IoT gadgets dominate the holiday sales - and so do their security risks

(Image credit: Pixabay)

The annual retail conventions of Black Friday and Cyber Monday have long had a tradition of drumming up the latest tech products ahead of Christmas. Internet of Things (IoT) enabled products have become an increasingly popular mainstay of the sales rush, including virtual home assistants, wearable tech, smart toys and connected appliances.

However, as these connected products continue to dominate the holiday sales scene, they are also highlighting longstanding security concerns with IoT devices. Products are often found to be lacking even basic security safeguards, potentially exposing users to privacy invasions, cyberattacks, and even physical danger. 

Those who splurged on IoT-enabled devices in this year’s sales will need to be aware of potential new security threats against themselves and their employers.

About the author

Richard Hughes is Head of Technical Cyber Security at A&O IT Group 

How weak IoT security invites hackers into the home

IoT security vulnerabilities are extremely common, and our own investigators have found major flaws in everything from kettles to sex toys. There has been a steady cadence of IoT security breaches making the headlines over the last few years, including both the discovery of potential vulnerabilities and cases of actual exploitation.

One of the most prominent recent examples has been the Ring smart doorbell produced by Amazon. The device is ostensibly designed to help users with home security, enabling them to remotely access video and audio feeds from their smartphone, as well as receiving alerts when they have a visitor.

However, it quickly became apparent that Ring was lacking several important security features. The device is controlled by a mobile app but did not set any limits on incorrect login attempts or notify users when there was a failed attempt or a successful login from a new location or device. This meant it was straight forward for a threat actor to brute force their way into the user’s account and connect to the device. There were multiple examples of Ring devices being hijacked to spy on households, as well as the speaker function being used to harass and threaten people with physical violence. Connecting to a Ring device also enabled attackers to gain useful Wi-Fi information to facilitate further attacks.

Ring’s manufacturers were quick to respond and have updated the software to patch out these vulnerabilities. However, it’s worth noting that there are many other brands of smart doorbell available, and not every manufacturer is diligent about closing reported vulnerabilities.

How can IoT devices be exploited?

IoT devices are a natural bridge between the cyber and physical worlds, which means they have a distinct risk profile compared to a traditional endpoint. Unlike a hacked laptop or smartphone, many IoT devices can actually be used to perform physical actions.

The form and severity of risk this represents depends greatly on the device’s function. Many IoT devices such as fridges and toothbrushes are physically harmless. On the other hand, a connected kettle for example could be remotely triggered to dry boil, potentially starting a fire.

Any device that is involved in physical security poses an obvious and direct threat if it is compromised. As we have seen with Ring, unsecured surveillance devices can be hijacked to enable visual and audio spying and connected locks could also be compromised to gain entry to a building.

Any other kind of connected device that has recording capabilities can also be used to breach privacy if it is compromised, from a hub device to a seemingly harmless child’s toy.

Even if the device itself lacks direct surveillance abilities, it can still be used to covertly monitor a household and provide criminals with intelligence. A smart thermostat for example will provide plenty of data that will indicate when the premises is likely to be empty and therefore vulnerable to burglary.

Alongside the exploitation of their unique attributes, all poorly secured IoT devices also offer an easy attack path to gain access to the building’s network. Attackers can use the connected device as a jumping off point to the router and can then begin moving laterally to any other connected devices on the network. As with Ring, some IoT devices make things even easier by enabling attackers to effortlessly access information about the Wi-Fi network.

IoT devices often fail to follow best practice for security, failing to encrypt data, and not requiring users to change the default login credentials or apply security updates. Indeed, applying patches is often quite difficult for many devices.

From a consumer perspective this obviously puts individuals at risk of major attacks against their other personal devices, but it also represents a business risk as attackers could compromise any corporate devices being used on the home network.

Although they are less likely to have had a Black Friday gadget shopping spree, businesses are also at risk of this threat directly if they have any IoT devices on premises, such as security cameras and smart sensors for lighting.

Why does IoT struggle with security?

Despite widespread concern from the security sector and a growing number of high-profile breaches making the headlines, the overall standard security for IoT devices remains poor compared to traditional endpoints. There are a number of factors contributing to these on-going issues.

First and foremost is that pricing is a huge barrier to adequate security. Manufacturers are generally competing with the normal version of whatever they are making, so products like smart appliances and toys cannot be priced too far above the standard product.

Accordingly, smart devices are usually built using very low-end components, generally using cheap processing chips sourced from China. These chips are too low powered to handle cryptographic processes, so data is simply not encrypted.

Aside from physical limitations, security testing is still often regarded as an expensive and time-consuming extra that can be skipped to keep the price point low. This is especially true when manufacturers are aiming to get their product out in time for the holiday sales period. Compounding this, many smart devices are the result of manufacturers looking to branch out into IoT, so security is neither a speciality nor a priority. Likewise, while awareness is growing, security is still not an important selling point for the average consumer.

How can security flaws be handled?

IoT is a relatively new field of technology and it always takes time for good manufacturing and development standards to take hold. We have yet to reach the point of specific legal regulations for connected devices in the same way we have the GDPR for broader data protection, but there has been some progress in this direction.

The ETSI Technical Committee recently launched a new baseline standard for consumer IoT security, but this is still guidance rather than an enforceable law. The UK is likewise currently planning new standards for connected devices.

Key points in both cases include preventing users from using common or factory default user credentials and providing clear information on update patch support. Actions like this will certainly help close some of the most obvious vulnerabilities currently present in IoT devices, but we will need to see manufacturers go beyond the basics to secure their products.

This means thorough security testing before products are released, as well as the use of higher spec chips and other components to facilitate security elements like encryption. As discussed however, these are unlikely to become standard features in a market that is dominated by price points. While some products might treat security as a selling point, there will be a large number of cheaper products that skip on security. Until there are enforceable laws for security standards, most consumers will continue to likewise look past security if it means a lower price.

In the meantime, anyone purchasing an IoT device in the holiday sales and beyond should take some time to look into its security credentials and weigh the potential risks of a compromise. This is more important than ever as more people work from home and connect their corporate devices to the same networks as potential vulnerable smart gadgets.

Richard Hughes is Head of Technical Cyber Security at A&O IT Group