As "smart homes" grow in popularity, new research keeps turning up concerns about how IoT (Internet of Things) devices are used.
Bringing internet-connected devices into the home is fraught with misunderstandings on the part of both consumers and organizations. Internet-connected "smart devices" are going to keep spreading through homes and workplaces, so the sooner consumers become "smart buyers," the better their chances of avoiding a compromise.
Ironically, "smart" speakers get criticized and suspected of letting some kind of big brother listen in on family conversations, while far less secure systems such as home computers, WiFi routers and browsing to click-bait websites go unnoticed. More ironic still, many home security devices, internet-connected security cameras among them, have some of the most serious security flaws.
Let's take a brief look at some common flaws in IoT devices used in homes and businesses, and at new research showing that home security systems are even more vulnerable than previously thought.
The best-known security issue with IoT devices is leaving WiFi routers and other equipment on their default settings, default administrator passwords in particular. There is a limit to what we can expect consumers to do when buying off-the-shelf smart home devices; much of the responsibility for shipping good default settings must therefore fall on the manufacturers.
Some IoT manufacturers are doing a great job of providing secure defaults, but they are still a minority in the overall market. Since consumers are unlikely to evaluate defaults when making a purchase, market forces cannot really be brought to bear on cleaning up the marketplace. An industry-sponsored seal of approval might go a long way toward educating consumers, especially if the standard(s) behind it are reliable and fair.
Even in very well made systems, flaws are eventually found. If an IoT device supports a sound mechanism for updating its firmware, those flaws can be patched. As with default settings, no obvious industry guidance exists for consumers. Many IoT devices cannot update their firmware at all, and those that can often have no way of telling the user that the device is no longer supported with new updates.
A certification system, something like a UL Labs stamp of approval for devices with updatable firmware, end-of-support notices and secure defaults, could provide an avenue for legislation that would force at least some level of consumer protection onto IoT devices.
Home Security IoT
WiFi motion-detection cameras and other small-business and home alarms are becoming very popular. In addition to the common flaws already covered in this article, researchers at North Carolina State University have found further flaws that affect most IoT devices but are of particular concern for home security devices.
Most IoT devices assume that the network they are connected to is trustworthy. If that same network carries a device infected with malware, heartbeats and alerts can be redirected, blocked or copied by it. Heartbeats are "check-in" notices that IoT devices send to a mobile app or to security management software to show they are alive and well. An attacker positioned this way can keep the app or management software seeing "everything is OK" while a break-in is actually under way, simply by blocking the alarm message while the routine heartbeats keep flowing. If the heartbeats are redirected or copied to the attacker, the pattern of those check-ins can be used to case a location automatically and pick the best time to break in.
The good news is that these heartbeat attacks can be fixed in software, for instance by having the receiving side verify each message, expect heartbeats on a schedule and treat their absence as an alert in its own right. It is up to the IoT manufacturers, though, to build such fixes into their products and, hopefully, to let educated buyers know that this has been done.
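The following Python is an added illustration of the exchange described above; it is not the NCSU researchers' code nor any vendor's software. A camera emits numbered, HMAC-tagged heartbeats and a break-in alert, a malware-infected device on the same LAN sits in the path and can pass, drop, copy or rewrite them, and two receivers are compared: a naive one that believes the last message it saw, and a hardened one that verifies the tag, rejects replayed messages, notices gaps in the sequence and treats silence as an alarm. The per-device key, the 10-second heartbeat period, the message format and the sample traffic are all constructed assumptions for this example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Assumptions of this example (hypothetical, not any vendor's values): a per-device
# key shared with the app at pairing time, and a 10-second heartbeat period.
DEVICE_KEY = b"example-per-device-key"
HEARTBEAT_INTERVAL = 10.0


def build_message(device_id, seq, kind, ts, key=DEVICE_KEY):
    """Device side: a heartbeat (kind='ok') or alert (kind='alarm'), numbered and HMAC-tagged."""
    payload = json.dumps({"device": device_id, "seq": seq, "kind": kind, "ts": ts},
                         sort_keys=True).encode()
    return {"payload": payload, "tag": hmac.new(key, payload, hashlib.sha256).hexdigest()}


class NaiveMonitor:
    """Assumes a trusted LAN: believes whatever the last message said, checks nothing."""
    def __init__(self):
        self.status, self.alerts = "unknown", 0

    def ingest(self, msg, now):
        self.status = json.loads(msg["payload"])["kind"]
        self.alerts += self.status == "alarm"

    def check(self, now):
        return self.status


@dataclass
class HardenedMonitor:
    """Verifies the tag, rejects replays, notices dropped sequence numbers, and
    treats silence longer than two heartbeat periods as an alarm."""
    interval: float = HEARTBEAT_INTERVAL
    key: bytes = DEVICE_KEY
    status: str = "unknown"
    alerts: int = 0
    last_seq: int = -1
    last_seen: Optional[float] = None
    anomalies: list = field(default_factory=list)

    def ingest(self, msg, now):
        expected = hmac.new(self.key, msg["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            self.anomalies.append("tampered")      # modified or forged in flight
            return
        body = json.loads(msg["payload"])
        if body["seq"] <= self.last_seq:
            self.anomalies.append("replay")        # a copied old heartbeat re-injected
            return
        if body["seq"] > self.last_seq + 1:
            self.anomalies.append("gap")           # something in between was dropped
        self.last_seq, self.last_seen, self.status = body["seq"], now, body["kind"]
        self.alerts += body["kind"] == "alarm"

    def check(self, now):
        quiet_for = now - self.last_seen if self.last_seen is not None else 0.0
        if quiet_for > 2 * self.interval and "silence" not in self.anomalies:
            self.anomalies.append("silence")       # heartbeats blocked, or device offline
        return "alarm" if self.anomalies else self.status


def device_traffic():
    """Constructed sample: heartbeats every 10 s, a break-in alert at t=45, heartbeat at t=50."""
    traffic = [(10.0 * s, build_message("cam-1", s, "ok", 10.0 * s)) for s in range(5)]
    traffic.append((45.0, build_message("cam-1", 5, "alarm", 45.0)))
    traffic.append((50.0, build_message("cam-1", 6, "ok", 50.0)))
    return traffic


def on_path_attacker(traffic, mode):
    """A malware-infected LAN device between camera and app.
    'none':        passes everything through.
    'drop_replay': swallows the alarm and the next heartbeat, re-injects a copy
                   of the last good heartbeat at t=50 so the app still sees 'ok'.
    'rewrite':     edits the alarm into an 'ok' in flight (cannot fix up the tag)."""
    if mode == "none":
        return list(traffic)
    if mode == "drop_replay":
        return traffic[:5] + [(50.0, dict(traffic[4][1]))]
    if mode == "rewrite":
        out = list(traffic)
        t, alarm = out[5]
        body = json.loads(alarm["payload"])
        body["kind"] = "ok"
        out[5] = (t, {"payload": json.dumps(body, sort_keys=True).encode(), "tag": alarm["tag"]})
        return out
    raise ValueError(mode)


def simulate(mode, now=70.0):
    """Feed attacker-shaped traffic to both monitors; report what each believes at `now`."""
    naive, hardened = NaiveMonitor(), HardenedMonitor()
    for arrival, msg in on_path_attacker(device_traffic(), mode):
        naive.ingest(msg, arrival)
        hardened.ingest(msg, arrival)
    return {"naive": naive.check(now), "naive_alerts": naive.alerts,
            "hardened": hardened.check(now), "hardened_alerts": hardened.alerts,
            "anomalies": list(hardened.anomalies)}


if __name__ == "__main__":
    for mode in ("none", "drop_replay", "rewrite"):
        print(mode, simulate(mode))
```

Running it shows the asymmetry the research points at: with no attacker both monitors see the alarm, but once an on-path device drops the alarm and re-injects an old heartbeat, the naive app reports "ok" and never counts an alert, whereas the hardened receiver flags the replay and then the silence; rewriting the alarm in flight trips the integrity check instead. None of this needs a new device, only a receiver that refuses to trust the network it is on.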
Until then, there are some simple things you can do to reduce risk. Use a basic IoT security checklist, and for IoT security devices in particular, look for software that shows which people or devices are subscribed to the alerts it sends, so you can tell who actually receives them. Here are some other questions to ask:
Starter Check List
- Does the IoT device let you change the default settings, especially the passwords on admin/configuration accounts?
- Does an internet search on the company's security reputation raise any red flags?
- Does the device have a method for updating its firmware?
- Can you put the security device on its own network (for example a separate WiFi network or VLAN), away from devices that are commonly infected with malware such as misconfigured internet routers, personal computers or unevaluated IoT devices?
- Are you willing to do a security check-up on your IoT devices on a recurring schedule, such as monthly or quarterly, to look for known flaws and install any new updates?
While this starter checklist will not guarantee an unhackable IoT device, it will go a long way toward reducing the chances of your IoT devices being compromised or being used to compromise other parts of your network.
If you own or manage an organization, it would be a very good idea to have an annual risk assessment done by a professional. Such assessments range from an informal check-up to an in-depth inspection of every aspect of your organization's networks. Having one not only gives you a professional-level inspection but also frees up your time. As businesses are now judged on their security reputations, being able to state publicly that you have passed an industry-accepted information security best-practice assessment is also a competitive advantage.
To keep up-to-date on important IoT security issues please check back regularly on this blog series.