Always On: More Than Just A Game Thing

Elizabeth Technology November 15, 2022

Some designers have gotten into a bad habit of assuming a device will always have power and/or internet. No design is so flawless that it never fails, because even a functionally ‘perfect’ creation is going to have encounters with other objects that aren’t perfect. Self-driving cars have to account for children and animals running into the street without looking, for instance – just because the car technically has right-of-way doesn’t mean it can keep going forward at speed in that scenario.

But that’s not as cool as pretending the device is never going to have problems, and so we’re watching some companies design as though their product is the first to never have defects.

Backup Eyes Are For Wimps

Tesla’s famous choice to go for visuals-only assisted driving in place of a combination system like many auto-braking cars use has led to some hilarious results as the AI tries to figure out what it’s seeing ahead of it (for example – if the moon’s low in the sky, it can look like an upcoming yellow light, as some Californians discovered) but it also leads to a bigger problem in that the eyes it has have to work. That system has to work. If the cameras can’t see, or if the system glitches, or if an update takes out the car’s vision accidentally, then what? You just don’t get to use the feature you paid money for. If it’s discovered that a visual-only system actually can’t compensate for stuff like the moon in the sky and LIDAR actually is necessary, well. What do you even do? Recall the cars? Demand more software?

The vision that comes naturally to people, who are usually born with at least some sight, is not so natural to machines, which mostly ‘think’ in terms of text, not vision or sound. And, where humans can immediately parse ‘surprising’ visuals where they don’t belong, even interpreting those visuals at all has to be taught to a machine. Why does a car need to know what a clown is? Because it might be a pedestrian, or painted on the side of an ice cream van. Not knowing what a clown is (and not knowing what an illustration is) can break the AI’s vision and confuse it. LIDAR doesn’t need to know what a clown is, it just needs to know whether or not there’s a three-dimensional object in front of the car.

For that matter, most of the new tech in cars doesn’t have a plan for the failure of the TV in the dash, which is starting to contain more and more of the functions that physical knobs and buttons used to handle. Radios can die, yeah, but they don’t usually take out your ability to see behind your car when they do, which a dead center console screen threatens to. The rear-view backup cameras got popular because the average car’s rear windshield is getting smaller for aerodynamics’ sake. Without the camera, backing up is dangerous again.

No Backup?

If you’re invested in vlogging, sharing photos, et cetera, and you really care about the stuff you’ve made, back the videos and photos up somewhere. A YouTube vlogger by the name of Meghan Rienks discovered that not only does YouTube not back up videos for more than 30 days, it also has a total maze of a support chain – meaning that by the time she got someone to actually listen to her issue and address it (at first, they didn’t understand that the videos on the channel weren’t hers and that her original videos had been deleted and replaced, and then they didn’t have an answer for what to do about it, and then she got conflicting answers about how she could get them back, etc.), all of the videos she’d uploaded were irrevocably gone. She was understandably upset – while it was internet content, it was also a sort of diary for her, and YouTube had been a place to share and store those videos for free. Internet archives are great, but YouTube consumes a famously huge amount of storage space, so there’s not really an archive up to the task of memorializing all of YouTube. The same goes for Vine: videos that didn’t get meme-d and recorded elsewhere were effectively lost to the void, and if the original creators didn’t download their own videos, they’re gone forever.

Just because a service has your stuff available now doesn’t mean it always will, so if you’ve made something for Instagram, Twitter, Tumblr, Napster, Soundcloud, etc. and you’re proud of it, invest in a backup somewhere! You never know when the terms of service will update and remove stuff for you (cough cough, Tumblr) or when a service will just blink out of existence. Some stuff stays on the internet forever – other things do not.

Don’t Buy Devices That Need An App

Don’t buy devices that only work when used with an app. As an example, say a toy car asks that you download an app to your phone in order to use it. It might not even come with a controller separate from the app, forcing you to download the program if you want to play with the toy.

You can probably see a couple of issues already: if the toy doesn’t sell well, they’ll stop making it. If they stop making the toy, they may either stop supporting the app after a couple years or update it for new app-controlled toys, leaving the one you have in the dust. Or, if Apple determines that the app doesn’t serve its function well enough, they may remove it from the store. Or, by the natural progression of technology, the app may be functional even after the company stops supporting it until an iOS update breaks it. But if the company isn’t interested in fixing it, you end up having to either delay updating your phone or not play with the car. A plastic controller can break or corrode, but if it doesn’t connect to the WiFi, access to something you already paid for can’t be revoked because of updates. The app is likely collecting data on you as well, not only in how you’re using the toy but in other apps on your device. It’s very easy to give too much access to an app without meaning to – TikTok, for example, probably has access to your contacts unless you told it specifically that it wasn’t allowed to look at those when you downloaded it.

That’s not a huge deal when it’s a toy car. You’ll probably be sick of playing with it before any of the issues with the app become apparent, although that means if you find it on the top shelf of your closet, you can’t just dust it off, replace the batteries, and go. Now, extrapolate that to devices that want you to use apps to control them. Thermostats, washing machines, security systems, and more. It’s a nightmare.

The company can effectively break your machines whenever it wants. It extends beyond simple household machines, too: a startup that had given some partially blind folks their vision back went defunct, and then those people lost their sight again because the software used in the process wasn’t made to be set-it-and-forget-it; it was made with updates in mind in case the tech got better. Well, it did, but nobody is there to put it in.

Back to household items, it’s much easier to avoid problems before they start than to plan on replacing app-based machines if they start sucking. Some of these things are expensive to install, and many have only a fraction of their original functionality if you don’t download the app that goes with them. The company making the washing machine or coffeemaker is unlikely to ditch their app after a year or two like the toymaker might be, but recurring subscription fees are always just a bad CEO away. Look at what happened to Adobe and Photoshop – things that were one-time purchases became recurring subscriptions. Adobe is hinting that Pantone Colors might start costing money. Some of the app-based smart devices already are recurring subscriptions. They stop working when you stop paying, so you’re left with items you spent money on but can’t use to their fullest because you didn’t want to pay extra for what used to be included (which is totally reasonable).

Don’t buy items that use apps instead of providing functionality inside the device itself. Apps can provide extras, like storing your dryer preferences on a WiFi-based dryer (although there’s still a pretty good shot they’re using that app to harvest data on your dryer use) but if the device literally doesn’t work without the app, buyer beware – they’ve got a heck of a grip on whatever you bought.

Internet Of Things: Network Vulnerability

Internet of Things items are convenient, otherwise they wouldn’t be selling. At least not next to regular, non-WiFi-enabled items. They don’t even have to be connected to the internet to do their jobs, and they should stay disconnected!

An Internet of Things item, or an IoT item, is a device that has a WiFi- or network-enabled computer in it to make the consumer’s use of it easier. This includes things like WiFi-enabled/networked washing and drying machines, ovens, fridges, mini-fridges, coffee makers, lamps, embedded lights, etc. Anything can be an IoT item if it’s got WiFi capability.

Network Entry Point

Internet of Things items, when connected to WiFi, represent a weak link in the chain. They’re poorly protected, they’re designed to favor user friendliness over all else, and they’re usually always on. You likely don’t unplug your fridge or washing machine when you go to bed – that computer may sleep, but it’s not off. You probably don’t disconnect the internet when you go to bed, either. Some devices take advantage of this, and only schedule updates for late at night so you don’t notice any service interruptions. Unfortunately, their strengths are their weaknesses, and an always-open port is a dream for hackers.

Outdated Password Policies

Internet of Things items are rarely password protected, and if they are, many users don’t bother actually changing the password from the factory default. This makes them excellent places to start probing for weaknesses in the network!

Assuming someone’s hacking into a place to ding it with ransomware, there are a number of worthy targets: corporate offices, nuclear facilities, hospitals, etc. are all staffed by people, and people like their coffee. A well-meaning coworker bringing in an internet-enabled coffee machine for his coworkers is suddenly the source of a critical network vulnerability, an open port in an otherwise well-defended network!

If the coffee machine, or vending machine, or the lights are IoT items, they need to be air-gapped and separated from the main network. They don’t need to be on the same network supplying critical data within the center. The devices are simply unable to protect themselves in the same way a PC or phone is! There’s no way to download a suitable antivirus onto a coffeemaker. If something gets past a firewall, and that password’s still default or nonexistent, there’s no second layer of protection for IoT devices.
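
An added example (not from the original post): a small Python check over a device inventory that flags IoT items sitting on the same network segment as important machines, or still on a factory-default password. The subnets, device names and fields are all made up for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    ip: str
    kind: str                       # "iot", "workstation" or "server"
    default_password: bool = False  # factory default, or no password at all

# Constructed segment plan and inventory (assumed values, not from the post).
SEGMENTS = {
    "corp": ipaddress.ip_network("10.10.0.0/24"),
    "iot": ipaddress.ip_network("10.99.0.0/24"),
}
INVENTORY = [
    Device("file-server", "10.10.0.5", "server"),
    Device("front-desk-pc", "10.10.0.21", "workstation"),
    Device("break-room-coffee-maker", "10.10.0.77", "iot", default_password=True),
    Device("lobby-lights", "10.99.0.12", "iot", default_password=True),
    Device("vending-machine", "10.99.0.13", "iot"),
]

def segment_of(ip):
    """Return the name of the segment an address belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit(inventory):
    """Flag IoT devices outside the IoT segment or on default passwords."""
    findings = []
    for dev in inventory:
        if dev.kind != "iot":
            continue
        seg = segment_of(dev.ip)
        if seg != "iot":
            # List the non-IoT machines this device can reach directly.
            neighbours = sorted(d.name for d in inventory
                                if d.kind != "iot" and segment_of(d.ip) == seg)
            findings.append((dev.name, "not-isolated", neighbours))
        if dev.default_password:
            findings.append((dev.name, "default-password", []))
    return findings

if __name__ == "__main__":
    for name, issue, detail in audit(INVENTORY):
        print(f"{name}: {issue} {detail}")
```

The coffee maker is the worst case here: it shares a segment with the file server and still has its default password, so nothing stands between it and the rest of the office.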

Malware

For example, hacking into a fridge is not nearly as hard as hacking into an old PC. Even great antivirus can struggle with traffic coming from inside the network. Even worse, IoT devices are often missed in security checkups anyway. When McAfee or Norton or Kaspersky recommends you scan your computer, are they offering to scan your lightbulbs as well?

Once they’re in, the entire network is vulnerable. Ransomware events with no obvious cause, malware that’s suddenly deleted all the files on a server, stolen data and stolen WiFi – all of it’s possible with IoT devices. There’s more to gain than just bots for the botnet, which is why hackers keep going after these IoT items.

IoT devices are also much easier to overwhelm to gain access, even with firewalls and effective load balancing. DoSing an IoT item can be as simple as scanning it. No, really. A team in the UK found that they could shut down turbines in a wind farm by scanning them. The computers inside weren’t equipped to handle both a network scan and their other computing duties at the same time. Many user devices are in the same spot or worse!

Security

Besides turbines, items like cameras and door locks probably shouldn’t be connected to the internet just yet. A terrifying string of hacks let strangers view doorbell and baby monitoring cameras, for example. The cameras themselves were difficult to defend even though the network was protected by a router. This is terrible for obvious reasons and class action suits were filed soon after. It even happened accidentally; Nest users would occasionally end up viewing other people’s cameras unintentionally, a bug in the system that was only fixed after complaints were made.

A consistent pattern is forming, here: security patches are only issued after vulnerabilities are discovered by the consumer! Any other type of programming wouldn’t get away with this without some public outcry. You shouldn’t have to become a victim of a security flaw to get it fixed.

And then there’s things that physically interact with the security features of a house, like electronic locks. There’s nothing wrong in theory with a password lock. However, electronics are not inherently more secure than physical locks, and adding in WiFi only gives lockpickers another ‘in’. Hacking the lock could lead to being locked out of your own home, or worse. Besides, a regular lock will never unlock itself because its battery died, or because you sat down on the fob while getting on your bike or into your car. If you do want a password lock, it’s better to get one that’s not network enabled.

We aren’t quite at the point where hacked self-driving cars are a legitimate issue, although the danger is growing on the horizon. Cars are also poorly protected, computer-wise.

BotNets

The fridge doesn’t need a quadcore processor and 8 GB of RAM to tell you that it’s at the wrong temperature, or that the door’s been left open and you should check the milk. The voice-controlled lightbulbs only need enough power to cycle through colors. IoT items are weak. But not too weak to be used for things like botnets, even if your main PC wards off botnet software.

Botnets are networks of illegitimately linked computers used to do things like DDoSing, brute-forcing passwords, and all other kinds of shenanigans that a single computer can’t do alone. By combining the computing ability of literally thousands of devices, a hacker can turn a fridge into part of a supercomputer. No one ant can sustain an attack on another colony, but an entire swarm of ants can!

This is another reason tech experts are worried about IoT items becoming widely used. Their basic vulnerabilities give skilled hackers the ability to ding well-protected sites and fish for passwords even if the network they’re targeting doesn’t have any IoT items on it. It’s a network of weaponizable computers just waiting to be exploited. Remember, password protect your devices, and leave them disconnected if you can!

Source:

https://eandt.theiet.org/content/articles/2019/06/how-to-hack-an-iot-device/

https://danielelizalde.com/iot-security-hacks-worst-case-scenario/

https://cisomag.eccouncil.org/10-iot-security-incidents-that-make-you-feel-less-secure/

https://www.courtlistener.com/docket/16630199/1/orange-v-ring-llc/