The growth of the Internet of Things is happening so fast that security is just an afterthought, or in some cases, completely ignored.
Manufacturers don’t prioritize it, consumers don’t demand it and regulators seem to be waiting for bigger disasters than the Mirai botnet — which enlisted insecure IoT devices in the largest denial-of-service attack the internet had yet seen — before taking any substantive action. Perhaps there’s a sense that the Internet of Things will adopt the lessons we’ve learned from securing PCs, much as mobile device ecosystems have.
Unfortunately, this doesn’t seem to be happening.
So F-Secure Principal Security Consultant and master Red Teamer Tom Van de Wiele wants to bust some myths about internet of things security. Keep these in mind while you’re installing connected devices in your homes.
1. All these great features benefit you!
“Many of the features manufacturers are adding to their connected home assistance systems, automated robotic lawnmowers, light bulbs, ovens or thermostats are not for the consumer’s benefit, at least not exclusively,” Tom told me. “They’re there mostly to monetize the metadata created by using the item.”
By using these devices you’re feeding some company somewhere in the world endless data about you without realizing it.
“For instance, they know when you are home, when you take vacations, how many people are in the house and how big your family is.”
Many customers would gladly trade that data in return for the increased quality of life, Tom argues. But customers aren’t really aware of the deal they’re making.
“That data might leak 2, 5 or 10 years from now, and the consumer has no control over it. And they’re never informed that this sort of leak is possible.”
On top of this, the data might become available on secondary markets, where it could be used for targeted ads built on correlations between data points collected from the privacy of users’ homes.
“Sure, this isn’t happening today,” he said. “But it will happen eventually, if we do not take steps to prevent the leaking of metadata on a technical level along with legislation to prevent illegal correlation.”
2. We will support this product for life!
“When IoT vendors say they offer ‘support for life,’ they never clarify exactly whose life,” Tom said. “The box the product comes in never mentions that its underlying technologies might not last longer than five years depending on the feature sets. Android-heavy devices rely on the infrastructure and APIs of Google to (1) still be there and (2) be there in an unmodified way, as the devices can usually not update to newer versions and thus they might break.”
Why don’t they mention this? Obviously, it doesn’t help sales. They don’t want you to think about the dangers that arise once that product has been phased out or reaches the end of its service life.
“Your neighbors notice when you don’t mow your lawn — and so do opportunistic burglars,” he said. “Unfortunately that visibility does not exist in the online or hardware world, where the metaphorical grass can be downright jungle-sized, just waiting for someone to take advantage of it.”
3. You can trust us!
“Generally, the vendor buys from the cheapest manufacturers who buy from the cheapest manufacturers themselves,” Tom said. “There are very few requirements when it comes to security or updates. Most use open source technology but they don’t advertise that fact or provide upgrade paths.”
This software may have vulnerabilities that have not been patched and never will be. And no one is checking to make sure those patches are ever applied.
Even if the product is completely secure, you’re still placing access to your home or office in the hands of the maker of your connected device.
“Nobody would buy a car with a secret skeleton key available to the world,” Tom said. “Sure, the vendor will have the key, but do you trust the vendor?”
Anything that’s called “smart” is vulnerable.
So change the default passwords on all your devices, stick to trusted manufacturers and consider securing all your devices with F-Secure SENSE, which combines a security router, an advanced security app and industry-leading cloud protection to protect all the internet-connected devices in your home.
June 28, 2017