"I've Bought Some More Awful IoT Stuff": Developer Exposes the Crap Part of IoT
"They can access things like your email, Facebook, and so on."
It starts out so innocently. You’re walking through the store and you see a light bulb that connects to your phone via wifi and can change colors and hues through an app. “Now that’s futuristic,” you think. You buy it and install it, and it’s all fun and games — until your phone gets hacked and your identity is stolen because of a light bulb.
That’s the argument being made by Matthew Garrett, a security developer, who’s been wading through the shallow end of the IoT — short for the “internet of things,” a growing category of wifi-enabled products in your home, car, everywhere, really.
“On the worst-end of the scale there are some that have allowed people on the internet to connect to your device and then cause it to run whatever they want, giving them access to your internal network,” Garrett, who’s been blogging about cracks in the IoT, tells Inverse. “They can access things like your email, Facebook, and so on.”
Garrett estimates there are thousands of these devices on the market today and says that, of the eight IoT light bulbs and wall sockets he’s tested in the past year, more than 75 percent have had serious security flaws.
He says hackers probably wouldn’t be able to directly access the information on your phone, but they could see what websites you’re visiting on your phone, and where your phone is connected to the internet, whether it’s at home or away at the local coffee shop. They could also trick applications and gain access to personal data that’s not directly stored on the device, such as information stored in the cloud.
That means there’s a possibility credit card information could be compromised just because you wanted to remotely control your toaster through an IoT-connected wall socket.
The worst part is, there’s not really much consumers can do. Regulators aren’t specifically looking at the security features, and Garrett says large manufacturers such as Philips and Belkin may be incentivized to patch vulnerabilities to save face, but smaller makers are less likely to do anything about it.
Security concerns have been floated for years now, but it seems few are doing much about them. Garrett says he’s working with a manufacturer he can’t name that saw his work and wants to solve some of the vulnerabilities he exposed. Until there’s more regulation, he recommends buying from the larger vendors, even if it’s more expensive.