Internet of Threats: the risks in the pursuit of the connected home

The Internet of Things (IoT) is continuing to gain traction with an ever-increasing number of connected devices coming to market. But as tech-savvy consumers begin investing in their first devices for a connected home, what is to stop them becoming a cyber attacker’s next target?

While still uncommon, we know that cyber attackers are going after connected consumer devices, demonstrated on a massive scale by the group of Russian hackers who published thousands of live-streaming webcam footage from over 250 countries.

Unless the manufacturers of connected devices take a holistic approach to bolstering their cyber security efforts, these types of attacks will increase in number.

>See also: Why the Internet of Things is more than just a smart fridge

To gain a greater understanding of the cyber security risks that consumers could be exposing themselves to, research was conducted into the cyber security posture of six ‘always-on’ consumer IoT devices. The results were unsettling.

Veracode carried out a set of uniform tests across all the devices and found that all but one exhibited application-related vulnerabilities across web, mobile and cloud services.

Exploiting these vulnerabilities could enable cyber attackers to do a wide variety of things, from running spyware to monitoring all information monitored and even complete control of the device itself. It’s clear these devices were not designed with cyber security in mind.

Where designers are not prioritising cyber security or privacy, they are putting consumers at risk of a cyber attack or physical intrusion. For example, the information leveraged from anUbi – a WiFi connected, voice-operated computer that allows for hands-free voice interaction in your home – could be used by a criminal to determine exactly when the user is likely to be home, potentially facilitating a robbery or even stalking.

Alternatively, cyber security vulnerabilities within a Wink Relay device – which controls lights, heating and even door locks – could allow a criminal to turn on the microphones and listen to any conversations within ear shot of the device, supporting blackmail efforts or capturing corporate intelligence from anyone working in a home office.

Security not a priority to manufacturers

It is not surprising that cyber security hasn’t been prioritised in the production of these devices when considering their lifespan. According to a recent CE Product Lifecycle Study, consumers expect to replace their electronics every five years.

This means that for many manufacturers, the focus is largely on developing the next ‘killer feature’ that makes a consumer’s life easier to stay competitive and acquire a healthy stream of new customers.

>See also: Device security must be at the heart of Internet of Things development

Since the average consumer thinks cyber security is an internet issue, cyber security just isn’t a high priority for home automation device manufacturers.

Like any emerging technology, the perceived risk relates to the volume of devices on the market. While there are far greater cyber security risks towards more lucrative targets, such as mobile banking, e-commerce and healthcare self-service applications, there is certainly a growing risk posed by IoT devices.

We may see specific attacks on high-profile targets, such as celebrities and politicians whose information is already of value due to their status. For example, last year the iCloud accounts of celebrities, including Jessica Lawrence and Kim Kardashian, were specifically targeted to leak intimate information and pictures.

What does all this mean for consumers who have bought or are looking to buy connected devices? Buyers need to be aware that these devices come with cyber security risk and should take this into account when choosing what to purchase. Look at the track record of the company who manufactures the product.

Tomorrow’s threat

While cyber security is on every consumer’s mind today, most don’t view home automation technology as a serious threat. After all, why would anyone care what temperature you like the living room set to or if you dim your bedroom lights after dinner?

Everyone must start thinking like a cyber attacker and understand that all information has value to someone. For example, ransomware or cryptolocker-style attacks on PCs are already a common nuisance – locking files or access to your PC altogether until you pay a ransom to regain access.

What’s the impact of such an attack on a home automation device that leads to, “I won’t turn your central heating back on until you wire me £1,000?”

While consumers need to be vigilant about the risk of technology in their home, manufacturers need to do a better job of securing their IoT products.

>See also: Making the Internet of Things a business reality

Holistic examination of the cyber security of all IoT devices is essential, including device architecture as well as associated web and mobile applications, and supporting cloud services.

These manufacturers have a responsibility to take steps to minimise the risk of losing users’ sensitive data and to mitigate any risk to the consumers’ physical safety.

While consumers might not be feeling the full effects of these IoT risks now, they should join the cyber security industry in putting pressure on manufacturers to do their upmost to ensure that these cases never arise.

 

Sourced from Chris Wysopal, Veracode

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Connected Devices