The rapid expansion of the Internet of Things (IoT) has been a cause of great concern for data security analysts, and the Federal Bureau of Investigation has recently weighed in on the gravity of the situation, releasing a wide-ranging public service announcement (PSA) describing the current risks and providing recommendations on the protection of personal and business-related data. The IoT refers to the vast number of devices, other than traditional computer-like devices such as laptops, tablets, and smartphones, that connect to the Internet through wi-fi and transmit data. The IoT includes devices such as smart televisions, cable boxes and streaming devices, printers and other office equipment, security systems including security cameras, devices used to adjust lighting and heating automatically, and wearable technology such as Fitbits. Because such devices generally connect to the Internet and transmit data without human direction, the FBI warns that they present a high risk of attack by malicious hackers and cybercriminals, who can commandeer the devices and exploit them to steal data or put them to other malicious uses.

Risks Presented by the Internet of Things

The FBI’s release indicated that a central risk associated with IoT devices is that cybercriminals can exploit the Universal Plug and Play protocol (“UPnP”), which allows devices to self-configure so that they can connect to and communicate with a network remotely, without authentication. While UPnP makes the devices more convenient to use, it has the unintended effect of making them more susceptible to exploitation by cyber actors. When cybercriminals are able to exploit UPnP, they can change the device configuration and run commands remotely, which can then enable them to harvest information from the network and even eavesdrop on users through the devices’ audio and video inputs.

Other risks pointed out by the FBI include:

  • The exploitation of default passwords to send spam and malicious emails
  • Overloading of IoT devices to render them inoperable, or physical destruction of the devices
  • Interference with business transactions and theft of credit card numbers

Examples of Specific IoT Threat Scenarios

The PSA discusses a number of potential scenarios involving IoT device-related data breaches, including the following:

  • The use of default passwords on home security monitors, baby monitors, and business security monitors by cyber actors to gain access to the system and observe the data captured by the monitors without being detected
  • The ability of cyber actors to gain administrative access to business and home networks in order to disarm security procedures, change thermostat levels, open access doors, and remotely monitor the owner
  • The retrieval of health care information from medical devices that transmit data, followed by the malicious use of that information, or remote interference with the operation of the devices

IoT Recommendations Given by the FBI

The FBI release recommended that individuals and organizations that allow IoT devices to access their networks take the following precautions:

  • Disable the use of the UPnP on all networks
  • Only purchase IoT devices from reliable manufacturers
  • Use IoT devices only on isolated networks, disconnected from networks connecting to sensitive information
  • Change default passwords that are installed by the manufacturer on IoT devices
  • Update IoT device passwords regularly
  • Consider whether an IoT device is ideal for its intended purpose or consider using a device that does not connect to the Internet
  • Inform patients of the data security vulnerabilities presented by the use of certain medical devices that connect to the Internet
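One way to verify the first recommendation, disabling UPnP, is to check whether anything on the local network still answers UPnP discovery (SSDP) probes. The script below is an added example, not part of the FBI release or of this post; the sample reply and the 192.0.2.10 address are constructed.

```python
import socket
# UPnP discovery (SSDP) multicast group and port.
SSDP_ADDR = ("239.255.255.250", 1900)
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n'
)
SAMPLE_RESPONSE = (  # constructed sample reply from a UPnP-enabled device, not a real capture
    "HTTP/1.1 200 OK\r\n"
    "LOCATION: http://192.0.2.10:49152/description.xml\r\n"
    "SERVER: Linux/3.x UPnP/1.0 ExampleCam/1.0\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n\r\n"
)

def parse_ssdp_response(raw):
    """Parse an SSDP '200 OK' reply into a dict keyed by lowercase header name."""
    lines = raw.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def is_upnp_responder(headers):
    """LOCATION plus USN means the host is advertising a UPnP device description."""
    return bool(headers.get("location")) and bool(headers.get("usn"))

def discover_upnp(timeout=3.0):
    """Multicast M-SEARCH and return {ip: headers}; expect {} once UPnP is disabled."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(M_SEARCH.encode(), SSDP_ADDR)
        try:
            while True:
                data, addr = sock.recvfrom(65507)
                headers = parse_ssdp_response(data.decode(errors="replace"))
                if is_upnp_responder(headers):
                    found[addr[0]] = headers
        except socket.timeout:
            pass
    return found

if __name__ == "__main__":
    for ip, h in discover_upnp().items():
        print(ip, h.get("server", "?"), h["location"])
```

Any host listed is still advertising UPnP on that network segment and is a candidate for reconfiguration or isolation.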