With the Consumer Electronics Show (CES) afoot this week, headlines are crammed with the offbeat connected products from the show – including everything from a smart belt all the way down to a connected toilet.
But one important topic seems to be missing from the troves of CES news (and even from the webpages describing these devices) – how secure are these new IoT products?
For infosec experts specializing in connected devices, unfortunately the missing security piece is nothing new at the show.
“Unfortunately, the new devices launched at CES present security issues for users, mostly because manufacturers have a ‘connectivity first, security second’ development approach,” Yevgeny Dibrov, CEO of Armis, told Threatpost. “These new devices are exciting, and the likely reality is that they’ll follow the tradition of connected devices, and will lack security.”
The buzz continues to grow around connected devices, particularly spurred by voice assistants soaring in popularity. Global spending on IoT is set to hit a whopping $1.2 trillion in 2022, according to market research firm IDC. However many of these devices are still being built with little to no security in mind.
A review of the product information for the gizmos displayed at CES don’t detail the measures taken to secure data. None that Threatpost spotted, even mention the term “security” in their descriptions or on their websites describing them (take the Mui Smart Display, a surface of wood that displays visual data and has Google Assistant built in).
“There is a lot going on in CES, with a strong focus on enhanced device connectivity providing for superior interoperability and leading to better outcomes and performance,” Ariel Kriger, VDOO’s VP business development told Threatpost. “This of course comes at the price of extended attack surfaces.”
While there aren’t necessarily physical dangers (at least that we’ve seen) from hijacking a connected umbrella or a smart alarm clock, there are certainly privacy implications when it comes to personal data open for the taking in some of these potentially insecure smart home devices.
When looking at the bigger picture, these kinds of insecure IoT devices have created a simple surface for a DDoS attack, similar to the 2016 Mirai botnet attack, orchestrated through 300,000 vulnerable Internet of Things devices like webcams, routers and video recorders.
Changing Tides
While the Internet of Things has historically been weak when it comes to security, changing tides may shift the focus of the conversation away from how cool new IoT products are – and instead focus on how secure they are.
Awareness is steadily growing about the privacy and security risks of connected devices – and it’s trickling into the consumer end.
In fact, a Blackberry study released Monday found that 80 percent of respondents don’t trust their current internet-connected devices to secure their data. Up to 84 percent of the survey respondents said they are more likely to choose a product due to their reputation for data security and privacy.
“No question, awareness to these risks is growing within the ecosystem, from makers of connected devices, integrators, and all the way to smart device users,” Kriger told us. “Organizations are becoming more savvy around the threat to their business critical processes and makers of these devices are creating strategies on how to best address these security challenges. It seems clear to everyone that not addressing the security threat is no longer an option.”
However, that’s still not the case with a majority of IoT device manufacturers. Armis’ Dibrov said he has found bigger-name vendors like Amazon and Google easier to work with when patching their voice assistant devices – but other device manufacturers weren’t willing to play ball.
“They were either slow to respond or didn’t respond at all when we notified them about vulnerabilities in their products,” he said. “However, these devices aren’t strictly used at home, they are being walked into enterprises by employees and vendors, and put on work networks every day. Because they lack basic security capabilities, I suspect these devices wind up adding to the attack surface.”
Security Measures
There are several steps that manufacturers can take to improve security in IoT devices – starting with even the simplest tasks, like skipping out on common hard-coded default passwords.
But there are an array of other steps to ensure security, such as keeping incoming ports closed (to avoid open telnet ports), ensure automatic updates, and adopt methods before the product goes to market like security audits and pen testing.
“We are finding more vulnerabilities, faster than ever, as companies rush to market without sufficient penetration testing,” Alan Monie with Pen Test Partners told Threatpost. “We have an increasing backlog of vulnerabilities to disclose, and the findings are increasingly systemic as IoT vendors look to third-parties to handle their back-end API service provision.”