"If I can hack my lights I can probably do the same for my neighbour's room..."
Purism CTO Zlatan Todorić: 'The Internet of Things is really horrible'
Hacking a website is so 1990s. Today, hacking Internet of Things (IoT) devices is where the cool hackers are hacking.
And, in many cases, it's almost an open door. A short while ago, while staying at a London hotel, security developer Matthew Garrett hacked the light controls in his room, then blogged about it.
He's not the only one, though. "I did the same thing," said Zlatan Todorić, chief technology officer at Purism, a developer of laptops and open source software, speaking to V3.co.uk sister publication Computing at the Privacy Advantage event in London last week.
"I noticed that there was this sort of smartphone to control all the lights and I thought 'ah, this is some sort of IoT device'. If it can send and receive signals it must have a network interface, and if it has a network interface then awesome, it's exploitable."
With a little effort Todorić hacked the system and succeeded in controlling the lights in his room from his laptop.
"Then I thought, if I can hack my lights I can probably do the same for my neighbour's room and I gave him a special light show and I could hear him shouting and complaining ‘what the hell's going on?'" he laughed.
"So, then I thought let's take it to the next step. The servers must be on the same network, so I looked around and found them in the clear, unprotected. So I hacked their servers and then I went down and told them what I'd done and said 'you really need to change this'."
So far, so geeky hi-jinks, but what this shows is just how vulnerable such systems are to those with a bit of technical know-how if they are not properly secured. As "smart" devices proliferate, they open up a huge range of potential entry points for hackers.
"The Internet of Things is really horrible," Todorić said. "Everyone's excited by their toaster being smart, but it's not smart, it's stupid. There's no such thing as a smart device. [A human being] creates software that says computationally how that thing will work, and that's all it does. It's stupid.
"Don't give information to your fridge. Don't give your information to a toaster. If I hack your toaster and it's connected to your phone I'm going to hack your phone. If I hack your phone I can get to your inbox and I can create fake data about you if I want to."
In Computing's latest research, device and data security (or the lack thereof) and a need for proper data protection and privacy frameworks were found to be the chief impediments to the wider adoption of connected IoT devices.