The Internet of Things (IoT) is continuing to gain traction with an ever-increasing number of connected devices coming to market. But as tech-savvy consumers begin investing in their first devices for a connected home, what is to stop them becoming a cyber attacker’s next target?
While such attacks are still uncommon, we know that cyber attackers are going after connected consumer devices, as demonstrated on a massive scale by the group of Russian hackers who published thousands of live-streaming webcam feeds from over 250 countries.
Unless the manufacturers of connected devices take a holistic approach to bolstering their cyber security efforts, these types of attacks will increase in number.
To gain a greater understanding of the cyber security risks that consumers could be exposing themselves to, research was conducted into the cyber security posture of six ‘always-on’ consumer IoT devices. The results were unsettling.
Veracode carried out a set of uniform tests across all the devices and found that all but one exhibited application-related vulnerabilities across web, mobile and cloud services.
Exploiting these vulnerabilities could enable cyber attackers to do a wide variety of things, from running spyware, to capturing all the information the device monitors, to taking complete control of the device itself. It’s clear these devices were not designed with cyber security in mind.
Where designers are not prioritising cyber security or privacy, they are putting consumers at risk of a cyber attack or physical intrusion. For example, the information leveraged from an Ubi – a WiFi connected, voice-operated computer that allows for hands-free voice interaction in your home – could be used by a criminal to determine exactly when the user is likely to be home, potentially facilitating a robbery or even stalking.
Alternatively, cyber security vulnerabilities within a Wink Relay device – which controls lights, heating and even door locks – could allow a criminal to turn on the microphones and listen to any conversations within earshot of the device, supporting blackmail efforts or capturing corporate intelligence from anyone working in a home office.
Security not a priority to manufacturers
It is not surprising that cyber security hasn’t been prioritised in the production of these devices when considering their lifespan. According to a recent CE Product Lifecycle Study, consumers expect to replace their electronics every five years.
This means that for many manufacturers, the focus is largely on developing the next ‘killer feature’ that makes a consumer’s life easier, in order to stay competitive and acquire a healthy stream of new customers.
Since the average consumer thinks cyber security is an internet issue, cyber security just isn’t a high priority for home automation device manufacturers.
As with any emerging technology, the perceived risk relates to the volume of devices on the market. While there are far greater cyber security risks to more lucrative targets, such as mobile banking, e-commerce and healthcare self-service applications, there is certainly a growing risk posed by IoT devices.
We may see specific attacks on high-profile targets, such as celebrities and politicians whose information is already of value due to their status. For example, last year the iCloud accounts of celebrities, including Jessica Lawrence and Kim Kardashian, were specifically targeted to leak intimate information and pictures.
What does all this mean for consumers who have bought or are looking to buy connected devices? Buyers need to be aware that these devices come with cyber security risk and should take this into account when choosing what to purchase. Look at the track record of the company that manufactures the product.
While cyber security is on every consumer’s mind today, most don’t view home automation technology as a serious threat. After all, why would anyone care what temperature you like the living room set to or if you dim your bedroom lights after dinner?
Everyone must start thinking like a cyber attacker and understand that all information has value to someone. For example, ransomware or cryptolocker-style attacks on PCs are already a common nuisance – locking files or access to your PC altogether until you pay a ransom to regain access.
What’s the impact of such an attack on a home automation device, one that leads to “I won’t turn your central heating back on until you wire me £1,000”?
While consumers need to be vigilant about the risk of technology in their home, manufacturers need to do a better job of securing their IoT products.
Holistic examination of the cyber security of all IoT devices is essential, including device architecture as well as associated web and mobile applications, and supporting cloud services.
These manufacturers have a responsibility to take steps to minimise the risk of losing users’ sensitive data and to mitigate any risk to the consumers’ physical safety.
While consumers might not be feeling the full effects of these IoT risks now, they should join the cyber security industry in putting pressure on manufacturers to do their utmost to ensure that these cases never arise.
Sourced from Chris Wysopal, Veracode