SAN FRANCISCO – With the massive influx of connected devices into our digital lives, it’s no surprise that IoT security was on the forefront of the 2018 RSA Conference this year. But despite numerous talks about IoT vulnerabilities this week, a clear resolution seems nowhere in sight.
“A lot of the manufacturing behind IoT devices today feels like the Gold Rush… everyone wants to get there in a hurry,” said John Cook, senior director of product management at Symantec, speaking at RSAC. “You effectively have people staking out a claim in the area without further thought to security.”
IoT smart home devices make up a particularly lucrative market, with consumer IoT spending set to reach $62 billion in 2018, making it the fourth largest industry segment, according to market research firm IDC. However, many of these devices are built with little to no security in mind.
The 2016 Mirai botnet attack, which was orchestrated as a distributed denial of service attack through 300,000 vulnerable Internet of Things devices like webcams, routers and video recorders, showed just how big an impact the lack of IoT security can have.
Since then, however, little seems to have changed in terms of security for connected smart home devices. Tony Anscombe, global security evangelist with ESET, showed this by spending months testing 12 IoT devices, ranging from smart scales to wearables, and found an array of security issues – from passwords stored in plain text to encryption issues.
“We saw unencrypted firmware updates, unencrypted video streaming for cameras, communication and server in plain text and passwords stored unprotected. We saw privacy policy concerns,” he said during RSAC.
For instance, a Nokia Health Body+ Scale, Nokia’s IoT scale that connects to a smartphone to track progress and collect data like body fat and BMI, was susceptible to a man-in-the-middle (MITM) attack between the Android app and the cloud, allowing hackers to intercept firmware updates and access that data.
While IoT security has been criticized over the past few years, IoT device privacy is another rising pain point highlighted at RSAC, particularly with the rise of voice assistant devices such as Amazon Echo and Google Home.
“One issue we found with these [IoT] devices is that it might not be a vulnerability – it might be that we’re oversharing data,” said Anscombe.
In the case of the IoT scale, the device could be connected to Amazon Alexa, so that the assistant stores data on the various interactions between the scale and the user – a “cybercriminal’s dream,” said Anscombe.
Given the range of security issues in IoT devices, significant steps still need to be taken by both IoT device manufacturers and the end users themselves to ensure device security.
IoT device manufacturers, for their part, see security as a costly trade-off against the other properties that small, low power connected devices need. For instance, said Marc Bown, senior director of security at Fitbit, many connected device manufacturers would prefer to use low power, cheaper chips rather than ones that come with higher levels of security.
“Manufacturers are trading off encryption for low power chips, lower prices, storage space, and battery life,” Bown said.
Another issue is that an IoT product involves so many components, including processors, cloud and web services, devices and apps, that manufacturers struggle to juggle all of these aspects when it comes to security, said Bown.
“Each part of the system is important,” he stressed, as vulnerabilities can lie in apps and platforms, devices, sensors and the cloud.
The first step that many device manufacturers can take to upgrade security in their IoT devices is understanding how the device will be used, and using that understanding to build a threat model, he said.
“Doing some threat modeling is really important,” Bown said. “Manufacturers need to think of all the situations where devices can protect themselves, and fully understand the context.”
The push for manufacturers to prioritize security will ultimately need to come from end users – but the outcry for better security hasn’t necessarily occurred yet from consumers, said Symantec’s Cook.
“It’s not yet a priority… There hasn’t been a single event where you feel the personal pain, like if you have identity theft,” he said. “Manufacturers need to secure their updates, and don’t give users a choice.”
At this point, users can protect themselves by becoming aware of just how much private data they transmit through their connected devices – particularly smart assistants, said Anscombe.
“Only use a virtual personal assistant when it’s not personal. Be cautious if you have an assistant like Google Home. Don’t share your personal data on social media or networks,” he said.