Internet of Things is a term we are all hearing – but very few people know what it means, or what dangerous security impacts it brings with it.
Something major happened in 2017. Internet of Things (IoT) devices were exploited by cybercriminals and turned into a rogue and malevolent army. A series of distributed denial of service (DDoS) attacks affected websites connected to the cloud-based internet performance management company Dyn, including Amazon, Twitter, Reddit, Spotify and PayPal. It was possibly a watershed moment.
Here are 10 things you need to know about IoT.
1. Wait, what’s IoT?
Definitions vary, but the ‘Internet of Things’ refers to ‘smart devices’ like refrigerators that will tell us when we’re out of milk. It also covers many smaller, less outlandishly smart objects, such as thermostats, coffee machines and cars. These gadgets are embedded with electronics, software, sensors and network connectivity so that they can connect to the internet.
2. So, what’s the problem?
Anything that connects to the internet, even if it doesn’t contain your medical records, poses a risk. The October 2017 attacks were made possible by the large number of unsecured internet-connected digital devices, such as home routers and surveillance cameras.
The attackers infected thousands of them with malicious code to form a botnet. Now, this is not a sophisticated means of attack, but there is strength in numbers. They can be used to swamp targeted servers, especially if they march in all at once.
3. How did the attacks actually happen?
Remember that bit in the instruction manual where it told you to change the default password? Well, if you didn’t, then chances are your IoT device could spring to life as a cyber zombie. The DDoS-attackers know the default passwords for many IoT devices and used them to get in. It’s a bit like leaving your house keys under a flowerpot for anyone to find.
Anyone putting an IoT router, camera, TV or even refrigerator online without first changing the default password is enabling attacks of this type. ESET research suggests at least 15% of home routers are unsecured – that’s an estimated 105 million potentially rogue routers.
4. Wait, do I need IoT devices?
Some people dismiss IoT devices as gimmicky; others believe that in a few years we’ll all have smart cupboards that tell us what we can have for dinner. But there are numerous discernible benefits, such as the sensors in smartphones and smartwatches that provide real information about our health. Or the “blackbox” telematics in cars which can prove how safe or unsafe our driving is and thus help with insurance claims.
5. So, this is a new problem?
Nope. The possibility for exploitation of this kind has been common knowledge since, well, the dawn of IoTs. But, we didn’t realize quite how vulnerable we were until last year’s attack. Malicious code infecting routers is nothing new, as this ESET research clearly demonstrates.
The advice to change the default passwords on these devices is not new and has been reiterated many times. Yet you can lead a horse to water, but there’s no making them drink. Years ago WeLiveSecurity reported on the existence of 73,000 security cameras with default passwords.
6. How far does it go back?
The IoT actually goes way back as far as the 1980s. But in a slightly Back to the Future iteration. Researchers at Carnegie Mellon University first came up with an internet-connected Coke vending machine in 1982.
7. Surely, internet giants have the power to stop this?
Sure, they do. But that doesn’t mean some of them haven’t left gaping holes available for malicious exploitation. At the Black Hat security conference last year, security research students from University of Central Florida demonstrated how they could compromise Google’s Nest thermostat within 15 seconds.
Daniel Buentello, one of the team members, was quoted as saying in 2014: “This is a computer that the user can’t put an antivirus on. Worse yet, there’s a secret backdoor that a bad person could use and stay there forever. It’s a literal fly on the wall.”
8. What can I personally do to stop this?
Look at IoT devices like any other computer. Immediately change the default password and check regularly for security patches, and always use the HTTPS interface when possible. When you’re not using the device, turn it off. If the device has other connection protocols that are not in use, disable them.
These things might sound simple, but you’d be alarmed by how easy it is to opt for convenience over good sense. Only half of respondents to this ESET survey indicated that they’d changed their router passwords.
9. What can companies do to stop this?
You might think, ‘What’s the point? If an attacker can breach Amazon, then what hope does my firm have?’ Well, don’t give up hope. Organizations can defend against DDoS attacks in a range of ways, including boosting the infrastructure of their networks and ensuring complete visibility of the traffic entering or exiting their networks. This visibility can help detect DDoS attacks. Organizations should also ensure they have sufficient DDoS mitigation capacity and capabilities. Finally, have in place a DDoS defense plan, which is kept updated and is rehearsed on a regular basis.
Think of it like a fire drill for your network. Also, watch out for Telnet servers. These are the dinosaurs of the digital universe and as such should be extinct, because they’re so easily exploited. Never connect one to a public-facing device.
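Sections 8 and 9 advise using HTTPS, disabling unused protocols and keeping Telnet off your devices. As an added example (not part of the original article), this Python script checks a scan of your own network, saved in nmap's grepable `-oG` output format, against those points; the host names, the sample scan and the `expected` port list are constructed assumptions.

```python
import re

# Constructed sample in nmap's grepable (-oG) output format; hosts are made up.
SAMPLE_SCAN = """\
# Nmap scan of home LAN (constructed sample)
Host: 192.168.1.1 (router.lan)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 443/closed/tcp//https///
Host: 192.168.1.20 (camera.lan)\tPorts: 80/open/tcp//http///, 554/open/tcp//rtsp///
Host: 192.168.1.30 (thermostat.lan)\tPorts: 443/open/tcp//https///
Host: 192.168.1.40 (tv.lan)\tPorts: 23/filtered/tcp//telnet///, 443/open/tcp//https///, 1900/open/udp//upnp///
"""

HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\s+Ports: (.*)$")

def open_ports(ports_field):
    """Return {port: service} for entries whose state is exactly 'open'."""
    found = {}
    for entry in ports_field.split(","):
        # Each entry is port/state/protocol/owner/service/...
        parts = entry.strip().split("/")
        if len(parts) >= 5 and parts[1] == "open" and parts[0].isdigit():
            found[int(parts[0])] = parts[4]
    return found

def audit(scan_text, expected=(80, 443)):
    """Map each host to findings drawn from the article's checklist.

    `expected` is an assumed allow-list of ports a device may expose; it also
    assumes the admin interface sits on 80/443, which is not true of every device.
    """
    report = {}
    for line in scan_text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines and status-only lines
        ip, name, ports = m.group(1), m.group(2), open_ports(m.group(3))
        findings = []
        if 23 in ports:
            findings.append("telnet open: disable it")
        if 80 in ports and 443 not in ports:
            findings.append("admin interface is HTTP only: no HTTPS available")
        extra = sorted(p for p in ports if p not in expected and p != 23)
        if extra:
            findings.append("unexpected open ports %s: disable if unused" % extra)
        report[name or ip] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_SCAN).items():
        print(host, "->", findings or ["no findings"])
```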
10. But … and this is a big but …
The tech might have been around for a while but these kinds of attacks are brand new. As such there are no agreed best practice protection methods for stopping an IoT device from turning against you.
At least, not ones that the experts can agree on. Some believe you should apply a firewall in your home or business and restrict control of the devices to authorized users. However, another method would be to apply a certification approach: allowing only users with the right security certificate to control the devices and automatically barring any unauthorized profiles. If in doubt, unplug it.
Low-cost wireless sport earphones get a kickstart
Wireless earphone brands are common, but not crowdfunded brands. BRYAN TURNER takes the K Sport Wireless for a run.
As wireless technology becomes better, Bluetooth earphones have become popular in the consumer market. KuaiFit aspires to make them even more accessible to more people through a cheaper, quality product, by selling the K Sport Wireless Earphones directly from its Kickstarter page.
KuaiFit has an app by the same name which offers voice-guided personal training services in almost every type of exercise, from cardio to weight-lifting. A vast range of connectivity to third-party sensors is available, like heart rate sensors and GPS devices, which work well with guided coaching.
The app starts off with selecting a fitness level: beginner, intermediate and advanced. Thereafter, one has the ability to connect with real personal trainers via a subscription to its paid service. The subscription comes free for 6 months with the earphones, and R30 per month thereafter.
The box includes a manual, a USB to two USB Type B connectors, different sized soft plastic eartips and the two earphone units. Each earphone is wireless and connects to the other independently of wires. This puts the K Sport Wireless in the realm of the Apple Earpods in terms of connection style.
The earphones are just over 2cm wide and 2cm high. The set is black with a light blue KuaiFit logo on the earphone’s button.
The button functions as an on/off switch when long-pressed and a play/pause button when quick-pressed. The dual-button set-up is convenient in everyday use, allowing for playback control depending on which hand is free. Two connectivity modes are available, single earphone mode or dual earphone mode. The dual earphone mode intelligently connects the second earphone and syncs stereo audio a few seconds after powering on.
In terms of connectivity, the earphones are Bluetooth 4.1 with a massive 10-meter range, provided there are no obstacles between the device and the earphones. While it’s not Bluetooth 5, it still falls into the Bluetooth Low Energy connection category, meaning that the smartphone’s battery won’t be drastically affected by a consistent connection to the earphones. The batteries within the earphones aren’t specifically listed but last anywhere between 3 and 6 hours, depending on the mode.
Audio quality is surprisingly good for earphones at this price point. The headset style is restricted to in-ear due to its small design and probable usage in movement-intensive activities. As a result, one has to be very careful how one puts these earphones in, because bass can be reduced by incorrect in-ear placement. In-ear earphones are usually notorious for ear discomfort and suction pain after extended usage. These earphones are one of the very few in this price range that are comfortable and don’t cause discomfort. The good quality of the soft plastic ear tip is definitely a factor in the high level of comfort of the in-ear earphone experience.
Overall, the K Sport Wireless earphones are great considering the sound quality and the low price: US$30 on Kickstarter.
Find them on Kickstarter here.
Taxify enters Google Maps
A recent update to Taxify now uses Google Maps which allows users to identify their drivers, find public transport and search for billing options.
People planning their travel routes using Google Maps will now see a Taxify icon in the app, in addition to the familiar car, public transport, walking and billing options.
Taxify started operating in South Africa in 2016 and as of October 2018 operates in seven South African cities – Johannesburg, Ekurhuleni, Tshwane, Cape Town, Durban, Port Elizabeth and Polokwane.
Once riders have searched for their destination and asked the app for directions, Google Maps shares the proximity of cars on the Taxify platform, as well as an estimated fare for the trip.
If users see that taking the Taxify option is their best bet, they can simply tap on the ‘Open app’ icon, to complete the process of booking the ride. Customers without the app on their device will be prompted to install Taxify first.
This integration makes it possible for users to evaluate which of the private, public or e-hailing modes of transport are most time-efficient and cost-effective.
“This integration with Google Maps makes it so much easier for users to choose the best way to move around their city,” says Gareth Taylor, Taxify’s country manager for South Africa. “They’ll have quick comparisons between estimated arrival times for the different modes of transport, as well as fares they can expect to pay, which will help save both time and money,” he added.
Taxify rides in Google Maps are rolling out globally today and will be available in more than 15 countries, with South Africa being one of the first countries to benefit from this convenient service.