Late last month, in the wake of the Mirai malware attack – in which millions of home devices, from DVRs to webcams, hit core internet providers with a massive denial-of-service attack – Andrew McGill of Atlantic Media ran an experiment to understand how long it would take for an unprotected connected home device to be attacked by hackers. With the help of Amazon’s web services, McGill created a fake “smart toaster” connected to the internet and waited. Within forty minutes, the first hacker attempted to wrest control of the toaster. From then it took only an additional fourteen minutes for the next attack. By the end of the day, McGill’s toaster had been attacked over 300 times.
Forecasters estimate that there are already 4 billion connected devices in use by consumers, and that we will have over 13.5 billion connected consumer devices by 2020. From your smartphone to your smart vacuum cleaner (cats and Roombas, anyone?) to your programmable Christmas lights, connected, smart devices are building out a ubiquitous, machine-to-machine internet. Inert devices connected to nothing other than an electrical outlet will become the exception, not the rule. With this increased ubiquity comes a broader attack surface for potential hackers to compromise and many more potential sources of data breaches, involving data that we may not even recognize is being collected as we go about our daily lives. As one friend likes to point out, when welcoming Amazon’s Alexa system into the home, it’s nice to think that you can press mute and prevent it from recording inside the home, but if the device is compromised, that mute button may just turn on a red LED.
Making the challenge more difficult, many hardware manufacturers are decades behind their software and computer compatriots in engineering cybersecurity into their product design. The recent Mirai attack was abetted by the number of manufacturers that released devices into the world with little but flimsy factory-programmed passwords protecting them. As McGill discovered in his adventure with the fake smart toaster, these factory-programmed passwords are often the first to be tested by hackers in an effort to take control of a device. But for most consumers, managing the passwords on their computer and smartphone is already a struggle – and to be honest, when was the last time many of us changed these passwords? Or even realized that our smart toaster had a password? And are we, the consumers, really the ones responsible?
Enter Icon Labs, which helps traditional manufacturers navigate the cybersecurity morass associated with connecting devices to the Internet of Things. By providing off-the-shelf and customizable cybersecurity solutions that can be “embedded” on physical products and devices, Icon Labs is providing a much-needed solution for over 100 original equipment manufacturers, from Maytag to GE. Icon Labs is just one of several players in the estimated $20 billion Internet of Things cybersecurity market. Icon Labs specializes in providing solutions that work for connected devices, recognizing that the small memory and processing capacity of these devices presents unique challenges when it comes to protecting them. In addition, Icon Labs helps manufacturers manage and protect device passwords, recognizing that factory-produced passwords are often the first to be compromised, as they were with the recent Mirai attack.
Icon Labs’ services may become even more valuable for manufacturers as the legal and regulatory regime surrounding the Internet of Things evolves. The question of who is responsible for maintaining the security of connected devices is still an open one today – but increasingly it looks like the original manufacturer may foot the bill. Already, the Federal Trade Commission has taken one enforcement action against a device manufacturer for selling insecure internet routers. And perhaps in recognition of potential product liability, a webcam manufacturer has issued a recall for several of the webcams that were used in last month’s Internet of Things denial-of-service attack.
The Internet of Things is growing quickly as more devices, from your doorbell to your toaster oven, become connected to the internet, with more machines using the internet than human beings. Cybersecurity for the Internet of Things will have to grow up even faster. Companies like Icon Labs are well positioned to sell a much-needed service to product manufacturers looking to prevent their appliances from becoming robotic slaves to the botnet.
Image Credit: Disney’s Brave Little Toaster, from Wikia
McGill, Andrew. The Inevitability of Being Hacked: We built a fake web toaster, and it was compromised in an hour. The Atlantic. October 28, 2016. (http://www.theatlantic.com/technology/archive/2016/10/we-built-a-fake-web-toaster-and-it-was-hacked-in-an-hour/505571/).
Icon Labs Company Website. (http://www.iconlabs.com/prod/about).
Business Insider Intelligence. IoT Security Market Report. February 2016. (http://www.businessinsider.com/iot-devices-are-changing-cybersecurity).
Waddell, Kaveh. Who’s Responsible When Your DVR Launches a Cyberattack? The Atlantic Monthly. October 25, 2016. (http://www.theatlantic.com/technology/archive/2016/10/whos-responsible-when-your-dvr-launches-a-cyberattack/505322/).