Beyond the CES Hype: No Easy Fixes for Security and Privacy Woes

Security and privacy risks from connected devices are likely to persist, with no easy fix for what experts agree are widespread problems. (Image courtesy of CES.)

In-brief:Security and privacy risks from connected devices are likely to persist, with no easy fix for what experts agree are widespread problems.

The annual Consumer Electronics Show kicked off this week in Las Vegas – the show’s 50th year and bigger than ever. Some 3,800 companies are on hand, more than 100,000 attendees and 2.6 million square feet of exhibit space.

Smart devices designed to be connected to the Internet of Things are all the rage again this year. Smart TVs and mobile phones are in abundance, of course, but there’s a dizzying array of other gear, too, ranging from a smart washer and dryer from Samsung to wearable technology to a concept car by Bosch that features face recognition and gesture control.

But behind the glitz and excitement of new products, features and capabilities lurk serious security and privacy concerns that experts agree will not be easy to resolve. Among them: that new, connected devices fail to protect the privacy of consumer data and often ship with weak security features that are easy to circumvent, or software vulnerabilities that can be exploited by hackers living across the globe.

That dissonance between reward and risk was on vivid display this week, with the FTC filing suit against home router and camera giant D-Link on the same day as the company unveiled a host of newer, more powerful routers and cameras on the show floor in ‘Vegas. D-Link has denied the FTC’s allegations, saying they are “vague and unsubstantiated.” The company has vowed to fight the case.

But the Commission’s case against D-Link sounds familiar tones to those who have been charting the evolution of security problems related to connected devices. D-Link routers and cameras, the Commission found, contained “hard-coded” accounts that ship with the product and can be accessed with easy to guess credentials like the username “guest” and the password.” The software running on the devices is reportedly vulnerable to command injection attacks that could allow a remote hacker to use a malicious command to take control of a vulnerable D-Link router or camera. Software (or “firmware”) that runs on the devices was vulnerable to being replaced with doctored alternatives that would do the attacker’s bidding.

Similar problems were found in devices by the connected camera vendor TRENDNet, a maker of surveillance cameras in 2013, that the Commission settled in 2014. The Commission has advised consumers and businesses about the security and privacy risks of IP-enabled cameras, urging both to use good security hygiene: keeping firmware up to date, making sure communications are encrypted using secure HTTP and securing devices with strong passwords.

The rush to introduce new, connected products is running ahead of awareness of the security and privacy implications of connecting devices to the Internet, said Craig Spiezle Executive Director of the Online Trust Alliance (OTA). “This is the challenge. We’re enjoying the benefit of new products brought to market. But how many of these companies have a security mindset? How many analyze the firmware and open source code they leverage and manage against it?”

The Online Trust Alliance used CES to release a new version of its Trust Framework. Among other things, they call for device makers to adhere to “rigorous software development security process” including security for the data that the devices store and transmit to back-end servers. Companies should conduct penetration tests and adhere to vulnerability reporting standards and ship new devices with unique passwords and include features to prevent password guessing (or “brute force”) attacks. Spiezle, a veteran of Microsoft’s security program, said the challenges facing smart product makers are “nothing new.”

But the addition of Internet connectivity to a wide range of historically ‘disconnected’ products is new, and a jarring transition for many firms unused to the rhythms and demands of the software industry, said Amjed Saffarini, the CEO of CyberVista, a training firm that does cyber literacy and workforce development for firms in industries like energy, manufacturing and finance. 

The addition of Internet connectivity makes even low-risk devices like dishwashers or refrigerators introduces new risks and threats to privacy and even physical safety that manufacturers are not accustomed to.

“You have companies that may not have a lot of experience with product safety recalls. But with cyber everything is a safety issue,” he said.

Companies making connected products need to think and plan for how to support those products over their entire lifespan, said Spiezle and others. In the case of durable goods such as washing machines or automobiles, that life span may be measured in decades – a tall order for any software-based product.

Spiezle said that there’s little talk of those nagging issues amid the frenzy of new product announcements and market enthusiasm. But hot markets eventually cool, he said, at which point differences in how well vendors support and secure their devices may help determine which products and vendors survive.

Companies that offer robust services and security will have a leg up in a tighter, more competitive market for connected products, he said.

In the meantime, regulators like the FTC can help to nudge the market in the right direction, said Stephen Ridley, the founder and Chief Technology Officer of the security firm Senrio. “Up until now, there has been no driver – no reason to have security, so the stuff you had been more altruistic in nature,” he said. “Now that the FTC has taken actions, it gives vendors reason to pause. Do we spend this amount now on security, or that amount squared later on litigation and defending against class action suits?”

One Comment

  1. Pingback: 10Fold- Security Never Sleeps- 131 - 10Fold Communications

Leave a Comment

Your email address will not be published.