Let’s say you’re about to connect a new IoT device to your network. It could be a smart TV, a camera, a remote doorbell, or even a drone. How can you know if it is secure? What are some ways that security can fail? In this article, I will list the most common reasons for security failure.
Failure Reason #1 – The device itself is insecure. Even the best-written software, by large companies with huge budgets for security testing, will contain exploitable security holes from time to time. That’s why large software companies, such as Microsoft and Apple, regularly issue security updates. Unfortunately, the companies that develop connected devices may not have nearly as many resources to devote to security testing. And unlike your computer or iPhone, software updates might not be automatic. In fact, some IoT devices may not even be update-able at all! Once security flaws are found, hackers quickly write programs to exploit them, and share these programs with other hackers. As discussed in a previous article, these hackers are then able to hijack the device in a variety of ways – ranging from denial of service to spying to creating a remote hacking platform that cannot be traced back to them.
Failure Reason #2 – The device is improperly set up. Perhaps the latest software updates have been installed on the device, and there are no known security vulnerabilities with the software. It could still be hacked if care is not taken in setting it up. Perhaps you forget to change the default password. Or you pick a password that is easy to guess. Hackers have written software that can try hundreds of different passwords a minute. So if you use something obvious – including names of sports teams, personal information such as a phone number or street name, or any word that is found in a dictionary or other public document, your device is still at risk. As mentioned in a previous article, your password may also have been stolen from another, less-secure, device or account. So if you use the same password (or a similar one) for more than one device, your security is still at risk regardless how secure the device itself is.
Failure Reason #3 – Insecure data storage. Even given a secure device, properly set up, it could still be possible for the device to be compromised. Perhaps the company that is hosting your device’s data “in the cloud” is hacked, as is described in this news article about Ring Cam credentials being leaked on the web. And keep in mind too that other data besides that captured by the device could be leaked as well. Including, but not limited to, your email address and WiFi password.
Failure Reason #4 – dishonest or disingenuous vendor. All of the above scenarios assume that the vendor is reputable and honest. But what if they are not? In the worst case, the company could have dishonest intentions. While that article is about smart phone software, the same principle applies to IoT devices. Or perhaps the company is not blatantly dishonest. However, maybe they have something buried in the middle of a multi-page User Agreement that says you agree to the collection of personal data. For example, that you agree to allow the use of audio captured by a voice assistant as training data, or even to target ads for things you mention within earshot of the device. Or you agree to have data about which TV shows you watch sold to media firms. Not a big deal? Perhaps. But remember, your room audio or video or the list of TV and movies you watch is likely stored in the cloud someplace, on the company’s servers. Suppose these servers are hacked. Are you comfortable with the hackers publicly posting your home audio or video footage, or your TV and movie viewing habits, along with your full name and email address?
Failure Prevention. So what steps can be taken to minimize the chances of something going wrong? First, make sure software for the device is updated regularly, and that you have the latest updates installed. Second, be careful in setting up the device. Particularly when it comes to picking a good password – not one that is easy to guess or is the same as a password you are using elsewhere. Third, check the company’s reputation for security – both for the device and their internal data security. Perhaps do a web search on the device name along with words such as “security” or “hacked”. Fourth, understand the company’s use of data. Make sure you are okay with the data that is being collected. Make sure you would still be okay with it if this data should fall into the hands of hackers.