Security is not being designed into new smart devices because a rush to market takes precedence
Smart technology and the internet of things (we’ll call it IoT for business, and smart devices for the home) is developing fast, often with little or no built-in security. At home, seduced by the attraction of new technology, we buy and use these smart technologies with little or no understanding of the dangers that the IoT can bring.
A 2018 survey found that only 20% of users have a comfortable understanding of smart technology, and more than 50% are unconcerned about privacy issues. There's a failure of communication between the hardware innovators, the security industry, and consumers. Our understanding of what is and isn’t a smart device, how it interacts with the internet, and how it all correlates to our personal data is often hazy. Security is not being designed into new smart devices because the manufacturers’ rush to market takes precedence.
“Smart” implies two things: some processing capability and internet connectivity. Anything with a processor can be hacked; and anything with a processor and internet connectivity can be hacked remotely. It is the implication of this that gets left behind by manufacturers’ rush for profit, and our own rush for cred.
This applies to big smart devices and small smart devices; important devices and silly devices; devices inside the home and devices outside of the home.
Smart devices connect to our home networks to take advantage of the cloud. We often download an app to our phones to be able to control them conveniently and remotely. We probably also know some of the most familiar smart devices: Amazon’s Alexa speakers, robot vacuums like the Roomba, our smart and internet-connected TVs, and so on.
The possibility of widely available self-driving cars in the near future has captured our imaginations, but also fed our paranoia. A 2015 video demonstrated how hackers were able to hack into a smart Jeep Cherokee. The vehicle’s entertainment center was the only component directly connected to the cloud, but once that was compromised the hackers were able to take complete control of the vehicle, including steering, acceleration and braking, much to the driver’s terror.
Things haven’t improved much in the last few years. In 2018, a team of ethical hackers from China discovered and disclosed 14 security vulnerabilities in BMW cars that had been present since 2012.
Even scarier than our cars being hacked, medical devices like pacemakers, insulin pumps and vital sign monitors have been shown to be hackable, with potentially dire results. Readers may recall Gunnery Sergeant Nick Brody from the television series “Homeland.” Brody engineered the murder of Vice President William Walden by facilitating a pacemaker hack that increased Walden's heart rate until he had a heart attack. It’s not entirely implausible.
It's not just our own smart devices that should worry us. Modern public surveillance equipment and CCTV networks are also smart devices. However, such devices that are meant to enhance our security can sometimes have the opposite effect. Many different connected camera systems have security vulnerabilities. This was demonstrated by security firm Senrio, which was able to execute what it called Rube Goldberg Attacks. Senrio first took complete control of a single security camera, then jumped to the connected router, then spread its control to the entire network. When the right vulnerabilities are present, a single device can compromise the entire network. And if that happens, who knows who is watching you, where, or why?
In April 2017, a hacker or hackers breached the Dallas outdoor warning system. This is a network of sirens designed to warn the public to stay indoors. They were activated over a dozen times in a two-hour period before and after midnight — until engineers succeeded in manually disabling them.
Electronic traffic alert signs have been a favorite target. Hackers have taken over the electronics and transmitted their own warnings: “Rogue Panda on rampage,” “Zombie attack! Evacuate,” and “All you f***s gon be late, LOL.”
From potentially life-threatening devices and the threat of public surveillance being taken over by malicious actors, we come to what should be one of the most innocent and safe applications of smart technology: children’s products. Surprisingly, these seem to be one of the most insecure and heavily targeted categories in the smart device ecosystem. As recently as February 2019, a German-manufactured children’s smart watch was recalled by the EU when its controller app was found to have significant vulnerabilities. The device could potentially have been compromised to allow hackers to track the child’s movements in real time, or spoof the GPS location data to deceive parents.
A line of smart connected toys called CloudPets was dropped from Amazon and eBay in 2018 after multiple security issues were discovered. This toy allowed children to record or receive messages between the toy and its smartphone app. Not only was this functionality easily hijacked, but the company behind CloudPets suffered a data breach, exposing the details of half a million customers.
The widespread and damaging security issues in children’s toys have been so significant that in 2017, an interactive doll named My Friend Cayla was labeled “an illegal espionage apparatus” by Germany’s Federal Network Agency.
We’ve seen some of the more alarming, and humorous, dangers of smart, connected devices. We could assume that the less tech-intensive smart devices — a refrigerator that you can control from your phone, a smart robo-vac machine that can be scheduled to clean at certain times — would be safer. This is not so. No matter how small, inconsequential, or apparently self-contained a smart device may appear, you should never ignore its security.
The internet of things (which is the more common business term for smart devices) is becoming a close partner with malicious botnets. The Mirai botnet is probably the best known. It rose to prominence in 2016 when it was used to target blogger Brian Krebs with the largest DDoS attack seen up to that point (there have been bigger ones since).
Most people think of routers and webcams as the primary members of an IoT botnet. But this is no longer true. All an IoT botnet needs is for the device to have an IP address and be able to transmit. This applies to most smart devices. In fact, as long ago as 2013, a Proofpoint researcher coined the phrase “Thingbot” as a potential replacement for IoT botnet. Spam was being delivered by a botnet comprising, among other devices, smart refrigerators and smart TVs.
IoT and smart devices have now become a bigger target for hackers than web applications or servers. A 2018 report from F5 Networks states, “Outside of the routine use of SOHO routers, DVRs, and IP cameras, things like your TV, oven, refrigerator, Amazon Alexa, Siri and Google Assistant, Keurig coffee maker (yes, we have attack traffic coming from a Keurig), and toys have been breached and are used to spy, collect data, or launch attacks.”
With IoT and smart devices expected to grow to more than 30 billion by 2020 — and perhaps more than 75 billion by 2025 — the problem of IoT botnets and Thingbots is only going to worsen.
While any device with even a small amount of processing power connected to the internet can be a cog in the machine of malicious botnets, this is not the only motivation that hackers have for going after the smaller or more frivolous smart devices. A compromised IoT device can often lead to other devices on the same network being compromised. Perhaps you didn’t change the default password on a smart sprinkler for your garden — after all, what’s the worst that could happen? The grass gets overwatered because it won’t switch off? But this could allow hackers to spread malware over your home network, either recruiting your other IoT devices into a botnet, or reading your personal information from your smartphone apps — or perhaps secretly watching you via your own security cameras.
Speaking of apps, it’s important to remember that physical devices do not comprise the entirety of the internet of things. Almost every smart gadget will have a corresponding app, whether on PC or mobile, to help you control and get the most out of the device. Sometimes these apps are optional, but often they’re required in order to fully use the device. The issue with this is that the apps can be just as badly secured as the devices. Recent research (January 2019) by Brazilian and American universities found that 31% of the best-selling IoT devices had no data encryption whatsoever, while another 19% had encryption which was easy to reverse-engineer and break. This leaves half of all IoT controller apps with insufficient security.
The bad news is that users like us are only part of the process required for improving IoT security. A great deal of work still needs to be done by those innovating the devices and designing the control applications. The good news is that we’re not powerless to keep ourselves secure — and of course we have third-party security companies like Avast to help. If you’re worried about smart security or you’re well-connected to the internet of things, take a look at Avast Smart Life for an intelligent extra layer of device security. While you do that, don’t forget that there are other practices we can adopt to keep our devices as safe as possible.
Keeping software up to date applies to any software or service that we use, and it holds no less true for our smart devices. Make sure any controller apps for these devices are kept up to date to protect against known vulnerabilities. Some IoT products may also have firmware which needs to be updated independently. This applies especially to routers; check the Avast blog on routers in the smart home for further reading.
And if the device comes with a password that you can change, make changing the password your first priority. There are great tips on passwords and how to create strong passwords here.
And finally, another near-universal security tip to always bear in mind with the internet of things and smart devices: don’t share more of your personal data than you absolutely need to for the device to work. Your options for this depend on the specific device, and some may lock off sections of their functionality until you provide an email address or other contact information. In general, if you can withhold your contact or financial information from a controller app, it’s safest to do so. Make sure to enjoy your connected home while keeping your personal information from potential exposure.
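The three practices above (current app and firmware versions, no factory-default or weak passwords, and as little personal data shared as the device allows) are easy to check mechanically once you keep a simple inventory of what is on your network. The Python script below is an example added here, not code from the post or from Avast; the device inventory, the list of factory-default passwords and the set of sensitive data fields are constructed for the example and stand in for whatever a real household or vendor would supply.

```python
"""Audit a home's smart-device inventory against three practices: current
controller-app and firmware versions, no factory-default or weak passwords,
and minimal personal data shared with the controller app.
The inventory and reference lists are constructed for this example."""
import re

# Constructed stand-in for a vendor's published factory credentials.
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345", "default"}
# Fields a device rarely needs in order to work; sharing them widens exposure in a breach.
SENSITIVE_FIELDS = {"email", "phone", "payment_card", "home_address"}


def parse_version(text):
    """'v1.4' -> (1, 4, 0): compare versions numerically, not as strings."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (3 - len(parts)))


def is_outdated(installed, latest):
    return parse_version(installed) < parse_version(latest)


def password_issue(password, defaults=KNOWN_DEFAULT_PASSWORDS):
    """Return a description of the problem with a device password, or None."""
    if not password:
        return "no password set"
    if password.lower() in defaults:
        return "factory default password"
    if len(password) < 12:
        return "password shorter than 12 characters"
    return None


def audit_device(dev):
    """List the practices a single inventory record violates, in check order."""
    issues = []
    if is_outdated(dev["app_version"], dev["app_latest"]):
        issues.append(f"controller app outdated ({dev['app_version']} < {dev['app_latest']})")
    if dev.get("firmware_latest") and is_outdated(dev["firmware"], dev["firmware_latest"]):
        issues.append(f"firmware outdated ({dev['firmware']} < {dev['firmware_latest']})")
    problem = password_issue(dev.get("password"))
    if problem:
        issues.append(problem)
    shared = SENSITIVE_FIELDS & set(dev.get("data_shared", ()))
    if shared:
        issues.append("shares " + ", ".join(sorted(shared)))
    return issues


def audit_inventory(devices):
    return {d["name"]: audit_device(d) for d in devices}


def sample_inventory():
    """Constructed inventory of three devices with a mix of problems."""
    return [
        {"name": "garden sprinkler", "app_version": "1.2.0", "app_latest": "1.2.0",
         "firmware": "v2.0", "firmware_latest": "2.1",
         "password": "admin", "data_shared": ["email"]},
        {"name": "robot vacuum", "app_version": "3.0.1", "app_latest": "3.1.0",
         "firmware": "1.0", "firmware_latest": "1.0",
         "password": "Kx9#mQ2vL7pT", "data_shared": []},
        {"name": "smart tv", "app_version": "5.4", "app_latest": "5.4",
         "firmware": "2023.1", "firmware_latest": "2023.1",
         "password": "tv12345", "data_shared": ["payment_card", "email"]},
    ]


if __name__ == "__main__":
    for name, issues in audit_inventory(sample_inventory()).items():
        print(f"{name}: {'; '.join(issues) if issues else 'ok'}")
```

The sprinkler is the case the post warns about: up to date on the app side, but still on its factory password and on old firmware, so it is the device most likely to become the foothold into the rest of the network.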
Kevin Townsend is a guest blogger on the Avast Blog where you can catch up on all the latest security news. Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world with award-winning free antivirus and keeping their online activities private with VPN and other privacy products. Join in the conversation with Avast on Facebook and Twitter.