Irvine: I have not heard of a specific example where it has happened. [As a hacker], I may not actually use your alarm system or your heating, your AC that I can see sitting on your Wi-Fi network, while I'm sitting out in the front yard, to affect those systems. I may implement a virus that gets on your network and now it affects your network, and I'm able to grab your user IDs and passwords and get your financial information moving forward.
It's just the fact that all of these things are on the Internet and unsecured. They have no antivirus available for them. They have no other means of securing them. They are the weakest link in your network. Hackers can get into them, they can target them with malicious applications to infect your PCs, and now get your financial information and your identity.
CIO: People are excited about the IoT, and there's clearly a lot of promise and potential there. Security concerns aside, what excites you most about IoT?
Irvine: I do really appreciate the idea of having an alarm system that will remotely allow me to check my environments. You hear about people on vacation, they get an alert, they see somebody robbing their house, and they're able to call the police.
That's exciting. That's a real opportunity for individuals to protect themselves. The problem is doing it in an insecure manner.
CIO: How would a hacker gain access to consumer IoT devices? Is the commonly used Wi-Fi security, WPS or WPA, good enough to protect the average user's home wireless network?
Irvine: Most likely [hackers] are going to steal your information the same way they're stealing everything else, with a virus or malicious application that you download from the Internet. Your PC is going to be breached, it's going to gather all your information, send it out in a script to somebody, and now they're going to have all your information. Antivirus solutions only protect you against 30 percent of known viruses and malware.
There's the potential of people sitting outside in the front yard, seeing all of your devices and going from there. WEP is a very insecure wireless security protocol which is still in use. WPA is more secure, but most individuals still leave their wireless network to broadcast, so I can see all the traffic going across it, I know there's a network there, I know the SSID.
CIO: Are there specific types of IoT devices that are more risky than others? Should consumers be more wary of one connected-home gadget than another?
Irvine: They're pretty much all of the same risk type. There are a couple companies out there that are doing connected smoke alarms and thermostats and the alerting-type systems, which are fairly unique in that they will ride on your existing Wi-Fi network; however, if you don't have a Wi-Fi network, or if you choose not to use it, they will create their own Wi-Fi segment [using Wi-Fi Direct] so they can communicate with each other and provide access through a single keypad. Those are really nice because they mitigate risk by segmenting them from your Wi-Fi network.
CIO: Do you personally use any of these gadgets and services we discussed?
Irvine: I do not personally use them, because I don't trust them.
CIO: What's the most important advice you can give consumers who are diving into the IoT?
Irvine: There'd be two things: Put [the IoT devices] on a separate network, on a VLAN; and only communicate to them with a VPN. Don't allow any non-encrypted traffic to communicate with them. So segment them and communicate with them over a VPN. Use different user IDs and passwords. And use complex passwords. Alphanumeric, upper case, lower case, special characters. Not just "12345" for a password. Complex passwords.