implement controls to lock out accounts if too many unsuccessful login attempts were made
in a given period of time.
This celebrity breach demonstrates how the use of a static password makes it easy for
potential attackers to gain access to private information. Sophisticated IoT devices such as the
Tesla Model S also use static passwords that can be easily guessed, allowing attackers to track
vehicles, unlock them, and even start them and drive away.
In addition to the cloud infrastructure implemented by the IoT device manufacturers
themselves, platforms such as IFTTT and Apple’s HomeKit will be included in the potential
attack surface. We’ve already seen how easy it is to connect our online spaces, such as email
and social networks, with IoT devices such as lightbulbs and door locks. Compromising
someone’s IFTTT account gives the attacker control over all of the virtual and physical services
tied to the victim’s account.
Apple’s HomeKit service, which is built into iOS, is another example of a platform that
will be of interest to attackers. The HomeKit service allows IoT device manufacturers to
seamlessly work with Apple devices, even allowing the users to control their devices remotely. The
goal of HomeKit is to allow users to easily set up new devices and then control them using
Siri. Other big software companies like Google and Microsoft are also implementing
frameworks like HomeKit to enable the emergence of consumer-based IoT devices. Frameworks
and services such as these will become popular since they allow users to seamlessly interact
with and control their IoT devices. Apple has done a good job of setting clear guidelines
stating that developers who use HomeKit must not leverage the data gathered from the APIs for
advertising and data mining. However, cybersecurity researchers and malicious attackers
(including disgruntled employees who have access to these systems) will be drawn to potential
vulnerabilities in such services that can be exploited to gain access to data available from
various devices in the victims’ homes.
In the recent past, breaches of cloud services have contributed to loss of privacy for
victims and financial gain for attackers. In the near future, attackers will look into exploiting
cloud services to gain access to and abuse the functionality of IoT devices to further invade
our privacy and potentially compromise our physical safety.
Backdoors
There have been various reports that the NSA may have intercepted devices such as network
routers and planted backdoors in them. (A backdoor is a software or hardware modification of
a device that allows the modifier to monitor and control the device remotely.) American
government agencies have also aggressively lobbied for popular hardware and software
manufacturers such as Apple, Google, and Microsoft to build in mechanisms that would allow law
enforcement agencies to monitor and obtain data from personal devices such as smartphones.
The Chinese government is routinely accused of building backdoors into hardware and
software produced in that country. Given that China is a major hub of hardware production,