In the past few years, the Internet of Things has caused an uproar of excitement in the tech community. Apple, Amazon, Google and Samsung have been locked in a race to unleash a torrent of new devices, and by 2020, Gartner estimates that 25 billion connected devices will be in use.
The excitement isn’t misplaced. The technology is exciting, considering it wasn’t long ago that TV and movies were boasting about the future interconnectivity of the world. The IoT will turn many of those childhood imaginings into reality for consumers.
Unfortunately, in the rush to throw themselves over the bleeding edge of technology, many companies haven’t taken the necessary steps to ensure those devices are secure. Think of the IoT as the tech industry’s drunken bender: Everybody’s having a great time, but nobody thought to bring a designated driver to the party.
The monster lurking in the smart fridge
The prospect of a smartwatch that can help you lose weight or a refrigerator that can tell you to buy eggs is exhilarating, but few consumers are aware of the risks those connected devices pose. After all, who cares if a hacker sees that you didn’t walk 10,000 steps? Most people don’t consider that those devices can allow hackers to access valuable data or even cause bodily harm.
For instance, hackers recently uncovered a bug in a Samsung smart refrigerator that would allow them to steal users’ Gmail login credentials through a man-in-the-middle attack. With those credentials, a hacker would have access to everything from your other login credentials to the mobile apps on your phone.
The idea of personal data falling into the wrong hands from a seemingly innocuous appliance is scary, but when you take a Bluetooth remote and connect it to a device that zooms down the street, the consequences become terrifying.
Hacks that pose a physical danger
When Stripe security engineer Richo Healey’s electric skateboard came to a dead stop and pitched him into the street, his first thought was that his board had been hacked.
In reality, Bluetooth noise from Healey’s neighborhood had caused the device to malfunction, and he and fellow security expert Mike Ryan launched into a research project on Bluetooth sniffing.
During the course of their research, Healey and Ryan discovered that three popular electric skateboard manufacturers didn’t encrypt communication between their boards and remotes, so hackers exploiting the vulnerability could cause a board to stop abruptly, cut the brakes or make the board fly into reverse.
As if the FacePlant hack wasn’t bad enough, Charlie Miller and Chris Valasek recently uncovered a bug that would allow a hacker to hijack any Chrysler vehicle with a vulnerable Uconnect computer and send commands through the vehicle’s entertainment system.
In one experiment, the hackers took control of a Jeep Cherokee driven by a human crash test dummy. As the Jeep barreled down a busy highway, Miller and Valasek cranked up the stereo, cut the transmission, disabled the brakes and finally sent the Jeep into a ditch.
After scanning the wireless network for vulnerable vehicles, Miller estimated that there were 471,000 hackable vehicles on the road that could be commandeered. Chrysler released a security patch when the team notified it of the vulnerability, but the auto industry as a whole has been slow to implement tighter security measures.
In 2013, U.S. Senator Edward Markey sent a letter to 20 automakers asking them about their security practices. Of the 16 respondents, fewer than half said they had hired third-party security firms to test their vehicles for vulnerabilities, and only two had monitoring systems in place to check for malicious commands.
Miller and Valasek presented their findings at the Black Hat security conference last month. Other speakers included a pair of researchers who discovered how to disable and change the target of a Wi-Fi-enabled sniper rifle and another team that showed how a chemical plant could be hacked and manipulated.
Of course, tampering with chemical production is exceedingly complicated, but the millions of smart devices taking residence in homes and businesses are much easier to hack.
Weighing the real risks
In reality, it’s unlikely hackers would waste their time messing with electric skateboards for the sole purpose of injuring riders. But as criminals figure out how to hijack these devices, they could pose an enormous risk to public safety and the global economy.
The types of hackers vary wildly from disgruntled former employees to politically motivated cyberterrorists. However, most hackers are looking for some sort of return on investment (e.g., money, notoriety or political gain). The more smart devices that make their way into people’s lives, the easier it is to siphon or extort money without getting caught.
For instance, if hackers invested in natural gas and then found a way to install a virus in every Nest thermostat across the country, a 1 percent to 2 percent uptick in energy usage would be enough to generate millions in earnings. Or consider the possible threat of your Internet-connected car being bricked for ransom. PC-based “ransomware schemes” have been on a steady rise, and a recent report shows they often yield a whopping 1,425 percent ROI. This kind of attack has been used aggressively on mobile phones, so the move to personal vehicles seems inevitable.
The IoT isn’t going away, and these risks don’t mean we shouldn’t use connected devices. But if we’re going to continue pushing the boundaries of our Internet-connected world, we need everyone on every level within a company to accept ownership of security standards and to recognize that we’re trying to create a safer world.
The IoT has the ability to make our world a better place — one filled with healthier people, greater efficiency and more access across the board. Like any raging party, it’s going to be a lot of fun, but we need to have the foresight to think moderately so we don’t pass out in the middle of the street before morning.
Daniel Riedel is the CEO of New Context, a rapidly growing consulting company in the heart of downtown San Francisco that specializes in lean security and helping companies build better software. Daniel has experience in engineering, operations, analytics and product development. Previously, he founded a variety of ventures that worked with companies such as Disney, AT&T and the National Science Foundation. Reach him @riedelinc.
This article originally appeared on Recode.net.