Is the Internet of Things secure?

Steven Murdoch, Research Fellow in the Information Security Research Group at UCL Computer Science has been interviewed for The Naked Scientists, 'Is the Internet of Things secure?'.

The radio broadcast is available here (available until 3 July 2017); a transcript appears below between Steven and Timothy Revell:

A world is fast approaching where everything around us is connected to the Internet. Your fridge will shop online for more milk and ice-cream when you run low, your phone will tell your oven that you’re behind schedule on the journey home and to turn the dinner down, and the heating will fire up at the right moment so that the house is already warm when you walk through the door. All of these interconnected devices as referred to as “The Internet of Things”. But with convenience comes risk. And Steven Murdoch, from UCL, spoke to Timothy Revell to explain what we need to watch out for…

Steven - What’s happened with The Internet of Things is that, of course, computers have become cheaper than before and smaller. We can now put them in all sorts of interesting household appliances and to get the full power of computers we want to connect them to the Internet so that they can talk to other computers and talk to us. But the people who are making these home appliances are fairly new to the industry of internet connected things and so they make mistakes.

Tim - What sorts of mistakes are they making? Are the very secure or not really?

Steven - In many cases they are not secure. We’ve seen significant problems; a common one is that the come with default passwords and so anyone who knows the default can log into this computer rather than only the owner. Another one is that the vulnerabilities that people do discover never get fixed because the companies don’t have any way of installing software updates on these computers.

Tim - I remember for while people were worried about smart TVs - what’s that all about?

Steven - Smart TVs are just televisions with computers, but they added in things like cameras and microphones and make useful features like voice recognition. But the way voice recognition worked is it would send your voice up to some other computers run by the manufacturer to work out what is actually being said. The manufacturer - Samsung in this case - warn people not to have private conversations in front of the television, which caused people to be aware of these sorts of risks.

Tim - Yeah, so don’t tell any secrets in your lounge. At the moment you’ve got a device in front of you - what actually is that? It looks a bit like a webcam.

Steven - Yeah. This is a webcam but this one is specifically marketed as a baby monitor and the way I’ve set it up is on my own private network. But what’s happened quite frequently is that people accidently set this up so that anyone on the internet can connect to it and leave it with it’s default password which everyone knows. Then just as I can control it from it’s computer, so if I just press this button you can hear it whirring around.

Tim - That’s the webcam just turning around. This would be used if you’ve got a baby upstairs, instead of having one of those old fashioned walkie talkies, you can see what you’re baby’s doing - if they’re upset or the need some attention?

Steven - Yeah. It’s got an infrared camera; it can see in the dark. It’s got a microphone so you can hear what’s being said and it’s also got a speaker so you can talk to the baby.

Tim - That sounds fantastic. So what can go wrong with one of these internet connected versions?

Steven - What turned out is that there were enough of these that were connected to the internet without any reasonable security and people were able to scan for all of these. Some of these were just dull cctv cameras looking at car parks but other ones actually had children in front of them. One parent discovered that the child was afraid of going to bed at night because there were voices and the parent just thought this was a nightmare. But it turned out that there were some people who were hacking into this camera and then saying things to the child overnight. It was only after quite some time that the parent heard this and worked out what was going on.

Tim - That’s absolutely horrifying to find out that you buy this thing to look after your child but actually someone one the internet’s out exploiting it so how can that be avoided? What should someone do who wants this tech but needs to make sure that their child isn’t being spoken to by a strange person on the internet?

Steven - The standard of devices to do something like change the passwords, which is a good idea, but really I think the government needs to take more responsibility. The Royal Society published a report - I was on the steering committee - which said there should be some way for customers to be able to tell the difference between a device that is designed to be secure and will keep itself secure, from everything else out there which is terrible. I think once that has been put in place, and there are some signs that the National Centre for Cybersecurity will do it, then customers will be in a much better situation of being secured, but not having to jump through ridiculous hoops to do so.