Connected Device Security – What could go wrong?


Let’s say you’re about to connect a new IoT device to your network.  It could be a smart TV, a camera, a remote doorbell, or even a drone.  How can you know if it is secure?  What are some ways that security can fail?  In this article, I will list the most common reasons for security failure.

Failure Reason #1 – The device itself is insecure.  Even the best-written software, by large companies with huge budgets for security testing, will contain exploitable security holes from time to time.  That’s why large software companies, such as Microsoft and Apple, regularly issue security updates.  Unfortunately, the companies that develop connected devices may not have nearly as many resources to devote to security testing.  And unlike your computer or iPhone, software updates might not be automatic.  In fact, some IoT devices may not be updatable at all!  Once security flaws are found, hackers quickly write programs to exploit them, and share these programs with other hackers.  As discussed in a previous article, these hackers are then able to hijack the device in a variety of ways – ranging from denial of service to spying to creating a remote hacking platform that cannot be traced back to them.

Failure Reason #2 – The device is improperly set up.  Perhaps the latest software updates have been installed on the device, and there are no known security vulnerabilities in the software.  It could still be hacked if care is not taken in setting it up.  Perhaps you forget to change the default password.  Or you pick a password that is easy to guess.  Hackers have written software that can try hundreds of different passwords a minute.  So if you use something obvious – including names of sports teams, personal information such as a phone number or street name, or any word that is found in a dictionary or other public document – your device is still at risk.  As mentioned in a previous article, your password may also have been stolen from another, less-secure, device or account.  So if you use the same password (or a similar one) for more than one device, your security is still at risk regardless of how secure the device itself is.

Failure Reason #3 – Insecure data storage.  Even given a secure device, properly set up, it could still be possible for the device to be compromised.  Perhaps the company that is hosting your device’s data “in the cloud” is hacked, as is described in this news article about Ring Cam credentials being leaked on the web.  And keep in mind too that other data besides that captured by the device could be leaked as well, including, but not limited to, your email address and WiFi password.

Failure Reason #4 – Dishonest or disingenuous vendor.  All of the above scenarios assume that the vendor is reputable and honest.  But what if they are not?  In the worst case, the company could have dishonest intentions.  While that article is about smart phone software, the same principle applies to IoT devices.  Or perhaps the company is not blatantly dishonest.  However, maybe they have something buried in the middle of a multi-page User Agreement that says you agree to the collection of personal data.  For example, that you agree to allow the use of audio captured by a voice assistant as training data, or even to target ads for things you mention within earshot of the device.  Or you agree to have data about which TV shows you watch sold to media firms.  Not a big deal?  Perhaps.  But remember, your room audio or video or the list of TV shows and movies you watch is likely stored in the cloud someplace, on the company’s servers.  Suppose these servers are hacked.  Are you comfortable with the hackers publicly posting your home audio or video footage, or your TV and movie viewing habits, along with your full name and email address?

Failure Prevention.  So what steps can be taken to minimize the chances of something going wrong?  First, make sure software for the device is updated regularly, and that you have the latest updates installed.  Second, be careful in setting up the device, particularly when it comes to picking a good password – not one that is easy to guess or that is the same as a password you are using elsewhere.  Third, check the company’s reputation for security – both for the device and for their internal data security.  Perhaps do a web search on the device name along with words such as “security” or “hacked”.  Fourth, understand the company’s use of data.  Make sure you are okay with the data that is being collected.  Make sure you would still be okay with it if this data should fall into the hands of hackers.


Security for IoT Home Devices – It really is a big deal!

Last week, I saw several news stories about dramatic hacks of home IoT devices.  One involved a hacker using a home security camera to talk with an 8-year-old girl.  Another showed a hacker taunting a family with loud noises and racial slurs.

It might seem obvious that a webcam is something that needs to be secured from hackers.  But what about all the other IoT devices connected to one’s home network?  I often hear comments like “okay, so someone hacks my smart light bulb.  They can change the color of the light in my room.  Big deal.  And besides, why would someone target a light bulb, when they could be hacking banks and credit card accounts?”

Think again!  The most humble IoT device, such as a smart light bulb, likely has full access to your home network.  That means it can access every computer, storage device, and every other IoT device on your network.  Any confidential bank information backed up on the network storage device?  Any confidential documents from work?  A hacker who successfully compromises the smart light bulb has full access.  In the case of the Ring cameras that were the subject of the above news stories, it appears that the cameras themselves were secure, but passwords revealed by hacking other home IoT devices were used to log into them.

A compromised device can also be used to hack anonymously, since the hacking attempts will appear to originate from the victim’s network instead of that of the hacker.  In some cases, the victim may not even be aware that the device has been hacked, since it may appear to be functioning normally.  In late 2016, hacked thermostats and other smart devices were used for denial of service attacks that crippled a large portion of the internet.

We all love to hate Windows updates, which seem to occur right when we need to get something done right away.  But such updates serve a valuable purpose.  They fix newly-discovered vulnerabilities before hackers have a chance to exploit them.  They are supported by Microsoft – a huge company with vast resources.  Will a company that makes a $15 smart light bulb have similar resources to ensure that vulnerabilities are patched?  Even if they do, how will these updates be deployed?  When was the last time you updated the software in your smart light bulb?  How many smart light bulbs even have the capability of having their software updated when critical vulnerabilities are found?

This all assumes, of course, that the company that made the IoT device is honest, and does not have ulterior motives.  But even that is not always the case.  Does the company that made your smart TV have a known reputation for honesty and transparency?  Or is the reason they are able to sell the products at a “bargain price” perhaps that they make money in other ways besides the sale price?  For example, a smart TV that collects information on your viewing habits and sells them to a marketing agency?  Or a drone that uploads its captured footage not only to your social media accounts, but also to a foreign government’s servers?

This is not to say that IoT devices are “evil” and should not be used.  They can provide significant value when used with due consideration of security, and full understanding of how any collected data is used.  But many people don’t think twice.  They assume that since they only paid $15 for a smart light bulb, or $60 for a security web camera, their risk is limited to $15 and $60 respectively.  And that is far from the truth.