured some of the more popular medical equipment and proceeded to reverse-engineer the devices until exploitable vulnerabilities were identified," Heid said, citing a study conducted by the Industrial Control Systems Cyber Emergency Response Team. "The U.S. ICS-CERT have identified approximately 26 brands of medical devices that have unpatched vulnerabilities. These types of devices include drug infusion pumps, surgical and anesthesia devices, ventilators, external defibrillators, patient monitors and laboratory and analysis equipment."
Germany is the world's canary in the coal mine when it comes to emerging hacking scenarios. Not only was one of the nation's nuclear power plants the victim of hackers, but the products that its hardworking, taxpaying adults use in the privacy of their own homes are not safe either, as a representative from a German software firm demonstrated in March.
"Several sex-toy manufacturers have launched products that can actually connect to smartphones and computers via Bluetooth, allowing users to control them remotely," said Filip Chytrý, threat intelligence researcher at the Czech security software firm Avast Software. "This technology in itself creates a gateway for hackers to intercept the Bluetooth traffic and interfere with the signal. However, this threat can be mitigated with encryption and other forms of authentication."
Sharing the highway with the average driver is a horrifying enough experience on its own. Having the car you're driving suddenly become possessed by alien forces is another matter entirely. Troy Gill, manager of security research for the Florida-based security firm AppRiver, said that widespread malicious hacking of cars is something that, thankfully, is not yet a mainstream practice. But it's terrifying nonetheless.
"Two white-hat hackers were able to take control of a Jeep Cherokee while a Wired reporter was behind the wheel," he said, referring to a July 2015 article in the publication. "They had control of the radio, AC, wipers and transmission. They were able to disable acceleration while the car was being driven down the highway miles away from their current location."
Thanks to hacking, printers are capable of causing the innocent more pain and suffering than the average paper jam or low-ink reminder ever could. In March, as if possessed by the ghost of Joseph Goebbels, printers on more than a dozen college campuses nationwide began mysteriously discharging neo-Nazi propaganda, thanks to white power "hacktivist" Andrew Auernheimer. So how is something like this possible?
"We've heard of a printer inside an organization being hacked, where the hackers gave the printer the stolen credentials to the company's email service provider account," said Tom Landesman, security researcher at the cybersecurity company Cloudmark. "The hacker then had the printer send spam, looking as if it came from the company, through the company's ESP account. Because the printer was on the network inside the company and not, for example, coming from a random IP in a different country, the activity initially looked normal to the ESP."
If your printer, car, toothbrush and toilet can be hacked, then it's a no-brainer that your router can be, as well. Nick Bilogorskiy, senior director of threat operations at the security company Cyphort, revealed how it's possible.
"The attacker connects to its web interface or another service that is exposed to the internet and uses a router vulnerability to gain full control," Bilogorskiy said. "Or one could hack a computer that the router's admin is using and use that as a channel into the router."
He said that it's often possible to gain the password of a router through a "brute-force attack," which is internet-speak for simply trying different passwords until you guess the right one. He said that this often works because many people leave the default username and password in place — "admin/admin."
Paul Lipman, CEO of the internet security vendor BullGuard, said that hackers can turn the appliance that Grandma uses to make a spot of tea into a high-tech weapon of thievery. He said that Wi-Fi-enabled teapots in the UK have been compromised by hackers and used to obtain victims' usernames and passwords.
"Who knew that there were internet-connected kettles?" Lipman asked. "It illustrates the striking reality that most 'Internet of Things' devices incorporate very limited security protection, if any at all."