
The internet of threats – Why security has to be a priority

They say everything comes with a price. When it comes to the internet of things (IoT), the cost of convenience promised by these smart devices could be more than many users bargained for. The home network, router, online accounts and passwords… all are potentially vulnerable due to the lax security measures employed by many devices. Added to that, many of these devices are now being compromised and used to carry out large-scale web attacks. And yet if IoT manufacturers adopted better security practices, there’s no reason why the ‘internet of threats’ couldn’t be substantially reduced.

There are a number of ways these devices can be compromised. A common issue is poor configuration. Many vendors’ security designs rely on the assumption that the user will change the default security settings on their device, but often the user won’t bother at all. It’s here that the attacker has the advantage and can use the device to hop onto the home network. Products such as the wi-fi kettle and coffee machine can ‘leak’ the wi-fi pre-shared key (PSK), potentially allowing the attacker to take over the local network and access user data such as email addresses and account log-ins.

Then there’s the mobile app used to control the device. Mobile app problems include no SSL encryption, passwords hardcoded within the app, or insecure storage in the app, any of which can enable the IoT device to be compromised. If that mobile app talks to the manufacturer’s web service and the connection is not properly secured, an attacker can intercept user data. For example, it’s common for manufacturers to deploy encryption to make it harder to access their database, but if the encryption key is included in plain text within the app, this security mechanism can be bypassed and the traffic decrypted.

IoT devices can also be targeted through their web services using cross-site request forgery (CSRF): an attacker’s web page makes the user’s browser send a request to the device, and the request succeeds because the browser and the device are sitting on the same local network. This might be changing a setting on the device if it’s sitting on the LAN, or running code on that device if there’s a code-injection vulnerability. A number of webcams, CCTV and DVR devices have been shown to be vulnerable to this attack, in some cases allowing cyber-criminals to harvest real-time images from inside the home.
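The two checks that stop this class of attack on a device’s LAN web interface, as an added example (this is not code from the article or from Pen Test Partners; the hostname `camera.local`, the `/settings` endpoint and the in-memory session store are assumptions made for the example). The hardened handler rejects a state change unless the browser’s Origin or Referer header names the device itself and the form carries a token bound to the caller’s session; the unsafe handler beside it shows the pattern the article describes, where anything that reaches the LAN interface is honoured.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"log"
	"net/http"
	"net/url"
	"strings"
)

// deviceHost is the hostname a hypothetical camera answers on inside the LAN
// (an assumption for this example).
const deviceHost = "camera.local"

// device holds the state a LAN web interface needs: one anti-CSRF token per
// session and the settings an attacker would like to change.
type device struct {
	tokens   map[string]string // session ID -> token (constructed in-memory store)
	settings map[string]string
}

func newDevice() *device {
	return &device{tokens: map[string]string{}, settings: map[string]string{}}
}

// issueToken creates a fresh random token for a session. The device embeds it
// in its own pages; a page served from elsewhere never sees it.
func (d *device) issueToken(session string) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		log.Fatal(err)
	}
	tok := hex.EncodeToString(b)
	d.tokens[session] = tok
	return tok
}

// originAllowed accepts a state-changing request only when the browser's
// Origin header (or Referer, if Origin is absent) names the device itself.
// Browsers set these headers and page scripts cannot forge them, so a form
// posted from an internet site the user happens to be viewing fails here.
func originAllowed(r *http.Request) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	if src == "" {
		return false
	}
	u, err := url.Parse(src)
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Host, deviceHost)
}

// tokenValid compares the token submitted with the form against the one bound
// to the caller's session cookie. The cookie is sent automatically on a forged
// request; the token is not, which is what defeats the forgery.
func (d *device) tokenValid(r *http.Request) bool {
	c, err := r.Cookie("session")
	if err != nil {
		return false
	}
	want, ok := d.tokens[c.Value]
	if !ok {
		return false
	}
	got := r.PostFormValue("csrf_token")
	return subtle.ConstantTimeCompare([]byte(want), []byte(got)) == 1
}

// settingsHandler is the hardened endpoint: state changes require POST, a
// same-origin header and a valid token before anything is written.
func (d *device) settingsHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	if !originAllowed(r) || !d.tokenValid(r) {
		http.Error(w, "cross-site request rejected", http.StatusForbidden)
		return
	}
	d.settings[r.PostFormValue("key")] = r.PostFormValue("value")
	w.WriteHeader(http.StatusOK)
}

// unsafeSettingsHandler is the pattern the article describes: whatever reaches
// the LAN interface is honoured, so a web page the user visits can drive it.
func (d *device) unsafeSettingsHandler(w http.ResponseWriter, r *http.Request) {
	d.settings[r.FormValue("key")] = r.FormValue("value")
	w.WriteHeader(http.StatusOK)
}

func main() {
	d := newDevice()
	http.HandleFunc("/settings", d.settingsHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The origin check alone is enough against a page hosted on the internet; the token is what also covers the case where the Origin header is missing or where another device on the same LAN is already compromised and hosting the forging page.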

When it comes to the hardware and firmware itself, there are often functions left in place that users will never use, such as Telnet or hidden functionality in a web interface, and malware such as Mirai has been written to exploit these. Such ports offer a convenient stepping stone onto the device as they are often available to anyone on the LAN (which is also why flaws in web interfaces can be exploited with CSRF: the browser is simultaneously on the internet and the LAN). Firmware is often neither encrypted nor signed, so the attacker can simply download it, unpack it, modify it and repack it, then compel the device to download their evil firmware.
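The check that closes the unpack-and-repack route, as an added example (this is not code from the article, from Pen Test Partners or from any vendor; the image layout, the `FWv1` marker and the version field are constructed for the example). The vendor signs the header and payload with an Ed25519 private key that stays on its build system; the device carries only the public key, so a repacked image fails verification before it is written to flash. The signed version field also lets the device refuse a genuine but older build.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not any vendor's):
//   magic "FWv1" (4) | version u32 BE (4) | payload length u32 BE (4) | payload | Ed25519 signature (64)
// The signature covers everything before it, so the version field is protected too.
var magic = []byte("FWv1")

const hdrLen = 12
const sigLen = ed25519.SignatureSize

// buildImage is the vendor-side packer. The private key never leaves the
// vendor's build system; only the public half is baked into the device.
func buildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	signed := make([]byte, hdrLen, hdrLen+len(payload)+sigLen)
	copy(signed, magic)
	binary.BigEndian.PutUint32(signed[4:], version)
	binary.BigEndian.PutUint32(signed[8:], uint32(len(payload)))
	signed = append(signed, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// verifyImage is the device-side check run before anything is written to
// flash. pub is the vendor key the device trusts; current is the installed
// version. It returns the payload only if the signature is valid and the
// version does not go backwards.
func verifyImage(pub ed25519.PublicKey, current uint32, image []byte) (uint32, []byte, error) {
	if len(image) < hdrLen+sigLen || !bytes.Equal(image[:4], magic) {
		return 0, nil, errors.New("not a firmware image")
	}
	version := binary.BigEndian.Uint32(image[4:8])
	n := int(binary.BigEndian.Uint32(image[8:12]))
	if n != len(image)-hdrLen-sigLen {
		return 0, nil, errors.New("length field does not match image size")
	}
	signed, sig := image[:hdrLen+n], image[hdrLen+n:]
	// An image that was unpacked, modified and repacked without the vendor's
	// private key fails here, whatever else looks right about it.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, errors.New("signature does not verify against the vendor key")
	}
	// Anti-rollback: a genuinely signed but older build may carry a known flaw.
	if version < current {
		return 0, nil, fmt.Errorf("rollback refused: image version %d is older than installed %d", version, current)
	}
	return version, signed[hdrLen:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor's signing key
	if err != nil {
		panic(err)
	}
	img := buildImage(priv, 2, []byte("constructed firmware payload"))
	v, _, err := verifyImage(pub, 1, img)
	fmt.Println("genuine image:", v, err)
	img[hdrLen] ^= 0xff // one byte of the payload altered after signing
	_, _, err = verifyImage(pub, 1, img)
	fmt.Println("tampered image:", err)
}
```

Signing only protects the update path if the public key and the bootloader that checks it are themselves outside the attacker’s reach, which is why the key belongs in immutable or write-protected storage rather than in the updatable filesystem image.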

Within the confines of the home, IoT devices communicate over radio-frequency protocols such as wi-fi, Bluetooth, Zigbee and Z-Wave, all of which, while secure, can be abused if poorly implemented. If the device uses Bluetooth and has a default PIN (or no PIN at all), it’s possible to gain access and control of the device. For example, both the My Friend Freddy Bear and My Friend Cayla interactive toys have no pairing PIN, making them susceptible to attack.

At this point, we’ve largely confined ourselves to consumer goods but other smart systems are also vulnerable. For example, smart thermostats that allow heating and cooling appliances to be activated remotely by the user can also be taken over. A recent proof-of-concept showed how a smart thermostat could be loaded with ransomware, effectively forcing the user to pay up a bitcoin ransom or see their heating bill soar. Another smart thermostat has an insecure update mechanism that allows an attack to be carried out remotely, with over 300,000 of that particular brand deployed.

Large IoT deployments are attracting the interest of cyber-criminals intent on harnessing that collective power. Several large-scale DoS attacks identified in the latter part of 2016 were traced to botnets of IoT devices that had been infected through exposed Telnet ports using the devices’ default credentials. These were used to carry out DDoS attacks on websites and internet companies, from Krebs Security to OVH and Dyn, resulting in some web services such as Amazon and Twitter becoming inaccessible. These attacks were unprecedented, with over one terabit per second (1Tbps) of data being used to bombard the targets at their peak; power that came from an army of IoT devices harvested using the Mirai malware.

It doesn’t take a great stretch of the imagination to conceive how IoT devices could be used to carry out widespread attacks in the future, with the end-game no longer being user credentials but mass extortion using ransomware or perhaps orchestrated blackouts using thermostats to ramp up power consumption. Addressing these security issues is therefore of the utmost urgency and yet the rollout of IoT devices continues unabated.

There is a complacency within the industry, which labours under the misguided assumption that any anomalies can be fixed through over-the-air (OTA) updates. This assumes that the user will comply and download the update or that an automatic update mechanism is in place. It doesn’t allow for ‘fit and forget’ devices such as lightbulbs, thermostats and burglar alarms, which will either be deemed too low cost to warrant support or remain unpatched due to inertia.

Neglect could see IoT manufacturers held to account by consumer groups and even sued. Lobbyists in several countries across Europe are criticising the My Friend Cayla doll, which is alleged to have compromised children’s privacy, for example. The question is whether culpability will stop there. How far down the chain will responsibility go for breaches of user privacy and user data? Could housing providers that roll out smart home-heating systems, for example, also be seen as culpable and be held to account? The only way to safeguard against this is to ensure cyber-liability insurance is in place to cover these contingencies and to demonstrate that due diligence was undertaken before the deployment of these technologies. Otherwise, that rollout of smart IoT systems could cost you in the long run.

Ken Munro is a partner in Pen Test Partners.

See More On:

  • Vendor: Pen Test Partners
  • Topic: Infrastructure
  • Publication Date: 055 - January 2017
  • Type: Contributed Articles
