Once upon a time, people distinguished between cyberspace, the digital world of computers and hackers, and the flesh-and-blood reality known as meatspace. Anyone overwhelmed by the hackable perils of cyberspace could unplug and retreat to the reliable, analog world of physical objects.
But today, cheap, WiFi-connected computers have invaded our physical world. They’re now embedded in everything from our homes and toys to our cars to our bodies. And this year has made clearer than ever before that this Internet of Things introduces all the vulnerabilities of the digital world into our real world.
The new USA Network show Mr. Robot clearly demonstrates this vulnerability in Season 2, Episode 1, where a homeowner has her smart home completely hacked, rendering it uninhabitable.
The BBC recently ran an experiment to test the security of IoT devices installed in a smart home.
The BBC's experiment brought together seven computer security experts who have been looking into so-called smart gadgets to find out how many they could subvert.
And how many could they crack the security on?
All of them.
"With most of them, if you can connect to it you can own it," said James Lyne, head of security research at Sophos.
In common geek speak, to "pwn" something is to own it, which means to compromise or control it, specifically another computer, appliance, web site, gateway device, or application. The term is used synonymously with hacking or cracking.
The BBC set up a house filled with a variety of smart gadgets and asked researchers to demonstrate how easy it was to crack the security systems on them.
Liam Hagan, a researcher from security firm Nettitude, said he was "shocked" at the poor job baby monitors and WiFi cameras did to protect the pictures and sounds they were gathering.
"One of the big issues is that one WiFi video camera makes itself available to the internet regardless of your firewall," he said. "Anyone who knows your IP address would be greeted with the login screen for the camera."
With one camera he tested, entering a default login name and password granted access to the images and sounds the device was capturing. There was no prompt to change these credentials to protect privacy, he said.
Statistics gathered via the Shodan search engine, which catalogs devices and industrial equipment attached to the net, suggest there are more than 120,000 of just this one poorly protected gadget online already.
It was hard to know how many were giving strangers a look into homes up and down the country, he said, as there was no legal and ethical way to probe them.
The vulnerabilities in the device emerge from the very basic web server software it uses to post images online. That insecure software is currently being used by more than five million gadgets that are also already online.
More worryingly, he said, one WiFi camera he tested had what is known as a "cross-site scripting" vulnerability that lets an attacker inject their own code onto the device. This, said Mr Hagan, could be used to turn the video camera into a sniffer that could look for what else was on the network and let an attacker "pivot" to other more interesting systems such as PCs, smartphones and tablets.
Researchers from NCC Group managed to take control of several different devices including smart plugs that can be controlled via WiFi, a wireless music system and a Blu-ray player.
Felix Ingram, from NCC Group, said vulnerabilities in a widely used networking system called UPnP helped his team take control of these devices.
UPnP was known to be vulnerable, and toolkits already exist (one of which was written by an NCC Group researcher) that look for devices using the networking protocol and try different vulnerabilities against them.
Many of the devices used UPnP to reach servers out on the wider net, potentially exposing them to attackers. Built-in passwords that could not be changed made these ripe for exploitation, he said.
Enter the FIREFX Network Guardian, a military grade security appliance with one purpose... Protection! The FIREFX Network Guardian will help you grow your monthly recurring revenue while protecting the business and home networks you are responsible for. Contact FIREFX today to discuss this new product line!