According to a new report (“State of IoT Security”), so-called “smart” devices might not be so smart after all. The report from Pepper IoT and Dark Cubed detailed a wide variety of security issues and privacy flaws in common Internet of Things (IoT) devices, including some cases where devices such as smart light bulbs were communicating personal data and information to third-party companies in China. The major conclusion of the report is that both retailers and manufacturers need to be taking comprehensive new steps to resolve these IoT security and privacy issues.
Key findings of the report on IoT security and privacy
As Pepper noted in its report, just because the smart device space is complex and fast developing, there is “no excuse” for companies not to be doing more to guarantee IoT security and privacy. The report specifically looked at 12 different off-the-shelf IoT smart home devices from brands such as Guardzilla, iHome, Merkury, Vivitar, Wyze, Zmodo, Momentum, and Oco. The list of retailers where these devices were purchased included Walmart, Best Buy and Amazon – basically, the three biggest retailers in the U.S. where American consumers would be most likely to purchase these IoT devices.
And, yet, despite the comfort level that customers might have when buying from these stores, the products turned out to be almost embarrassingly weak when it came to protecting IoT security and privacy. In the base case scenario, the security failures included lack of data encryption, missing encryption certificate validations, and data that is often collected and transmitted between devices and apps without any safeguards in place.
In one particularly egregious case, a Merkury smart light bulb that had only one function (to turn on and off) also required the installation of a Merkury smartphone app that tracked location data, recorded audio, and accessed the storage on the phone. Moreover, what was particularly worrisome was the fact that the Merkury app had hard coded links back to 40 different third-party websites, including a number of Chinese tech companies (e.g. Alibaba, Taobao, Weibo).
China’s role in the Internet of Things
In the report, Pepper specifically called out China’s role in the Internet of Things. Many of the consumer tech brands currently selling IoT devices in the U.S. marketplace have strong ties back to China, and that naturally raises questions about how exactly any personal information acquired by smart devices as part of their data collection might be used without user consent. In an era of Big Data and real-time communication, there are now very real concerns about the amounts of data being shared and collected.
In some cases, the relationship with China might be benign, as in simply giving a user the ability to post about his or her amazing smart device experience on a social media platform like Weibo (China’s version of Twitter). However, there is a darker alternative scenario: the Chinese government may be using its tech firms as a “backdoor” to spy on everyday Americans. That concern is at the root of the dispute over Chinese telecom firm Huawei, which is accused of spying and conduct cyber-espionage in the United States.
Recommendations on IoT security and privacy
It’s perhaps no surprise, then, that one of the recommendations in the report on IoT security and privacy was that consumers should purchase smart devices that transmit data over communication networks that are managed by a trusted and regulated U.S. company. For example, if you currently use an AT&T smartphone, you might want to think about buying smart devices that transmit data over AT&T networks.
The Pepper report on IoT security and privacy also specifically noted that the focus of the consumer should not just be on device security, but also on the security of the entire platform. If that platform is managed by an offshore vendor (e.g. China), then it could be the case that your data is not nearly as protected as you might assume.
The report on IoT security and privacy also noted that patching will not fix “systemic” problems. Instead, security and privacy must be built into the device from Day 1. Thus, if a device is designed on a platform that does not fully utilize encryption, there is very little good that a new security patch is going to do.
Finally, Pepper made clear that the overall market must make security a priority. Not just device manufacturers, but also retailers and government entities, must take a much closer look at IoT security and privacy. As Pepper noted in its report, “Manufacturers and retailers are likely not even considering security at all.”
Security concerns about the Internet of Things
The need to take IoT security and privacy more seriously is especially valid now that consumer items like voice-controlled personal assistants, interactive doorbells and remote-controlled light bulbs are growing in popularity within the consumer technology space. For example, one estimate is that by the year 2020, there will be over 28 billion “things” connected to the Internet – ranging from smartphones and laptops to doorbells and light bulbs. Tech giant Cisco, for example, refers to this phenomenon as the “Internet of Everything.”
The major concern, of course, is that all of these new devices hooked up to the Internet could be a nightmare for any IoT security and privacy firm, introducing new attack vectors for hackers, cyber-criminals and rogue actors. For example, medical devices hooked up to the Internet could be used to cause bodily harm (as in the oft-discussed example of terrorists being able to carry out assassination attempts by causing heart attacks in victims). In other cases, connected devices like toys might be used to spy on children, while trusted home devices such as security systems might be used for all forms of cyber attacks, including vast botnet attacks involving tens of thousands of devices at one time. A connected car might be the victim of hackers taking over the navigation and steering system of the car.
The lesson is clear: IoT device manufacturers must be doing more to consider all of these possible scenarios, rather than simply relying on consumers to protect themselves with their own security measures. If not, they could be facing more legislative and regulatory oversight. California, for example, passed new legislation at the end of 2018 that now mandates unique passwords for connected devices, thereby removing the possibility that hackers could simply use default passwords to hack into these devices.
With billions of devices still waiting to be hooked up to the Internet between now and 2020, the hope is that device manufacturers and retailers will finally wake up to the many IoT security and privacy issues these devices have created.