Internet-connected gadgets vulnerable because they don’t have enough memory for safety software, use generic code and access web by default

This article is more than 3 years old

“Smart” internet-connected devices such as webcams, kettles and baby monitors are “too dumb” to resist the kind of cyber-attack that brought down some of the world’s most popular websites on Friday, experts have warned.

Richard Sims, a product development consultant at the Technology Partnership, said such devices – commonly referred to as the “internet of things” – often connect to the internet by default and use stock code from open-source software, which makes them easier to hack.

Mercedes Bunz, a lecturer at the University of Westminster, said connected devices were not smart enough to have safety software installed, adding: “You can’t install a firewall on a baby monitor because it doesn’t have enough memory.”

Apart from baby monitors, which can send an alert to parents’ mobile phones when their babies stir, connected devices also include smart TVs or home lighting systems that can be activated via a mobile phone.

By contrast, devices made for more specialist applications were designed with security in mind and segregated from the public internet, making them far more difficult to exploit, added Sims, who has worked on a range of industrial IoT projects.

Twitter, PayPal and Spotify were among the sites made inaccessible on Friday after hundreds of thousands of connected devices were exploited to overwhelm the US-based web infrastructure company Dyn with traffic from millions of internet addresses.

Attacks using connected devices are not new. In 2014, a fridge, home routers and smart TVs were among 100,000 devices hacked to launch a spam email campaign.

But assaults are getting more sophisticated. Sims said the hackers behind the Dyn attack presumably scanned the internet for vulnerable devices, and called on manufacturers to pay more attention to security at the design stage.

“If you’re a product development company releasing these products on to the consumer market, it’s unrealistic to expect the consumer to have the knowledge of how to secure these devices, so this has to be considered from the start,” he said.

Bunz agreed that the general public does not understand how vulnerable connected devices are.

“The problem is that people don’t change their passwords,” Bunz said. “They just keep their default passwords and they are so easily hackable and they are very easily turned around into a little bot, because that doesn’t need a lot of memory.”



Bunz said the economic demands of bringing small connected gadgets to market meant security, an added expense, was often overlooked, providing hackers with an increasing wealth of potentially exploitable devices.



She said they were becoming the target of choice because manufacturers were making personal computers increasingly difficult to hack. Bunz added: “What we really need is a step up by the corporations to care more about security.”

Both experts said it might be unrealistic to expect designers to build traditional means of online protection, such as antivirus and firewall software, into everyday household gadgets.

“We will receive [software] patches for sure,” Bunz said. “The problem is that you can’t install an antivirus system because they are too dumb. It’s not like a personal computer where you can install a firewall.”

Sims, meanwhile, suggested manufacturers were needlessly over-equipping their connected products. “Why would you want your baby monitor to be contactable from outside your home at all? Maybe there are ways to mitigate some of this stuff by being a little bit more intelligent about how you open things up to the broader internet.”