Monday, November 14, 2016

Who cares if someone hacks my driveway camera?

I keep hearing something from people about IoT that reminds me of the old saying, if you’ve done nothing wrong, you have nothing to fear. This attitude is incredibly dangerous in the context of IoT devices (it’s dangerous in all circumstances honestly). The way I keep hearing this in the context of IoT is something like this: “I don’t care if someone hacks my video camera, it’s just showing pictures of my driveway”. The problem here isn’t what video the camera is capturing, it’s the fact that if your camera gets hacked, the attacker can do nearly anything with the device on the Internet. Remember, at this point these things are fairly powerful general purpose computers that happen to have a camera.

Let’s stick with the idea about an IoT camera being hacked as it’s easy to believe the result of a hack will be harmless. Let’s think about a few possible problem scenarios. There are literally an infinite number of these possibilities, which is part of the problem in understanding the problem.

  1. The attacker can see the camera video
  2. The attacker can use the camera in a botnet
  3. The attacker can host illegal content
  4. Send spam
  5. Mine bitcoins
  6. Crack passwords
  7. Act as a jump host

You get the idea. The possibilities are nearly endless, and as Crime Inc. continues to innovate, they will find new uses for these resources. Unprotected IoT devices are going to be currency in this new digital resource gold rush. The challenge the defenders face is we can’t defend against a threat that hasn’t been invented yet. It’s a tricky business really.

What happens if it’s doing something illegal?

Just because you don’t care about your camera being spied on doesn’t really matter. The privacy angle isn’t what’s important anymore in the context of IoT. People who had cameras that were part of the botnet probably didn’t care about the privacy. I bet a lot of them don’t even know their cameras were used as part of a massive illegal activity. I don’t expect everyone to suddenly start to watch their IoT traffic for strange happenings. The whole point to this discussion is to stress that there are always many possible layers of problems when you have a device that’s not protected. It’s not just about what the device is supposed to do. At this point nearly everything that can attach to the Internet is more powerful than the biggest computers 20 years ago. By definition these things can do literally anything.

Things are going to happen we can’t yet imagine, those are the use cases we have to worry about. We need to be mindful about what we’re doing because our actions (or inactions) can have unforeseen consequences. When we talk about hacking an IoT device, most people are only worried about whatever job the device has, not the ability of the device to create other harm, such as a huge DDoS botnet. Claiming you have nothing to hide isn't an excuse for ignoring your IoT security.

Comment on Twitter