Whether it’s poorly reported stories of hacked Samsung TVs, sadly hilarious tales of hacked teddy bears, or even more bizarre claims about wiretapped microwaves, real, fake and overblown accounts of all the things that can happen with the devices we choose to connect to the internet dominate the news. We’ve brought this stupid future on ourselves.
Art by Angelica Alzona.
Over the last few years, we’ve been connecting anything and everything we can to the internet under the guise of simplicity. You can connect light bulbs, refrigerators, sex toys, pet feeders and a ton more. These devices are usually referred to as Internet of Things (IoT). How poorly thought out they are is already a running joke, but that isn’t stopping them from coming out at an increased pace.
There are a lot of potential problems with IoT devices, but the two most prevalent and worth talking about issues are security and usability.
Security On IoT Devices Is Already Bad and Consumers Don’t Seem to Care to Make it Better
Security with IoT devices is so bad that when we hear about a hacked IoT device, we generally release a large collective shrug. This isn’t a huge deal yet, but it’s going to be.
Let’s back it up a bit first though. A few different security scenarios are at work here. Hacking into your IoT devices to get into your network, hacking into your devices to create a botnet, and spying on you.
To start at the top, IoT devices are hard to secure. For the sake of usability, they often have weak security. Connecting to an internet-connected light bulb using two-factor authentication and a strong password would be a pain in the arse, so instead, they use simplified defence systems that are easy to subvert. Out of the box, a light bulb broadcasts a single Wi-Fi signal and asks you to connect to it and enter your Wi-Fi network information. If a hacker has good timing and is close to your house, they could easily spoof that light bulb to get your Wi-Fi login. The scenario is rare, especially considering how close they’d need to be. That distance is already expanding though, including one light bulb hack The New York Times reported worked from up to 70m away.
We have seen similar security holes in everything from a Wi-Fi connected Barbie to a Jeep. Samsung had a smart fridge that didn’t check SSL certificates, which meant someone could use a man-in-the-middle attack to snag your Google login information. This was all pretty niche until a hack in October of 2016 used IoT devices to shut down massive portions of the internet.
It turned out the disruptions were the effect of a distributed denial of service attack (DDoS). That’s when hackers overwhelm websites with fake traffic, causing the site to break. In October, the victim was a company called Dyn, which is one of the entities that route web traffic. Hacked IoT devices fuelled that DDoS. Hackers used a system known as the Mirai botnet, which scans the web for IoT devices that still have factory default usernames and passwords. It then hacks that device and uses it to pound a website with traffic. In the case of Mirai, it was our own neglect shining through. An astounding number of people don’t change default logins on their devices.
Spying works in a couple of different ways. The more traditional idea most of us have is something like the CIA using a Samsung TV to spy on people’s conversations. This should have come as no surprise considering last year former US Directory of National Intelligence said, “In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.”
That whole CIA thing was a bit overblown because it required a thumb drive attached to a TV and the whole thing got patched with firmware updates either way, but it sets a scary precedent for surveillance. It’s not only the government that’s interested in spying, it’s also the companies that make these devices.
For example, the We-Vibe sex toy recently reached a $US3.75 million ($4.89 million) settlement after researchers found that it illegally collected data without user’s consent. That breach of privacy was only discovered because security researchers located a software flaw that could allow a hacker to remotely control the vibrator. They then discovered that user preferences and statistics were sent to We-Vibe’s servers. We-Vibe isn’t the only company doing this. Vizio recently settled for illegally collecting user data on smart TVs, and Amazon is handing over audio recorded by an Echo in a murder case.
A lot of these issues are our own fault. We’re buying these devices even though we don’t need them. We’re connecting TVs with microphones to the internet, even though we have dozens of other devices that work better than any smart TV ever will. Then, to top it off, we neglect to ever change the password on these devices.
Beyond that, our own paranoia has made things much worse than they need to be. Everyone I know has come to accept the idea that the government is spying on us through television sets. So when Wikileaks released information about the CIA using Samsung TVs to spy on people, nobody cared. This isn’t new thinking either. Snowden’s leaks brought the same reaction. That carefree negligent attitude has already led to a few mostly harmless hacks. But it’s certainly not going to get better moving forward.
The Future Will Get Stupider and Your Life Will Not Get Better
Security concerns aside, there’s also the dubious claim that any of these devices need to exist in the first place. Most IoT devices seem to spawn from brainstorming sessions that ask one question: “Wouldn’t it be nice if I could check this on my phone?”
Like, wouldn’t it be nice if I could control a crock pot from my phone? Or wouldn’t it be nice if my rectal thermometer stored data online? Maybe you’d like to know how many eggs are in the fridge, in which case, wouldn’t it be nice if some magical device existed that could tell you that?
Connecting a device to the internet isn’t much more than a scheme to make you buy a new version of something you already own. One of the best things about a crock pot is the fact that you set it and forget it. You (hopefully) don’t use a rectal thermometer enough that you need to track that data online. If you need an app to tell you how many eggs are in the fridge you have bigger problems than deciding what to buy at the grocery store. Does the Wi-Fi signal even work in your fridge anyway?
Even useful IoT devices still have serious issues. If the internet goes down, you can’t control your smart thermostat. Worse, you not might be able to feed your cat using your overpriced internet-connected pet feeder. If a company goes out of business, as was the case with Revolv, a smart home hub startup purchased by Nest, all your devices are worthless. Even if you love the idea of IoT stuff, there’s still the fact that almost none of these devices communicate with each other. Even your hacked together crappy house of the future requires 25 apps to trigger the dumb “party mode” you never use.
I’ve yet to see an IoT device that actually improves my quality of life on a grand scale. When it comes to accessibility, something like an Echo can make some people’s lives easier, but it’s hard to see how it helps consumers at large. Sure, setting up my thermostat is now slightly easier than it was on that junky LCD screen, but does it even need the internet for that? I can use a touchscreen on the device itself. The extra internet-related features seem like diminishing returns beyond turning a boring device into a fun toy for a day.
There’s no sign that any of this will change. In fact, all signs point to the Internet of Things just getting stupider and stupider until eventually everything is online.
IoT seems unstoppable. One researcher suggests we’ll have over 80 billion smart devices on the internet by 2025. That suggests that everything in your home will be online. From your fridge to your office chair. We keep buying these devices because we either fall for the upsell or we still dream of the smart home promised to us by The Jetsons. IoT device makers aren’t trying to innovate. They jam a barebones computer into a preexisting device, make an insecure app to go with it, then call it a day.
What happens next is at least partially up to us. You can demand better security. Or you can refuse to buy any of this crap to begin with. Whether that will actually change what device makers do is doubtful, but at least you won’t have to worry about the government spying on your microwave.
If nothing else, change your default password.