This worries me and has overtones of the Y2K problem in the wayback machine. Think I'm exaggerating? Here's what Google search trends says:
IoT security spiked in October 2016 around news of the Mirai IoT botnet which I wrote about then and noted it was a tipping point. The search trend seems to be on the upswing again after the holiday break (and the CES madness). So with predictions of billions of connected devices coming our way (or a trillion by 2030 if you believe #Softbank CEO, Masayoshi Son) the concept of them all being hacked, disabled or generally used for malfeasance is getting everyones attention. The US government in the form of the FTC has got involved with a creative solution; a contest with cash prizes called the:
Sounds pretty cool so here is my quick thought experiment on how this might play out. The Feds want a tool that the average homeowner can run on their favorite device (guessing it has to be a multi platform mobile App) and find unprotected IoT devices lurking on their home network. For a quick sanity check I decided to look at how many devices are or have been connected to my home network and I should know better but was surprised how many devices I have connected and this isn't meant to be a brag but a cautionary tale. I'm also a little leery about too much description here because I don't want to get hacked!
We are a family of 4 and I admit to a tech addiction but we probably aren't that different from many families today; here's our list:
- 4 iPhones
- Tivo DVR
- Apple TV
- 4 laptops
- 2 wireless printers
- TV with direct Netflix connection
- Video doorbell
- Smart irrigation controller
- Temperature sensor
- Alexa by Amazon
- Dog tracker
- 3 iPads of various vintages
- Desktop PC's (3)
That's 25 devices with IP addresses on the network and I haven't indulged in a NEST or lighting controllers yet so its easy to see how we can get to billions of connected devices and this is just wifi on a single home network. Interestingly the wifi routers console showed that 47 devices have been connected to the router at some point.
So my thinking is the App is available on iTunes and Google Play (as you might imagine there are already some network apps available but none seem to focus on security) and after downloading it does this:
- The user logs onto their router (could be their office/home; side benefit is they must change their password from the default) and they identify the devices connected to the router.
- This is the moment of revelation! The user sees all the devices connected to their network. When looking at my device list in the router console though many of the names used are less than explanatory. Apple TV was obvious but dp-452xxxKM turned out to be the Amazon Echo which identified itself just as "LINUX".
- This is the key step in the process; identifying which devices are vulnerable and then how to secure them. There is a search engine for Internet connected devices called Shodan which has an API so that might be one step to take.
- Finally the App could lock the network so new devices couldn't be added unless there was security enabled.
So that's my take on the contest, if anyone wants to write the App I will help submit for the prize. If you have other ideas please comment below.