The major federal agencies that go to incredible lengths to monitor, detect, and defend against the cyber threats facing our country have all issued major warnings within the past year that multiple leading infrastructure firms are experiencing first-hand the work of “persistent threat actors” abroad. In March 2018, the Department of Homeland Security announced attempts at intrusion into multiple industrial-level energy production companies and facilities (including nuclear power plants) were detected, but had not proven successful. Earlier this month, two government officials told to the Washington Post that in fact some of these attacks were successful, but did not appear to penetrate core networks responsible for operation of the plants, or anything that could affect “public safety”.
Given what is happening on the macro scale, it begs the question: what are the cyber threats facing smart homes and hubs? Sadly, the information in the public domain is quite limited and the first results that pop up on Google are from Kaspersky Labs, makers of a leading anti-virus software that has been accused of participating in state-sponsored cyber espionage by way of the Russian Federation and was recently banned being used on US government computers. While the Kaspersky report is quite detailed, the rest of the first page of results mostly consist of reporting on various facets of the seemingly vast iOT security void we are facing, but nothing comprehensive, or that brings the national security implications into view.
The truth is that the Internet of Things presents virtually countless new possible points of entry for cyber attacks, from connected cars to voice-activated digital assistants, refrigerators, coffee makers and even “smart toys”. Much of this activity is documented and suggests users and vendors be extra careful with the serial numbers attached to various devices, be wary of used devices, as well as default passwords that are widely published on the web. However, the fact that there hasn’t been a major headline of a smart home attack should not suggest that the threat has been neutralized or has subsided. In fact, one of the key signs of a sophisticated digital attack is to not immediately reveal the presence of the attacker, since in the end the breach can ultimately act as an observer, a mole, a source.
At this point, it seems unclear who the authority on the topic is, which sounds both concerning and like an opportunity. The threats are largely invisible and gaining. If internet-connected devices are part of you or your company’s present and future, I highly recommend making consistent efforts to ensure that you nor your customers are not unknowingly opening the doors for unwelcome visitors. Similarly, if you are on the custom install, information security circuit, I’d encourage you to get out there and make some new clients! While we may not be tasked with protecting the nation’s critical infrastructure, we are responsible for making sure this still budding industry has the protection it needs to continue to grow, and that we’ve done everything we can to make sure consumers literally don’t get locked out and left in the cold.