In-brief: Experts on the security of the Internet of Things warned that lax security and privacy protections are rampant in connected home products, but consumers have no way of knowing whether the products they buy are easy targets for hackers.
San Francisco, California — Consumers have no way to easily assess the relative security and privacy features of Internet of Things devices – many of which would fare very poorly in a Consumer Reports-style product bake-off.
Security researchers speaking at The RSA Conference in San Francisco this week say that common “smart home” products by major vendors do a poor job of warding off would-be hackers, potentially exposing their owners to online snooping or even physical crime. And consumers are blind to the security problems because there is no easy way to understand or evaluate the protections each offers.
Independent security researcher Billy Rios said that a study he conducted of common connected home products, including IoT hubs and smart thermostats, revealed a long list of security lapses: weak authentication, no support for signed software updates, and private keys for encrypting communications to and from the devices embedded in the firmware itself.
Rios reviewed a smart thermostat manufactured by the firm Honeywell, as well as smart home gateways from Wink and Veralite and the GE Link. Companies making the jump from home appliances to smart products do not yet have software-savvy cultures that understand the need to address software vulnerabilities in a timely manner, to provide features for updating devices securely, and to protect software from malicious actors, Rios said.
Daniel Miessler, a practice principal at HP’s Fortify division, said that a similar study his company did of connected home products also revealed widespread and consistent security problems. Connected home products shipped with easy-to-guess default passwords and allowed users to configure easily guessed alternatives like “123456” and “password.” The products often transmitted data in the clear, using protocols like FTP, and did not have simple “brute force” protections to thwart repeated attempts to guess user passwords.
Both Miessler and Rios agreed that consumers had little way of knowing about the problems affecting these devices, meaning that manufacturers are unlikely to pay the price for poor security.
Deployed in private homes or offices, the insecure devices could make it possible for remote attackers to peer inside, using the very Internet-connected surveillance cameras designed for home security. Or vulnerable devices could provide an easy place for malicious actors to hide on a compromised network.
“Establishing persistence on one of these devices is a good avenue of attack,” he said. Most do not sport any monitoring agent to detect malicious activity, nor do they offer logs that might be used to track an attacker.
Miessler and HP are working with OWASP (the Open Web Application Security Project) to promote an IoT Top 10, designed on the model of the group’s well known list of “top 10” web application security holes. The list includes checks for items such as insecure web interfaces, lack of transport encryption and insufficient authentication.
The goal is to help developers of IoT applications understand the main attack surface areas for IoT devices and their ecosystems, and to form the basis of what might eventually become a kind of ‘rating system’ for Internet of Things device security.
Rios said that a “Consumer Reports”-style rating system would make it easier for consumers to make simple decisions about the quality of security and privacy protections in a connected home product.
“Consumers don’t want to have to learn about firmware updates. For them, it’s all about the decision ‘to buy or not to buy,’” he said. Color-coded ratings for issues like data security, passwords and privacy would make it easier for consumers to choose products that offer better protections, thereby driving competitors to set a higher bar.
The U.S. Federal Trade Commission (FTC) has taken a keen interest in Internet of Things technologies. In a report issued in January, the FTC urged U.S. businesses to take steps to protect consumers’ privacy and security as Internet-connected devices that are part of the “Internet of Things” gain mainstream adoption.
The Internet of Things is “already impacting the daily lives of millions of Americans,” the FTC said. IoT technologies like health and fitness monitors or home security cameras “offer the potential for improved health-monitoring, safer highways, and more efficient home energy use.” But they also raise privacy and security concerns that could undermine consumer confidence, the report concluded.