The efficiencies and conveniences that come with the Internet of Things also can open up a greater potential for cybercrime, according to the FBI.
The bureau’s Internet Crime Complaint Center, or IC3, warns in a notice that IoT-connected devices — those constantly connected to a network and sharing data automatically — can lack security and patching capabilities, and, when linked to larger public networks, expose users to the risk of an attack or theft.
“Criminals can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam e-mails, steal personal information, or interfere with physical safety,” the IC3 notice says. Bad actors can exploit “Universal Plug and Play protocol (UPnP) to gain access to many IoT devices,” and use default passwords to send problematic emails or steal information.
Though the Internet of Things is a fairly new and underdeveloped technology phenomenon, more of these types of devices are hitting the market. By 2020, Cisco estimates 50 billion devices will be take part in this Internet-connected environment. IC3’s examples of these devices range in sophistication, from tools that control and secure your home to medical devices and wearables. Even apps on a smartphone that control entertainment systems count.
And with the flood of devices, the FBI expects to see more cybercriminals engineering their way into consumers’ vulnerable systems and devices. IC3 published a laundry list of horrors of what could go wrong — hacking into closed-circuit security cameras or baby monitors, breaching home medical devices to steal personal information, and attacking businesses’ critical devices.
For instance, the alert states: “Criminals can exploit unsecured wireless connections for automated devices, such as security systems, garage doors, thermostats, and lighting. The exploits allow criminals to obtain administrative privileges on the automated device. Once the criminals have obtained the owner’s privileges, the criminal can access the home or business network and collect personal information or remotely monitor the owner’s habits and network traffic. If the owner did not change the default password or create a strong password, a cyber criminal could easily exploit these devices to open doors, turn off security systems, record audio and video, and gain access to sensitive data.”
IC3 recommends above all that consumers protect themselves by isolating their devices to private, secured networks. But for the most part, the center’s recommendations are general technology and cybersecurity best practices, like updating passwords regularly and installing security updates or patches. The Department of Homeland Security’s U.S. Computer Emergency Readiness Team also issued an alert encouraging consumers to follow IC3’s advice.
Despite the impending IoT boom and the related privacy and security implications, lawmakers and regulators have been puzzled by how to ensure consumer safety without handcuffing businesses looking to thrive in the IoT environment. So far, the Federal Trade Commission has issued broad IoT privacy recommendations, and congressional committees have dabbled in the topic, but there’s been little concrete movement toward regulations or legislation.