What makes this trend so mind-boggling is that consumers know about the large number of security breaches happening on a daily basis. Getting a notice in the mail that your personal data might have been stolen is happening so often that it is white noise now. Even the thought of having to get a new credit or debit card is routine now. We have come to accept digital theft and we should not. It seems that most pople think that this only happens to big companies, why would someone want to hack a single device. Well simply put it is not just one device, it is all of them. The bad guys out there know about the almost complete lack of security in IoT devices and are exploiting it every day.
One of the most recent and rather frightening ones was a hack on the car control system in a Jeep. Charlie Miller and Chris Valasek showed off how they could take complete control of a car using nothing more than an off the shelf laptop and a mobile phone. They were even able to shut off the engine are well as the brakes to cause the vehicle to end up in a ditch.
According to Miller and Valasek’s research as many as 470,000 cars are vulnerable to this attack. Fiat Chrysler has already released a patch, but owners of the affected vehicles have to go in to get it or attempt to do it themselves. As we have seen in the past this could mean that the majority of vulnerable vehicles will stay on the road. The patch also does not mean that hackers cannot get in through another vector.
According to multiple researchers we have spoken with this type of flaw is common and not the exception. The services used by IoT devices are often not secured at all (many use Amazon web services with generic accounts). The component are also easier to purchase making testing by hackers all too easy. If they can identify a flaw at the hardware level they can often dive even deeper into systems using that hardware. Shows like Black Hat and Def Con are full of demonstrations showing how easy these devices are to break into and exploit.
In simple terms the bad guys are winning simply because the people responsible for building these devices are putting little to no effort in making them secure. They seem to think that there is some sort of blinder on malicious individuals that will prevent them from thinking about hacking them. Or they could just not care and are only concerned with building that revenue stream. Either way it is a bad way to think. As the number of attacks per day soar I am left wondering if we have already gone past the point of no return and have entered a place where the bad guys own the playing field. I sincerely hope this is not the case, but with more and more unsecure connected devices hitting the market it just might be.