Narrative: IoT Security Threats
Narrative: IoT Security Threats (Jan 24, 2017)
Whereas the CIA / Wikileaks stories about Samsung smart TVs being hacked were somewhat overblown (they largely affected older TVs and required physical access to sets), this hack is more worrying because it would affect newer TVs and could be delivered remotely. However, for any kind of widespread effect, it would require hacking into a broadcast or IPTV stream, which in itself would be no mean feat, and of course would only work on TVs that happened to be accessing that stream during the time when it was compromised. Still, the broader worry here is, once again, that any device connected to the internet is at least theoretically vulnerable to hacking, and devices such as TVs with less sophisticated security systems than computers and smartphones are often the most vulnerable and hardest to patch.
This isn’t the worst example yet of an IoT / smart home vulnerability, but it’s bad enough, given that it allows burglars to defeat a security system if they happen to know how. More worrying, it appears the researcher who discovered the vulnerability shared findings with Nest back in October, but Nest didn’t notify customers or push out a patch until now, when it says it has a fix rolling out to customers soon. The more of these devices we have in our homes, the more potential points of vulnerability there will be for hacking of one kind or another, and makers of both systems and ecosystems need to bake really tight security in from the get-go to prevent as many of them as possible.
via The Register
It turns out Vizio has been collecting extremely granular data on users of its smart TVs, and then matching its IP data with offline data about individuals and households (essentially everything short of actual names). And it’s done all this without making users properly aware that this was what it was doing. The data covered everything consumers watched on the TVs, whether the content came through Vizio’s own smart TV apps or merely through one of its inputs from another box or antenna. Something I’d forgotten was that Vizio filed an S-1 in preparation to go public back in 2015 – it never actually went public because Chinese player LeEco decided to acquire it (a deal due to close shortly). Aside from talking about how many TVs the company sells, the S-1 makes a big deal of the “up to 100 billion viewing data points daily” it collects from 8 million TVs, and touts its Inscape data services, which package up this data for advertisers, although it says this data is “anonymized”, which feels like an alternative fact at this point. The risk factors in the filing even mention possible regulatory threats to such data gathering, so it’s probably fair to say that Vizio shared more information with its potential investors about the data it was collecting than it did with end users. To settle the case, Vizio has to pay a total of $3.7m in fines to the FTC and the state of New Jersey (whose AG brought the suit with the FTC), discontinue the practice, and disclose it to consumers. I can’t wait to see how it manages that last point – imagine turning on your Vizio TV one day and seeing a message pop up about the fact that it’s been tracking your every pixel for the last several years. Assuming that’s done right, it could be the most damaging part of all this for Vizio, which made over $3 billion in revenue in its most recently reported financial year. Meanwhile, it’s yet another headache for LeEco to manage.
The specifics of this story aren’t as important as the trend that’s emerging ever more clearly – almost any device that’s connected to the Internet is potentially susceptible to hacking, and the more critical the device’s intended function is, the more serious any potential breach can be – in this case, life threatening. The challenge is that most of these devices – along with cheap web cams and many others – were not designed with watertight security built in, and it’s almost impossible to add that on after the fact. So we’ll see lots more of these stories in the coming years, which will put off potential customers, while giving an advantage to IoT and smart home vendors who prioritize security.
This is yet another story about IoT security, and the many vulnerabilities that exist in a variety of connected devices in the home. The difference this time around is that this isn’t some low-cost Chinese vendor, but D-Link – one of the larger router manufacturers – and the FTC claims its gear suffers from some of the same basic flaws that enabled the Mirai botnet attack a while back. We could still see far worse attacks taking advantage of these vulnerabilities, and with the growth of home automation gear there will be even more attack vectors. All this makes it even more important that those selling connected gear for the home bake in really serious security protections and educate users on the risks.