By Charles Miller
A growing number of people are buying IoT (Internet of Things) devices with little understanding of how they work. Not to pick on those light bulbs that can be turned on, off, or dimmed using your smartphone, but they are a good example. Logically, all that would be necessary to do this is to screw in the light bulb, download the appropriate “app” to your smartphone, then use it to connect your phone to the light bulb(s). It seems that simple; however, there is much more happening behind the scenes.
Because the configuration of most IoT devices happens locally (that is, inside your private home network), many people believe that is where it ends, but this is rarely the case. What is almost always true is that your internet-connected light bulb opens a connection to a remote server, for example in Guangdong, China, to announce, “Hey, I’m a light bulb in San Miguel de Allende, Mexico, does anyone want to connect to me?” Then your smartphone app also opens a connection to that server in Guangdong, China, and asks, “Are there any light bulbs in San Miguel de Allende I can control?” The server in China makes the connection between light bulbs advertising their availability in Mexico and your smartphone app in Mexico seeking nearby light bulbs. Now you can turn on the lights.
The problem with this is that a potentially HUGE security vulnerability has been created. Last week, I explained how natting routers protect you by routinely blocking incoming connections from outside unless you had previously sent outgoing traffic to the same address. In other words, the company in Guangdong, China, has no way to access your private home network and all the computers, phones, and so forth, connected to it unless a connection request comes from inside your house. And your internet-connected light bulb(s) open that door when they create an outgoing connection to the server in China.
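The router behavior described above, as a small model of a NAT connection table. This is an added example, not part of the original column; the class, the ports and all addresses are constructed for illustration, and it assumes a router that only accepts replies from the exact remote endpoint a device contacted.

```python
# Toy model of a home NAT router's connection table (added illustration).
# All addresses are constructed: RFC 1918 private and RFC 5737 documentation ranges.
from itertools import count


class NatRouter:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self._ports = count(40000)   # next free public-side port
        self.table = {}              # public_port -> (lan_host, lan_port, remote)

    def outbound(self, lan_host, lan_port, remote):
        """A device inside the house opens a connection; the router records it."""
        public_port = next(self._ports)
        self.table[public_port] = (lan_host, lan_port, remote)
        return public_port

    def inbound(self, remote, public_port):
        """Return the LAN endpoint an outside packet is delivered to, or None if dropped."""
        entry = self.table.get(public_port)
        if entry is None:
            return None              # nobody inside asked for this traffic
        lan_host, lan_port, expected_remote = entry
        if remote != expected_remote:
            return None              # mapping exists, but for a different remote
        return (lan_host, lan_port)


def demo():
    router = NatRouter("198.51.100.7")
    bulb = "192.168.1.23"                 # constructed light bulb address
    vendor = ("203.0.113.10", 8883)       # constructed vendor cloud server
    stranger = ("192.0.2.66", 4444)       # constructed unrelated internet host
    results = {"before_bulb_connects": router.inbound(vendor, 40000)}
    port = router.outbound(bulb, 51544, vendor)   # bulb "phones home"
    results["vendor_reply"] = router.inbound(vendor, port)
    results["stranger_same_port"] = router.inbound(stranger, port)
    results["vendor_other_port"] = router.inbound(vendor, port + 1)
    return results


if __name__ == "__main__":
    for case, delivered_to in demo().items():
        print(f"{case:22} -> {delivered_to}")
```

Before the bulb connects, the vendor's packet is dropped; afterwards, traffic from that server is delivered to the bulb for as long as the mapping stays in the table.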
Once that outgoing connection is made, it is almost as if your light bulb is saying to the server in China, “C’mon in and look around! There are computers, phones, TVs, security cameras, and a lot of other interesting stuff to hack.” Now, I am absolutely not insinuating that the light bulb manufacturer in China would do anything nefarious, but the connection through your router has been opened, and that connection could be hacked by anyone, not just the light bulb manufacturer. This is why it is not far-fetched by any means to say that your bank account could be hacked through an internet-connected light bulb.
To be sure, if cybercrooks somehow managed to use the connection through your light bulb to steal your life savings from your investment account, the light bulb manufacturer would say, “So sorry,” but I doubt they would offer to compensate for your loss. This is why it is becoming more and more imperative to consider the consequences of willy-nilly plugging IoT devices into your home network. The next column in this series will have more to add to this, so remember to get your copy of Atención then.
Charles Miller is a freelance computer consultant, a frequent visitor to San Miguel since 1981 and now practically a full-time resident. He may be contacted at 415 101 8528 or email FAQ8@SMAguru.com.