The Globe and Mail

Security expert Ted Harrington says hackers exploit smart devices as a point of entry because they are often poorly protected.

Darren Calabrese/The Globe and Mail

This article is part of a series called The Future is Smart: How the Internet of things is changing business.


When it comes to the security of the Internet of Things, technology companies are thinking about it all wrong.


"Privacy is not the main problem," Ted Harrington, executive partner with Baltimore-based Independent Security Evaluators (ISE), told a room of IT professionals at the annual SC Congress digital security conference in Toronto last week.

"Why would I care about my connected light bulb getting hacked? At worst, someone gets information about how often I turn on or off my lights. Maybe an adversary could even annoy me by turning off my lights. How bad is that?" Mr. Harrington asks.

But think of that "smart" light bulb as a chink in the armour of digital security. Mr. Harrington's research has found that makers of connected devices have failed to design strong protections against attackers: He's seen everything from unchangeable hard-coded passwords to unencrypted data connections. And there is a growing number of connected devices showing up in homes, cars, businesses and on our bodies.

"All these connected devices are connected to each other: So you compromise that light bulb as a pivot point … you pivot into the network the light bulb is a part of, and now you get the assets that are contained therein," Mr. Harrington says.

Those assets could include banking information, identity credentials or control of a system for use in a criminal botnet. He has stark advice for any potential buyer of a smart fridge or thermostat: "Connected devices enable attackers. That stuff's not safe right now."

In 2014, Hewlett-Packard Co. released a research report that concluded 70 per cent of "Internet of Things" connected devices were vulnerable to hacks, either through weak passwords or unencrypted connections. Mr. Harrington's team, which has cracked a few "unhackable" systems in the past (immobilizing relays on cars, the iPhone), decided to test the 13 most popular home routers on the market. In any connected home, the router is the central hub that provides wireless data, and ISE thought they'd be able to break into maybe 30 per cent of the top-rated, top-selling routers on Amazon or Best Buy. They broke into 100 per cent of them.

"In 2010, the number of 'things' surpassed the number of people connected to the Internet. That curve now is exponential," says David Kleidermacher, chief security officer for Waterloo, Ont.-based BlackBerry Inc.


"If we think we have trouble securing a billion mobile devices, imagine when we have hundreds of billions and ultimately trillions of things connected to the Internet. It doesn't take a lot of convincing for people to realize that we do face a very big challenge."

For Mr. Harrington and Mr. Kleidermacher, the key weakness of most tech companies and their Internet of Things (IoT) customers is a failure to create a "threat model" and test security against that. "If they don't know what they are trying to defend, and who they are trying to defend it against," says Mr. Harrington, "any security measure and no security measure applies."

One of his bugbears is the current standard for security research, so-called black box tests: Take a device, with no prior knowledge of its function, and try to break into it. As Mr. Harrington says, that's not actually how most hacks happen. He prefers "white box" hacks, where testers have plans and know-how about how a system works, and then see if they can compromise it. It's an alien concept to many hardware and software makers.

"Whether it's IoT or not, the way that adversaries look at all systems is what's known as a stepping-stone attack. You attack the weakest device, and an IoT device usually has weak or no authentication with other devices on that same network."

That's how a hacked router can direct a connected computer to download malicious code that infects what's supposed to be a closed, safe system. And there's no anti-virus for routers.

Mr. Kleidermacher shares Mr. Harrington's distrust of traditional security research practices, and BlackBerry's security business hopes not only to help customers find vulnerabilities, but also build systems to be more secure.


BlackBerry has its own secure IoT offerings, focusing first on connected cars, shipping and smart meters, but it wants to help secure every "thing" on the Internet. In April, it unveiled the Center for High Assurance Computing Excellence (CHACE), which BlackBerry hopes can help create a common standard and certification system for Internet of Things security.

"How does the independent stakeholder know that [a new IoT system] is secure? How can they have confidence that a vendor … can come to them with some solution? There is no such standard; that's something BlackBerry is hoping to solve," says Mr. Kleidermacher.

Mr. Harrington's company was born out of the computer science PhD program at Johns Hopkins University, and he agrees there is a critical need for accountability.

"Health care is really messed up from a security perspective," Mr. Harrington says. "People who make medical devices have to get [U.S. Food and Drug Administration] approval, but no part of the FDA approval process is working with an organization like ours [that] understands how to make them more secure."
