NEW YORK (MainStreet) Home security systems. Fancy high-tech toilets. Baby monitors. What they have in common is this: all are networked devices and all have been hacked.
In Houston, a hacker took control of a Foscam baby monitor and apparently yelled at the two-year-old, "Wake up, you little slut," or so reported the startled parents.
In Japan the Satis toilet, which can be controlled by a smartphone app, has been shown to be hackable, meaning attackers can flush it, raise the seat, and in other ways drive a rightful user nuts.
In England, researchers at security firm Trustwave found it simple to take control of networked home security systems and either turn them off or - perhaps more creepily - use the systems to spy upon a home's occupants.
The list could go on. "The Internet of Things is very vulnerable," said Michael Fiske, CEO of San Francisco cybersecurity firm Biogy. He ominously added: "You can hack pretty much anything that is connected to the Internet."
As long ago as 2001, an Australian man, angry because his job application was rejected, hacked into a local sewage system and caused it to discharge millions of liters of raw sewage into parks, rivers, even a luxury hotel. At the time, an official with the Australian Environmental Protection Agency said: "Marine life died, the creek water turned black and the stench was unbearable."
Awful as that incident seems, the potential disasters are much more menacing today, mainly because so many devices now are on the Internet. "There are billions of connected devices, billions of vulnerabilities," said Alan Grau, CEO at security company Icon Labs.
It's personal appliances such as baby cams and coffee makers. But sometimes it is much bigger stuff.
Hackers have already demonstrated, for instance, that it is possible to hack into smart electrical grids and put stretches of the grid into darkness. That could mean your apartment building is plunged into a malicious darkness even as neighbors have lights.
Other hackers have shown that today's automobiles - in many ways really computer peripherals - can be controlled externally, meaning the cars can be ordered to stop, to speed up, to turn, to do just about anything a hacker wants them to do.
Highly skilled hackers have shown they can even trick air traffic control systems into believing a fictional flight is real. And that could cause chaos at airports around the country.
How can this be so easy? Dwayne Melancon, CTO at IT security firm Tripwire, pointed to two factors. The first is that, in almost every case, the networked devices were never designed with security in mind. Design aesthetics, costs, ease of use - all rate high in creating refrigerators, baby webcams, toilets, etc. But just about nobody is keen to dwell on the need for security, especially not if it adds costs or layers of user inconvenience.
The other factor: there are more and more online bazaars where hackers swap vulnerability reports, hack strategies and more, said Melancon. He suggested that, with many devices, it is fairly easy to get the how-to of a hack via a little Internet searching.
Part of the reason for that is that connected-device security is woeful. "Many devices share the same password," said Grau. There is evidence, for instance, that tens of thousands of medical devices share the same default password, which rarely is changed by either physicians or patients. That allows for convenient access, of course - but the access could be exploited by bad actors just as easily.
Another fact: it just is not straightforward to patch vulnerabilities in devices such as coffee makers and pacemakers, said Jonathan Weber, founder of Marathon Studios. Technologists have a generation of experience patching PCs and, still, that's a crazy quilt of patched and unpatched vulnerabilities. With the Internet of Things, in many instances, how the device owner would seek out and apply patches is uncharted territory. So an upshot is that even when patches are available, they frequently aren't put to use. Added Weber: "Nobody's going to download and install a firmware patch for their Internet-enabled toaster."
If there is light at tunnel's end, it's that when things get really bad, there will begin to be progress in cleaning up the insecure mess that is the Internet of Things. Predicted Patrick Sweeney, a security expert and author of RFID for Dummies: "In the next year you will see two or three high profile hacks. That will be a catalyst that brings about real security."
"When there's a big catastrophe - or maybe a big lawsuit - then device security will get serious," agreed Melancon. Until then, he shrugged, manufacturers will ignore device security because people aren't asking for it.
--Written by Robert McGarvey for MainStreet