“If you plug something into the electrical grid in the future, you will also plug it into the internet grid,” Mikko Hypponen, F-Secure’s Chief Research Officer, said at the launch evening of Vodafone IoT Hackathon at the Digital Catapult Centre in London, before introducing the “law” he has coined to explain the risks of the emerging Internet of Things, which he sometimes refers to as “The Internet of Insecure Things.”
Hypponen’s law goes like this:
Whenever an appliance is described as being ‘smart’, it’s vulnerable
“So here we have a ‘smart’ phone — a vulnerable phone,” he continued. “A smart watch — a vulnerable watch. Smart car… Smart city… You get the point.”
These vulnerabilities, he argues, all stem from a basic fact of computing: If something can be programmed, it can be hacked.
“And in some cases, it may be devices that aren’t traditionally connected to the Internet.”
One example? An IoT mattress.
Yes, an IoT mattress:
“They actually put sensors inside the mattress,” Mikko said. “And then they have an app that will warn you when you’re out of your house if someone is using the mattress without your knowledge in a ‘suspicious’ way. This is a real product. They really are making this.”
So what’s the problem with connecting everything to the internet?
“Last month we found a vulnerability in dishwashers,” he said. “When you connect to the web server on a Miele dishwasher, there would be a Web Server Directory Traversal vulnerability and by using this getScript, you would actually get the password from the system.”
He paused for a moment.
“Let me just repeat the beginning of my last sentence,” he said. “When you connect to the web server on your dishwasher… What? Why would you have a web server on your dishwasher?”
Why, indeed? Is it even for your benefit?
“This is the world we’re going to,” Mikko said. “It’s going to happen whether we like it or not.”
Which is why we all better learn Hypponen’s law and prepare accordingly.