Opinion: the growth in connected devices in our homes is causing increasing safety and security concerns

By Gilbert ReganDundalk Institute of Technology

We live in an increasingly interconnected world. It is reported that the number of connected devices will increase by 12% per year, from 27 billion in 2017 to 125 billion in 2030. In our smart homes, it is not just our computers and mobile phones which connect to the internet. Fridges, ovens, cameras, speakers, thermostats and lights can be connected so they can act upon your command and/or send you information. Even if connected devices don't interoperate, they can be on the same network and so affect each other.

The range of smart devices continues to grow. An American company has developed a smart salt dispenser with a Bluetooth speaker and mood light. This dispenser is also compatible with Amazon Alexa and even allows you to dispense salt using a smartphone.

But this growth in device connectedness is causing increasing safety and security concerns because these devices are generally not well protected. It is the connecting of these devices that makes them so vulnerable. For example, a hacker could possibly gain access to your smartphone through your smart salt dispenser because they are connected. Anything connected to the internet can be hacked, and, as everything is getting connected, this means that everything can be hacked.

From RTÉ Radio 1's News At One, RTÉ's Will Goodbody reports on the 2017 WannaCry ransomware attack

There are numerous examples of hackers downing networks, crippling infrastructure and even putting human lives at risk, including the Mirai Botnet and WannaCry attacks. In 2016, the Mirai malware caused infected computers to continually search the internet for vulnerable devices and then use known default usernames and passwords to log in and infect those devices with malware.

The WannaCry attack in 2017 encrypted computer data making it impossible for users to access that data and then demanded ransom payments in order to decrypt the data. The attack was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars. The NHS in England and Scotland may have had up to 70,000 devices infected, including computers, MRI scanners and theatre equipment.

There are a couple of technical reasons why connected devices are generally not well protected. Connecting devices increases the number of different points where an unauthorised user can try to enter data or to extract data from a network. This increased attack surface increases the likelihood of a vulnerability being exploited. Another reason is that manufacturers don’t always know in what configuration or in what environment their device will be applied. This makes it difficult for development to ensure safety and security when their devices are connected to devices from different manufacturers.

An insecure internet can be in the interests of both governments and large corporations

There are also business-related reasons for insecure connected devices. First, there is the quality, cost and time to market triangle. The growth in connected devices comes from manufacturers wanting to achieve a competitive edge. Achieving a competitive edge in a fast moving market usually means attaining the goals of being "early to market" and "reasonable cost". This means that quality around safety and security is not always to the fore when developing internet enabled devices.

A more sinister reason for the insecurity of connected devices is that an insecure internet can be in the interests of both governments and large corporations. Corporations such as Facebook and Amazon offer secure platforms as long as it is not secure from them. They collect and store your personal data, and then infer your likes, dislikes, interests and so on, in order to direct personalised adverts. This surveillance data underpins the business model of the internet.

In December 2018, an investigation by the New York Times showed that Facebook shared access to users' data with other tech firms, including Amazon, Apple, Microsoft, Netflix, Spotify and Yandex. Examples given included allowing other companies to read users' private messages and to see the names, contact details and activities of their friends.  Damian Collins MP, chair of the UK Parliament's Digital, Culture, Media and Sport Committee, told that BBC that Facebook "do reward companies with access to data that others are denied, if they place a high value on the business they do together. This is just another form of selling"

From RTÉ Radio 1's News At One, Irish Independent Technology Editor, Adrian Weckler on the New York Times' claims that Facebook gave companies greater access to users' personal details than previously disclosed

Similarly, it can be in government interests (think national security agencies) to have the ability to break into "securely" connected devices. They can use spyware to spy on journalists, political activists and opponents among others, mainly for reasons of social and political control. In extreme cases, governments such as China use social media platforms to spy on its entire population. Perhaps more worryingly, governments have been accused of cyberwarfare. In 2018 the US and Uk governments claimed that the Russian government was exploiting network infrastructure devices, such as routers, to lay the groundwork for future attacks on critical infrastructure such as power stations and energy grids.

The danger of interconnected devices is recognised by the European Union who fund research projects aimed at finding solutions to the technical problems, including Dependability Engineering Innovation for Cyber Physical Systems. Involving Dundalk Institute of Technology and Lero, it aims to develop a solution for improving the safety and security of systems or devices connected over the internet.

Dr Gilbert Regan is a postdoctoral researcher at the Regulated Software Research Centre at Dundalk Institute of Technology and at Lero, the Irish software research centre

The views expressed here are those of the author and do not represent or reflect the views of RTÉ