>> HIT THE PANIC BUTTON ON IoT SECURITY - EVERY YEAR?

Sometimes it is not good to be too far ahead of your fellow engineers in your field of expertise.

While monitoring my social media feeds; I noticed a splurge of posts where security experts are now trying to wake people up with the concept of IoT security and when gadgets attack. It dawned on me; why is it becoming such a mainstream topic now and not two or three years ago when some of us were pushing the concept out there? In addition; are the new threats really as bad as they suggest? Well - the answer is not that simple, basically.. it depends.

I knew I had a feeling i covered this before, more specifically my blog post in 2014.

So; what exactly is the risk we are talking about here? To be honest; a simple IoT device will have a dedicated task - designed to do exactly one thing and just that. Such is the case of projects being made to monitor the weather at your home, or send you an alert when some environmental conditional (from a sensor) is tripped. What exactly could a hacker do with such an IoT device?

It really depends on what underlying platform was chosen for the device.

I covered this in one of my security presentations I held while working at Evothings and attending conferences in 2014 and 2015. A big question about security comes down to if your device is actually needs to be secured or not. What's the point of putting TLS encryption for a weather monitor at my house? Zip. The real question comes down to if a hacker can actually re-purpose an IoT device for their own purposes, like spying or running malware.

When building an IoT product, you are given two options depending on the type of hardware you use - either you build a barebones sketch or you tie into an existing operating system and run your sketches within it. In all honesty; hacking a barebones device is effectively impossible; unless you expose a backdoor in the firmware (unlikely) or you hook up via USB to flash a new firmware on it.

Now; if the IoT product designer decided to simply slap on a stock standard operating system such as the likes of Raspbian or a derivative of Linux, yet not remove any services that are unncessary for operating the device for its intended purpose - then, there is a potential problem. This is where a true threat arises in the world of IoT - repurposing your IoT device for performing other tasks.

Your new baby monitoring camera is designed to provide you live footage of your baby as they sleep - but what if it was secretly doing something else with the 80% CPU resources that are currently not being utilized because it is either over powered or doesn't need to be streaming data to your mobile device at 25fps and sits idle? A good hacker wouldn't break its function.

Let's assume that someone forgot to remove sshd or a similar service from the device - a 0day exploit comes out or, god help us if they didn't change the default passwords; and the hacker has root access. They can now upload new applications and write scripts on your hardware.

All of a sudden, millions of baby monitoring cameras are now part of a massive botnet designed for performing DDoS (distributed denial of service) attacks all from the comfort of your own home - while you are none the wiser. Heck; the monitoring device still does what you purchased it for.

In reality; you simply need to have faith in the companies you buy your IoT products from - or, setup a suite of hacker tools to see if what you just purchased is vulnerable or not. The chances are - they are crying wolf over something that isn't even needed.

It will however, be a long time before we see any form of standards on this - as many say, it should have been defined from day one. What is needed is a set of guidelines that product manufacturers can abide to in the form of a checklist to make their products hacker proof - number one on the list being change default passwords and disable anything unecessary. It looks liek some are trying to form a standard, like SOFA - but that wont solve underlying problems.

As for those who turn off heating or other critical systems - they are no hackers, they are scum.