Narrative: IoT Security Threats
Narrative: IoT Security Threats (Jan 24, 2017)
Written: January 24, 2017
The last few years have seen a proliferation of “smart” devices of every imaginable kind – smart toasters, smart ovens, smart thermostats, smart lights, smart outlets, smart garage door openers – you name it. What makes these devices smart? Two things: an Internet connection, and just enough computing power to be controlled from a smartphone app. Essentially, these new items are all Internet-connected computers, which means they have the potential to be hacked the same as any other Internet-connected computer, especially if they feature lax security.
As it turns out, that’s precisely what many of them do feature, and we’ve now seen evidence both that individual devices can be hacked with malicious intent, and that whole networks of these devices can be taken over en masse and repurposed as part of distributed denial of service attacks and other nefarious activities. The additional problem is that many of them, though smart enough to be hackable, aren’t smart enough to be reprogrammable with better security, so once they’re installed there’s really not much that can be done to fix the security vulnerabilities short of shutting them down entirely.
In theory, though, there’s nothing about IoT devices that makes them inherently less secure than any other computer – it’s the level of security manufacturers and other ecosystem players choose to imbue them with that matters, just as an unsecured PC without a firewall or antivirus program installed is eventually likely to be compromised. The better IoT vendors will install security precautions of various kinds to ensure their devices can’t be compromised in this way, and smart consumers will buy those products. But many IoT devices – including the security cameras involved in the Mirai attacks – aren’t bought by discerning consumers but by corporate procurement departments looking to score the best deal on gear they buy in bulk.
Both IoT vendors and buyers of the gear need to take these issues more seriously, especially when it comes to equipment that can be used to hurt people (such as medical equipment). Routers and other gear that network these devices also need to provide better security, as the FTC has recently argued by filing suit against D-Link. But in the meantime, we’re going to see lots more stories about home automation gear, medical equipment, and a whole set of other IoT devices being hacked and compromised.
Whereas the CIA / Wikileaks stories about Samsung smart TVs being hacked were somewhat overblown (they largely affected older TVs and required physical access to sets), this hack is more worrying because it would affect newer TVs and could be delivered remotely. However, for any kind of widespread effect, it would require hacking into a broadcast or IPTV stream, which in itself would be no mean feat, and of course would only work on TVs that happened to be accessing that stream during the time when it was compromised. Still, the broader worry here is, once again, that any device connected to the internet is at least theoretically vulnerable to hacking, and devices such as TVs with less sophisticated security systems than computers and smartphones are often the most vulnerable and hardest to patch.
This isn’t the worst example yet of an IoT / smart home vulnerability, but it’s bad enough, given that it allows burglars to defeat a security system if they happen to know how. More worrying, it appears the researcher who discovered the vulnerability shared findings with Nest back in October, but Nest didn’t notify customers or push out a patch until now, when it says it has a fix rolling out to customers soon. The more of these devices we have in our homes, the more potential points of vulnerability there will be for hacking of one kind or another, and makers of both systems and ecosystems need to bake really tight security in from the get-go to prevent as many of them as possible.
via The Register
It turns out Vizio has been collecting extremely granular data on users of its smart TVs, and then matching its IP data with offline data about individuals and households (essentially everything short of actual names). And it’s done all this without making users properly aware that this was what it was doing. The data related to everything consumers watched on the TVs, whether the content came through Vizio’s own smart TV apps or merely through one of its inputs from another box or antenna. Something I’d forgotten was that Vizio filed an S-1 in preparation to go public back in 2015 – it never actually went public because Chinese player LeEco decided to acquire them (a deal due to close shortly). Aside from talking about how many TVs the company sells, the S-1 makes a big deal of the “up to 100 billion viewing data points daily” it collects from 8 million TVs, and touts its InScape data services, which package up this data for advertisers, although it says this data is “anonymized”, which feels like an alternative fact at this point. The risk factors in the filing even mention possible regulatory threats to such data gathering, so it’s probably fair to say that Vizio shared more information with its potential investors about the data it was collecting than it did with end users. To settle the case, Vizio has to pay a total of $3.7m in fines to the FTC and the state of New Jersey (whose AG brought the suit with the FTC), discontinue the practice, and disclose it to consumers. I can’t wait to see how it manages that last point – imagine turning on your Vizio TV one day and seeing a message pop up about the fact that it’s been tracking your every pixel for the last several years. Assuming that’s done right, it could be the most damaging part of this for Vizio, which made over $3 billion in revenue in its most recently reported financial year. Meanwhile, yet another headache for LeEco to manage.
The specifics of this story aren’t as important as the trend that’s emerging ever more clearly – almost any device that’s connected to the Internet is potentially susceptible to hacking, and the more critical the device’s intended function is, the more serious any potential breach can be – in this case, life threatening. The challenge is that most of these devices – along with cheap web cams and many others – were not designed with watertight security built in, and it’s almost impossible to add that on after the fact. So we’ll see lots more of these stories in the coming years, which will put off potential customers, while giving an advantage to IoT and smart home vendors who prioritize security.
This is yet another story about IoT security, and the many vulnerabilities that exist in a variety of connected devices in the home. The difference this time around is that this isn’t some low-cost Chinese vendor, but D-Link – one of the larger router manufacturers – and the FTC claims its gear suffers from some of the same basic flaws that enabled the Mirai botnet attack a while back. We could still see far worse attacks taking advantage of these vulnerabilities, and with the growth of home automation gear there will be even more attack vectors. All this makes it even more important that those selling connected gear for the home bake in really serious security protections and educate users on the risks.