Why’s everyone “trippin’” about IoT devices?

06/19/2019

According to urbandictionary.com, the somewhat “official” definition of “trippin’” is “when someone is overreacting or getting all ‘bent out of shape’ over something small.” And while most of the more popular IoT devices have a small physical footprint — for example, Google Home is only 3.79 inches in diameter, 5.62 inches in height and only 1.05 lbs., while on the other side of the ring, fighting for market share, is the Amazon Echo Plus Voice Controller, 2nd Generation, standing at 5.8 inches tall, 3.9 inches in diameter and weighing in at 27.5 ounces — they can pack a huge, unsettling punch when it comes to security.

Having taken an interest in IoT devices in terms of security, I’ve written previously about what connected smart home IoT devices are REALLY doing as well as covered IoT devices from the perspective of trust, in which California is the first state to pass a bill, Senate Bill No. 327, that will require IoT manufacturers to equip devices with “reasonable” security features, effective in the year 2020. Maybe government control of IoT devices is a step in the right direction, maybe not, but the fact remains that, according to a report from Zscaler, over 90 percent of data transactions from 270 different IoT devices developed by 153 device manufacturers, including smart watches, digital home assistants, medical devices, smart glasses, industry control devices and more, are UNencrypted! This exposes these devices to hackers intercepting traffic and stealing or manipulating data, known as man-in-the-middle (MitM) attacks.

Let’s take a moment to explore a real-life MitM attack and how these attacks can rob people just like you and me of our security. 

Meet Paul and Ann Lupton from England: happy, proud grandparents of baby Oliver, who had purchased a flat (aka apartment) in south London for Oliver’s mother and their daughter, Tracey. After the birth of Oliver, Tracey moved to a bigger home, so the Luptons decided to sell the flat for approximately $429,200 … quite a nice chunk of change and apparently some “others” thought so too.

Perry Hay & Co. in Surrey emailed Mr. Lupton requesting his bank account details for the money from the sale to be paid into, and he replied, sending his Barclays bank account number and sort code (a six-digit number that identifies the bank, in this case Barclays, and the branch where the account is held). This seemingly innocent action led to his email getting intercepted by fraudsters who posed as Mr. Lupton, quickly emailing Perry Hay & Co. again from Mr. Lupton’s email account and instructing the company to disregard the previous banking information and send the money to a different account.

The sale completed and Mr. Lupton, none the wiser, sent the funds to the criminals’ account totaling almost half a million U.S. dollars! 

Mr. Lupton responded by contacting Perry Hay & Co. and the crime was (very fortunately) discovered, and it was fairly easy since Barclays was the account provider for all three involved — the Luptons, Perry Hay & Co. and the fraudsters (hmmm, maybe not too smart on their part?!). The Luptons ended up retrieving about $342,000 of their money.

While the Luptons’ situation didn’t involve IoT, per se, and it did have a rather happy ending since they got some of their money returned, it demonstrates what could happen if a hacker taps into one of your IoT devices, your smart home speaker, for example, and listens while you discuss private issues with your household — account numbers, addresses of schools your children attend, when you’re going on vacation so your home can be burglarized and the like.

By no means am I an IoT “hater” (as Urban Dictionary so eloquently puts it). I understand the useful and positive impacts these devices can have on the everyday; however, I do believe security should be the top priority when introducing an IoT device into your life.

Maybe more manufacturers should be “trippin’” and then “encryptin’” their IoT devices’ data!
