Blog post

On Internet of Things Security and You!

By Anton Chuvakin | January 14, 2014 | 7 Comments


A discussion of Internet of Things (IoT) security often sounds abstract and futuristic (exception). Such discussions can make it sound as if the risks of IoT were all theoretical. Let’s bring this to life … NOW!

Except for computers, phones and a tablet, here is what is asking for IP addresses in my home today:

| Device | Internet use | Risks |
|---|---|---|
| TV | Netflix, YouTube | Spying on content watched /LOW/ |
| Blu-ray player | Netflix, YouTube | Spying on content watched /LOW/ |
| Security camera set | Motion alerts via email (remote viewing only inside firewall) | Disabled by burglars, spying on deliveries, home presence, etc. /LOW-MED/ |
| Thermostat | Programming, status reporting, remote on/off | Equipment malfunction, spying on home presence /MEDIUM/ |
| Garage door | Status reporting, remote open/close | Burglars opening the door, spying on home presence, equipment malfunction /LOW/ |
| Printer | Not used presently, LAN only | Spying on content printed /LOW/ |

From the table above, you can see that I consider most risks of what I currently have from the IoT domain to be LOW, except for the thermostat. This exciting Twitter thread explains why (Nest + “Stuxnet” = Hilarity Ensues!)

What I may consider in the future:

  • Kitchen equipment (not physically able to cause a fire)
  • Car unlock (insurance takes care of most of these risks)
  • Other home automation (lighting, sensors, more cameras, etc)

Will never, ever, ever consider (at least not until IT/OT security state of practices changes dramatically in a now-unthinkable way):

  • Main house door lock/unlock
  • Anything that can cause a fire (at least, not without hardware – rather than firmware – safeguards)
  • Anything that can cause a flood (at least, not without hardware – rather than firmware – safeguards)

What do we learn from this?

  1. Operational Technology (OT) security and IoT security would be a fun topic in the coming years if not decades. You think IT security is fun now? Just you wait…
  2. Except for maybe the “iDevice maker”, vendors who focus on and excel in hardware royally suck at software (if they can barely write a UI, do you think they can write secure TCP/IP drivers?).
  3. Stakes are mostly low today (!), and the risk in IoT is low because the value is low and the threat is low (while vulnerabilities are high!). Said value will skyrocket and so will the threat. Will vulnerabilities subside? Have they elsewhere?

Add 1–3 up… see that explosion in the picture? BOOM!!!



  • Jeff Hall says:

    You missed VoIP and Vonage, Skype, etc. Also, Whirlpool introduced an Internet-connected oven a number of years ago. Combination oven/refrigerator so that you could put meals in the oven, keep them fresh and then cook them so dinner was ready when you got home. You could adjust the oven via the Internet if you got waylaid on your way home. However, you could also clean your oven via the Internet and, while I do not know if any fires resulted, I do know that the cleaning-while-gone feature got removed.

  • Mark O'Neill says:

    It’s also noteworthy that some smart lightbulbs are connected to WiFi even when turned off (hat-tip to Tom Raftery here). Users wouldn’t consider a *lightbulb* to be an “always-connected Internet device” or consider it a security risk. As you mention, this makes security for the Internet of Things very real, and not theoretical anymore.

    One of the big issues is patching. It’s unreasonable to expect users to patch devices such as lightbulbs. In any case, the devices may not have the processing power for security requirements. The good news though is that, since these devices use APIs to transmit data, “virtual patches” can be applied at the API layer. This makes IoT security into an API Security problem (Full disclosure – I am from an API Security vendor – Axway/Vordel). I’ve posted my thoughts on the intersection of API Security with IoT Security on my blog here:
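The comment above argues that a device you cannot patch can still be protected by a "virtual patch" enforced at the API layer, i.e. by a gateway that only forwards requests matching the device's intended contract. The following is an added illustration of that idea in Python; it is not code from the post, from the commenter, or from any Axway/Vordel product. The device API (GET /status, POST /setpoint with a JSON body `{"celsius": <number>}`), the body-size limit and the 5–30 °C range are all hypothetical assumptions made for the example.

```python
"""Added example: an API-layer "virtual patch" in front of an unpatchable
IoT device (hypothetical thermostat). The gateway default-denies anything
that is not in the device's documented contract, so malformed or oversized
input never reaches the device's own (unpatchable) parser.

Everything here is constructed for illustration: the paths, the JSON
field name, the size limit and the temperature range are assumptions.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_BODY_BYTES = 256               # assumed limit; drop anything larger before parsing
SETPOINT_RANGE = (5.0, 30.0)       # assumed safe range in degrees Celsius


@dataclass
class Request:
    """Minimal model of an inbound request to the device API."""
    method: str
    path: str
    body: bytes = b""


def _validate_setpoint(body: bytes) -> Optional[str]:
    """Return a problem description, or None if the body matches the contract."""
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return "body is not valid JSON"
    # Exactly one field, so unexpected keys can't reach the device's parser.
    if not isinstance(data, dict) or set(data) != {"celsius"}:
        return 'body must be exactly {"celsius": <number>}'
    value = data["celsius"]
    # bool is a subclass of int in Python; reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return "celsius must be a number"
    lo, hi = SETPOINT_RANGE
    if not lo <= value <= hi:
        return f"celsius must be within {lo}..{hi}"
    return None


def _validate_empty(body: bytes) -> Optional[str]:
    return None if body == b"" else "GET must have no body"


# The contract: (method, path) -> validator. Anything else is dropped.
ALLOWED: Dict[Tuple[str, str], Callable[[bytes], Optional[str]]] = {
    ("GET", "/status"): _validate_empty,
    ("POST", "/setpoint"): _validate_setpoint,
}


def virtual_patch(req: Request) -> Tuple[bool, str]:
    """Decide whether to forward a request to the device. Returns (forward, reason)."""
    if len(req.body) > MAX_BODY_BYTES:
        return False, "body too large"
    validator = ALLOWED.get((req.method.upper(), req.path))
    if validator is None:
        return False, f"{req.method} {req.path} not in device contract"
    problem = validator(req.body)
    if problem:
        return False, problem
    return True, "ok"


# Constructed sample traffic: two legitimate requests, then inputs an
# unpatched firmware parser should never get to see.
SAMPLE: List[Request] = [
    Request("GET", "/status"),
    Request("POST", "/setpoint", b'{"celsius": 21}'),
    Request("POST", "/setpoint", b'{"celsius": 300}'),     # out of range
    Request("POST", "/setpoint", b'{"celsius": "21"}'),    # wrong type
    Request("POST", "/setpoint", b"A" * 4096),              # oversized body
    Request("GET", "/debug"),                               # undocumented path
    Request("DELETE", "/setpoint"),                         # undocumented method
]


def run_samples() -> List[bool]:
    """Forward decisions for SAMPLE, in order."""
    return [virtual_patch(r)[0] for r in SAMPLE]


if __name__ == "__main__":
    for r in SAMPLE:
        ok, why = virtual_patch(r)
        print(f"{'FORWARD' if ok else 'BLOCK  '} {r.method} {r.path}: {why}")
```

The point of the design is the default-deny lookup: a gateway that only knows what the device is supposed to accept needs no knowledge of which bug the device's firmware happens to have, which is exactly why it can stand in for a patch the vendor never ships. The size check runs before any parsing so the gateway itself is not exposed to the oversized input it is filtering.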

  • Protection of the IoT will certainly be a huge market. The main area of complexity will be adding context to the authN and authZ interactions between objects. Differential access between say the thermostat manufacturer, the owner and the maintenance supplier needs to be based not only on who, but on how and why.

  • @Jeff I didn’t miss it; I just don’t own one of those and sort of don’t plan to.

    >could also clean you oven via the Internet

    This does sound freaky as oven cleaning is long, high-temperature and produces lots of smoke (->fire alarm triggering = silence it over the internet? :-))


    Re:patching. This issue is truly scary indeed! Many of these are designed to be unpatchable YET running stock OS

    Re:bulbs? Why are those a security risk?

  • Mark O'Neill says:

    >Re:bulbs? Why are those a security risk?

    I could see scenarios where, by tracking lightbulb usage, you can monitor someone’s comings and goings (e.g. lights switched on at 2am indicate they came back late from a night out). Or for a burglar to find out whether a home is currently occupied or not. Admittedly, some smart meters provide this level of granularity on electricity usage anyway. But I think it all goes to show that the “always connected” nature of household devices opens up a whole new dimension for security (and privacy).

  • @Mark That makes sense – spying on presence using wifi bulbs is probably doable. Sadly, nearly every connected device can allow this, from a thermostat to my by-far-least-favorite one, the wifi door lock 🙁