Will IoT be the Malware Distribution Network?

The architecture used by most IoT device manufacturers will leave homes vulnerable to attack.

The Internet of Things promises (threatens?) to bring all kinds of wonderful life-enhancing technology to homes and workplaces, but also presents a massive opportunity for compromising networks of computers everywhere.

From its start with smart thermostats and remotely accessible security cameras, to more recent offerings of intelligent doors, windows, and baby monitors, the IoT distributes intelligence and control to all kinds of household devices, not to mention factory and automation equipment. However, in the process of making it easy to use these smart devices (easy to use is mandatory if you want ubiquitous adoption), the designers of these products have typically implemented a communications architecture that is just begging to be pwned.

The root cause of the vulnerabilities that are (and will be) present everywhere can be traced to the use of IPv4, the version of the Internet Protocol that is most widely used. IPv4 uses a 32-bit address, which means the theoretical limit of the number of Internet addresses is about 4 billion. Which isn’t enough for all of the computers, phones, machines, and smart devices in the world. The work-around for this limitation is usually Network Address Translation, or NAT, which allows devices to connect to the Internet without being assigned a directly addressable Internet address. However, this makes remote connections to NAT-ed devices difficult, to say the least.

What most manufacturers have done to work around the obstacles presented by NAT is to set up a server in the cloud that acts as a middle man for the IoT devices and users’ laptops and smart phones. The IoT devices and smart phones both connect to the server, which passes information in both directions. That may sound innocuous, but it creates opportunities for the ethically challenged/technologically advanced to hack those devices and your computers, and for device manufacturers to turn your home into a revenue stream.

When an IoT device is connected to your home network, it can see everything on your network — computers, wi-fi connected phones, media players, security cameras, etc. So any person or server that can access the IoT device can also access your home network, as if they plugged a laptop into your network. That device opens up your network to two major vulnerabilities: anyone who can hack into the server can also connect to your home network, and anyone who has figured out how to connect to the IoT device can also connect to your home network. Most products designed to connect to home networks are not very secure; even the routers that allegedly include firewalls have security flaws that are exposed almost weekly, and devices that simply connect to the network are often not designed with security in mind.

Now some people will say “who cares if my thermostat gets hacked?”, because for the typical hacker, even that won’t be much fun (and probably won’t generate any income). Thermostats and baby monitors won’t be the target, though, your computers and phones will be. Access to the network means access to computers on the network if those computers are not adequately protected (and most won’t be). That access means hackers will be able to install malware, which could be used to spy on your computer (steal passwords, account numbers, that sort of thing), or just become part of their botnet.

A better solution than using a third party middle man server for allowing remote access to home networks is for manufacturers to implement peer-to-peer communications protocols, so your phone can connect directly to your security camera. This isn’t impossible technology, as it is used for free VoIP services, video chats, and other communication services between two end points. However, it’s not being widely utilized by IoT vendors, because they want to use the IoT device as an entry into your home, where they can sell you additional services, or sell your personal data to other companies.

Most recently introduced home security cameras don’t allow you to directly access your camera; the camera must stream video to the vendor’s server, where you can then stream it down to your computer or phone. They then offer additional services, like storage, which you could provide yourself at a much lower cost, if they allowed you direct access to the camera. So not only do you lose control of the camera, you give up control of your home network, and every device connected to it.

Most IoT vendors are unlikely to change their communications architecture, unless consumers refuse to buy their products. As most consumers are blissfully unaware of the threats their networks face, this kind of change is just as unlikely to happen, at least not until high profile hacks are discovered. Manufacturers can do everyone a great service, though, by implementing the more secure encrypted, peer-to-peer access method.