Networked cameras watch your children sleep. Remote sensors monitor your movement. Tiny microphones listen to your personal, intimate conversations. In the near future almost every home will be a smart home, presenting new opportunities, markets, and benefits for companies and consumers. But according to cybersecurity experts, the connected home is also an easily weaponized home.

The Internet of Things–networked gadgets that gather data and provide useful feedback, such as baby monitors, refrigerators, fitness trackers, and personal assistants like Amazon’s Echo–is a rapidly growing market. The Industrial Internet of Things (IIoT) alone is expected to reach $151 billion by 2020 and could be eclipsed by the Personal Internet of Things (PIoT), said Carson Sweet, CTO and cofounder of security firm CloudPassage.

“Thanks to cloud tech, all your personal devices are more connected than ever,” Sweet explained. “Your mobile phone syncs with your personal computers and tablets; your home automation systems integrate with your mobile phone; your automobile has a web portal and a phone app… It’s IoT at the personal level, and it generates enormous amounts of information about where you go, what you buy, who you associate with. And this information has never been more integrated, correlated, and accessible than ever before. And most people don’t even know what data is being collected, generated, or synthesized about them.”

Home automation and personal IoT devices provide tremendous benefit to consumers and companies but also “present a tiny but significant mini-enterprise to attackers,” Sweet said, because home devices will never be as well maintained as corporate devices.

“We’re not doing a killer job at [protecting corporate devices] to begin with… personal devices are very vulnerable simply based on the discovery of vulnerabilities in software coupled with poor maintenance. [For example], do you know what your Kindle’s patch level is? Your refrigerator? Your smart TV? Your thermostat?”

Sweet is concerned that IoT devices are particularly vulnerable to being compromised and “drafted into a zombie army, meaning they become part of a massive [botnet] attack network like the one dubbed Mirai that recently took down multiple internet sites in a huge, sustained distributed denial of service attack.”

Vulnerable personal devices are not new, Sweet said, but in 2017 expect to see gigabit home internet driving many new attacks. “Already available to 50 million consumers, gigabit connectivity as a hot attacker focus will truly explode if vulnerabilities in popular home devices can be exploited mechanically,” he said. “Keep in mind that the massive DDoS attacks that we saw from the Mirai botnet were based on seeking and exploiting vulnerabilities in long-forgotten devices [such as] IP cameras and recorders.”

The home and IoT devices become weaponized, Sweet said, when a threat actor like a hacker delivers an exploit to a popular personal device, then writes code to iterate and spread the malware rapidly. “The development of ‘point-and-shoot’ exploit tools is the essence of weaponization of vulnerabilities. The recent version of the Mirai botnet, for example, weaponizes severe vulnerabilities in IP cameras and DVRs by using worm behavior. An infected device immediately starts seeking other devices to affect. This chain reaction creates force multiplication that converts a seemingly simple vulnerability into something that can be used for a variety of highly impactful, nefarious purposes.”

Large-scale personal IoT exploits can also be used to “whale phish,” or target wealthy and powerful individuals without the target’s knowledge. Home IoT devices are a significant threat because “the amount and sensitivity of data offered by personal IoT devices is far greater than what can be gleaned from social media.” This data can be used to exploit or blackmail CEOs, corporate decision-makers, politicians, and other public officials, Sweet said.

There is no quick, single-fix solution, Sweet said. But he advised that device makers can improve security by settling on software and firmware standards and implementing patch protocols that quickly fix bugs. Encrypting data can also help mitigate risk. But as access to the private information of citizens and corporations becomes easier for hackers, law enforcement, and intelligence agencies, Sweet warned data insecurity trends will continue. “I would expect to see… attempts at policies that compel commercial technology providers to give up data without disclosure of requests or releases. I would also expect to see more aggressive attempts by U.S. agencies to gain access to foreign nationals’ data resident in the systems of U.S. based technology providers.”