Most of the new IoT tech can be found in the home automation sector. Surveillance tech, smart doorbells, heating and air conditioning management systems, security systems, lighting, personal voice assistants and so on.
The numbers are staggering in regard to rolled out smart home devices and this is a highly profitable market with lots of room to grow.
Check out this report about the market size and growth forecast for IoT
No wonder that some of the stuff that's out there was made available in a more hasty manner with drawbacks in security.
No it's not just the thousands of surveillance tech gadgets you can buy for the cheap from China it's also some of the big guns that Amazon for instance bought to make considerable money in this market.
Blink (Surveillance cameras) and Ring (smart doorbells, surveillance cameras with 2 way audio, motion detection flood lights with surveillance camera and 2 way audio) two companies that were bought by Amazon for example showed a fair share in vulnerabilities already.
The Ring "always home" doorbell systems and surveillance tech made some hackers feel "at home" in homes of those that bought the rather pricey tech. Most recently there was this case of an US family that was shocked to see/hear that someone had hacked into their kids room surveillance camera. The hacker talked to their little daughter via the Ring surveillance cam and introduced himself as "Santa". Pretty disturbing! A spokesperson from Amazon denied that this was due to an vulnerability in their systems and speculated on an breached mobile device rather on which the "Ring always home" app was installed.
Especially in the home automation sector if one piece of IoT equipment is vulnerable the rest of the tech can possibly be attacked from this device as well.
So, were looking at an ever increasing size of attack surface with new tech being made available in the market at high speed.
What are the reasons for this increase in flaws, vulnerabilities with such tech?
Insufficient Testing and Updating
As already mentioned due to the high speed of development and roll out there might be not many, if any sufficient quality gates that such tech must pass. Another issue is the missing maintenance, patches for smart home devices or isolated home security tech.
Brute Force Attacks and Use of Default Passwords
It's the good old "default password" for example that is used by many IoT tech manufacturers. So it's in part on the user of such tech that might be just too lazy to chance the default admin password on his IoT tech but it's on the manufacturers also because they do not force a password change when setting up the tech for first use by the new owner.
Most prominent in that regard the "Mirai botnet" which is used in a few of the largest and disruptive DDoS attacks because of the named reasons above.
Data Security / Privacy Concerns
Posing some of the biggest challenges in today’s world data security and privacy are most important especially since we know that data is stored all the time, used and sent to the tech giants of our present. A wide range of these IoT devices are very chatty when it comes to submitting data to their "home".
The companies monetize on this data by selling it for ad targets or other purposes and so the big tech companies but also the smaller manufacturers of IoT tech have become also become "custodians" of our data.
Things that would help here like setting dedicated privacy rules and to redact the sensitive end user data before storing it and lastly disassociating IoT data payloads from the information that could can be used to identify us simply won't happen.
In some cases it's a question of investing the time into proper configuration settings of new IoT devices that the users don't spend on improving their security and privacy.
AI and Automation
This market will rapidly and massively expand in the coming years. Companies and private households have to deal with staggering numbers of such devices. The baffling amount of data that is collected and transferred by such tech will therefor also increase significantly. Maybe some AI driven security tech enables corporations/enterprises to identify and close open vulnerabilities on such tech by adjusting rules/config on such devices or in the network security tech.
But in your home your mostly left to your own device for such important tasks.
At the moment the it's simply the increase in complexity that makes it hard to effectively raise the security bars in the private as well as in the commercial sector.
So what can you do to improve your OpSec when opening the door of your home or commercial operation to IoT tech?
Use tech that is known for adequate quality and security!
Invest a moment or two to select manufacturers that cover their bases when it comes to information security. Drop the device that your considering to buy into your favorite web search, btw I hope you use DuckDuckGo.com ;-), before ordering to see if they maintain there products for instance.Read the manual and act accordingly!
Seriously there's no way around this! RTFM (read the f****** manual) and adjust the settings of your devices to not use a default password, limit the amount of data that is shared with the manufacturer of the device or app for the device, and to make sure that everything/everybody that want's to access your device ha to use encrypted sessions for instance (for example web interfaces on such devices, http = unencrypted, https = encrypted).Check if you really need a wide array of remote access possibilities for your devices!
If not needed close the "doors" to the devices on your router or firewall! I know, especially surveillance tech has it's biggest merit when you can access it remotely. But is it really necessary for you to access your HVAC stuff (heating, ventilation, air conditioning) from outside of your home/commercial building?Check for updates regularly!
Yes, make it an regular task to update all of your tech! This way you make sure that the newest updates, that possibly close open weaknesses and flaws on your devices, are installed on your tech.Reduce the data that is stored outside of your home/commercial building
Even if you have taken care of your local stuff to make it hard for an attacker to get a grip in your environment those third party risks exist out there! When a manufacturer or service provider is hacked/breached they could possibly get a hold of your data out there. Not letting it getting "out there" in the first place seems to be a smart strategy if applicable!Stale signatures on Windows devices
If you use an AV solution (anti virus), and you should at least have something in this regard on your Windows boxes (!!!), make sure that the anti virus signatures are updated regularly. When I write regularly here I don't mean like every week or month but a couple of times a day! Better solutions have hourly of even shorter update cycles of their av signatures.
Here some relatively recent publications about this field!
https://threatpost.com/amazon-blink-smart-camera-flaws/150962/
https://www.gravum.com/internet-of-things/top-10-iot-vulnerabilities-2019/
https://resources.infosecinstitute.com/the-top-ten-iot-vulnerabilities/
https://www.helpnetsecurity.com/2019/10/23/iot-ics-vulnerabilities/
So, what do you think?
Do you have home automation IoT devices installed in your home or corporation?
Are they set up in a secure manner and do you regularly update them?
Let me know down in the comments please!
Cheers!
Lucky
This is great article. You captured the essence very well. Ur explanation of the benefits and market potential of IoT and also the security vulnerability of the devices is crisp and interesting. I think that there needs to be more development in the security of IoT devices in order to attract the kind of widespread adoption that the technology deserves.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
Hello @kryptarion,
thanks for your comment and compliment!
I agree 100%!
I've been looking into this over the years from different perspectives. In my day job in IT security, in my home and in a more general manner to keep up to date what is going on in the market.
What I found very disturbing is the fact that a lot of the IoT devices on the cheaper end, mostly from China, are riddled with flaws and vulnerabilities.
But what I also found to be very promising is how the ease of use, with acceptable security measures, has improved for some of the products especially in the HVAV sector. I just helped to set up a heating management systems for a neighbor and it was like a "wow" on the end user friendliness scale!
I even fired up my nessus afterwards to look into known vulnerabilties in his network and none of the newly installed IoT stuff ticked red flags... wish I could say the same thing for his Windows boxes and older ip surveillance cameras! I think he's still updating now and two of his China cams went straight to the bin after I've showed him that I could access these within seconds... Hahaha!
Cheers!
Lucky
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
That a criminal has talked to an infant, posing as Santa, is quite disturbing. Besides worrying if he did it for the realization of a subsequent crime, I think they saw somewhere an idea for an argument of a chapter of a TV series in which a Hacker infiltrated a domestic network and spoke to the girl of the home to do small things as part of a game with his doll, a piece of technology that communicated with the internet to download songs and the latest updates from the manufacturer. In the story, the criminal got the little girl to leave a vulnerability in the security of the house and he took advantage of it to enter, gain physical access to the system and then extort the family with its secrets.
Well, that was a fiction thing, but the idea is not taken away from me that at present what was a story has a great chance of happening.
I also think now, the automation of houses, that of Domotics, and that of vehicles, aimed at being "Driverless", can be a double-edged sword, on the one hand it can facilitate people's lives and support for having greater security, comfort and quality of life ... but, it can also cause vulnerabilities, but not only those that would be caused by hackers and criminal organizations, but also potential violations of privacy by governments and organizations.
I close this comment quite long, pointing out that your advice is very practical and I think they are good rules to reduce the chances of intruders and other problems.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit