The truly smart home is closer than we think. A world where the toaster talks to the kettle, and the refrigerator knows that when you run out of milk it should go ahead and buy some more. A utopia where household appliances work for the homeowner.
Manufacturers have already spied this opportunity. A home littered with smart devices that are in tune with the behaviors and requirements of millions of consumers worldwide can provide access to innumerable quantities of product usage data and market research. This is why the Internet of Things (IoT) is at the top of so many manufacturers’ priority lists.
However, within your brand new smart kettle’s wiring lurks something more sinister – an entry point for cybercriminals to access your home network.
At our recent PCI SSC Community Meeting in Edinburgh, Ken Munro of Pen Test Partners demonstrated this vulnerability by hacking into a smart kettle in less time than it takes to boil one. By hacking into one vulnerable appliance, a criminal gains access to everything on that appliance’s network, including your PC, smartphone or tablet.
Because the kettle gives out the network SSID and has a default password that the consumer cannot change, the criminal is now in your home network. From here they can re-route all outgoing data through themselves: a perfect ‘man in the middle’ attack. Whenever you use your PC to log into your bank account, or order anything online, the criminal sees it all. Passwords, card details, the lot.
Just like the home, the threat of IoT is also coming to your business. And the threat is enormous. The sheer amount of payment data that is potentially accessible through weak entry points, like kettles in office kitchens across the world, is simply unthinkable.
To combat this, both manufacturers and businesses have to step up, before the market is flooded with unsecured digital appliances.
For manufacturers, understanding the danger of adding insecure Wi-Fi and Bluetooth features to products that end up on a network is imperative. These features must be configured securely, with well-defined secret passwords that the consumer can then change.
For businesses, shutting the barn door before the horse has bolted is critical. The world’s most effective security standards to make payments safer must be implemented before data is compromised. Cyberattacks result in enormous financial loss and reputational damage to businesses. More and more companies are waking up to the fact that cybersecurity isn’t just a tech issue anymore; it’s now a major business issue.
The PCI Security Standards Council provides the world’s most effective security standards and programs for safe payments, which help organizations prevent, detect and mitigate cyberattacks that can lead to data breaches and fraud.
Jeremy King is International Director of the PCI Security Standards Council