The S in IoT stands for security. You'll never secure all the Things

All too many 'smart' devices are security stupid


Opinion I was one of the first people to use an Internet of Things (IoT) device. It was Carnegie-Mellon's Computer Science Department's Coke machine*. True, I didn't need to check on it, since my school, West Virginia University, was 77 miles from CMU, but what I thought was really cool back in the day was that I could see what was what with the Coke machine over the Internet*. That was then. This is now. Today, I'm less than thrilled by the IoT.

You see, while it wasn't true that smart toothbrushes were behind a reported Distributed Denial of Service (DDoS) attack, they could have been. More to the point, some DDoS attacks already start from the gadgets on your wrist, in your pocket, and scattered around your home.

For example, last year, Nokia noted in its 2023 Nokia Threat Intelligence Report that IoT botnet DDoS attacks increased fivefold from 2022 to 2023. Indeed, more than 40 percent of all DDoS traffic today comes from IoT botnets.

We should have seen this coming. The first significant IoT botnet DDoS attacks, which used the LizardStresser DDoS tool, wrecked the 2015 holiday season for many Xbox Live users when it knocked the service offline for days during the peak Christmas season. In 2016, LizardStresser hackers followed up with a 400Gbps attack backed by more than 1,200 video cameras.

It's only got worse since then. A lot worse. You might not think that small gadgets like smart lightbulbs, thermostats, and, yes, toothbrushes, could do that much damage, and you'd be right. Individually, they don't count for much. But, when you coordinate some of the more than 5 trillion - that's trillion with a T - IoT devices, it's another story entirely.

So, why is IoT security that bad? Let me count the ways.

First, IoT devices tend not to have operating systems as such, but rather firmware that also acts as an operating system. In short, any security problems in the firmware are easily accessible to a would-be attacker. Additionally, far too often, firmware hasn't been as security-hardened as operating systems.

In fact, way too many "smart" devices are using old, dumb software with known security problems. As the FBI noted in 2022, many medical IoT devices [PDF] run outdated, insecure software.

How many? According to Armis, a security company, 39 percent of nurse call systems have critical, unpatched common vulnerabilities and exposures (CVEs). Oh, and infusion pumps, which provide fluids to patients? 30 percent of them have unpatched CVEs.

Would it surprise you to know that 19 percent of medical IoT units run on no longer supported versions of Windows? I didn't think so. I'd rather not go to the hospital anyway, but knowing that some of the equipment my life may depend on is unsafe? No, just no.

Making IoT attacks even easier, junkier IoT devices don't use secure networking. Devices on insecure networks are also especially vulnerable to man-in-the-middle (MITM) attacks, which makes stealing credentials mindlessly simple.

All this stems from the simple fact that IoT security is an afterthought

A more obvious but all too common problem is that many IoT devices come with weak default passwords or, worse still, shared hardcoded passwords. Yes, it makes it easier for Joe public to set the gadget up, but it's also an open invitation for any hacker to enlist your device in a botnet.

Of course, these vulnerabilities could be fixed… if IoT manufacturers gave a damn about security. Many don't. Many don't update their firmware at all.

To them, your security is a cost. You bought the gadget, it's your problem now.

What can you do about it? Not a lot, to be honest. So, I prefer never to buy any "smart" device. You see, there is no "S" for security in IoT. Never has been, and I doubt very much there ever will be.

You can only buy from vendors that prioritize security. Finding out which ones do that can be almost impossible, as they don't make it easy to find.

I can say one thing, though: If an IoT device runs Windows, just say no. Windows is hard enough to secure in a computer; in standalone hardware, it's almost impossible. The simple fact that medical devices, of all the things you'd want to really secure, frequently run obsolete versions of Windows says everything I need about how seriously their manufacturers take security.

It all comes down to the bottom line. What truly matters to the many who make IoT devices is the M for money. They couldn't care less about securing software, especially keeping it patched and secure after it's in your hands. You're much safer with dumb devices than you ever will be with smart ones. ®

Bootnote

* Yep, Carnegie-Mellon's Computer Science Department already had an internet-connected Coke machine back in 1992, and from the '70s, you could keep tabs on it from the university's server ("EMPTY   EMPTY   1h 3m COLD    COLD    1h 4m").
