
Ho, Ho, Hoooold on a Minute: A New Year Resolution That IoT Isn’t a Gift That Keeps on Taking

Some IoT products may make your life easier, but they also may be somewhat of a Trojan Horse. 

IoT Risks

Internet of Things (IoT) devices are a gift that gives us tremendous power over our lives. They are an array of gadgets and systems created by companies large and small, with divergent ideas and standards of security and privacy. They entertain us, sustain us, and surround us – whether a smartwatch on a wrist, or a device in a heart. Since the holiday season is a time when IoT devices become “top of mind,” it seems as good a time as any to take stock of all the devices – from those that may be presents, to those that have an influential “presence” on our digital and physical lives. Let’s take a look at some common IoT device red flags, and the prudent evaluation criteria that everyone should undertake so as not to fall victim to gadget gotchas.

Quality over Quantity Quandary

They say imitation is the highest form of flattery. Unfortunately, when it comes to “gadgets,” imitation often is the lowest form of quality. From security cameras, to smart assistants and even smartwatches, brand name success breeds low-cost commodity. In the race to capture the impulse buying public, off-brand devices claim equivalent functionality and benefits, but rarely can they claim safety and support. Convenience and accessibility prevent many from pondering: who is this company really, was security a design priority, and where does all the data go?

So this brings us to the first red flag to examine. What are we actually getting when we fork over our cash? Apart from potentially cheap materials, who built the product? Researching the company can tell you a lot. How long have they been around? Is the company well established and viable? Is there adequate support for issues, including compromise? Santa’s Elves aren’t subject to deep regulatory scrutiny. You know who else often is not? Overseas companies. They can flood online sellers, and even if you’re not the target of a nation state, you can be a random target left out in the open.

Which brings us to flag number two. We know which countries are commonly called out for suspect technology, but even if you recognize the company name, do they suffer from issues in the “usual suspects” category? Do the products come with a default password, and more importantly, can it be easily changed? Is the software on the device updated frequently, maybe even automatically? If so, how frequently are you notified of updates and how easy is the process? Even deeper, how much control and visibility do you have into what the update comprises? Finally, are communications to/from the device encrypted? Is it end-to-end? How strong? These are the table stakes of product security, and if the red flags are flying, the next policy you examine should be the return policy.

Speaking of policies and encryption, the final question to ask in this category is, “What is the real product, and who owns who?” Even if the company is legit and the security is strong, all may not be convenience and capability. Some IoT products may make your life easier, but they also may be somewhat of a Trojan Horse. Hidden inside is something far more valuable and risky – your personal data. Location, financial details, preferences, even voice recordings and search histories are some of the information captured that can be used against you, OR for the benefit of the product vendor. While the other red flags are discoverable in Web searches and settings, this flag is buried deep in a record so long and laden with legal language that most fear to tread – the privacy policy. We click accept without question, and acknowledge updates without an eyebrow raised, but what lurks in the ocean of vague text? The critical questions are: what data is recorded and where is it stored? How long is your data stored and how is it used? What does the privacy policy allow in terms of data sharing or even selling to partners? Without scrutiny, businesses can profit and use your data to enrich themselves and create risk as your information flows into databases for everything from healthcare and insurance, to even lawyers themselves. Of course, that’s even before what seems to be the inevitability that someone in that chain is breached, and then your information enters the criminal supply chain. So, this first category falls under buyer beware. Category two is more of what the buyer may “wear.”

I, Robot?

Products of convenience and electronic connection are certainly the most recognized category of personal IoT, but in an increasingly connected world, we need to recognize the devices that quite literally physically connect us to the internet.  This includes devices focused on digital health and patient care, from pacemakers to health tracking/monitors. 


We can start this discussion where we left our last. Is the “heart” of the product design in the right place? Is it solely there to help you and your physician, or is there a third party interested in the beats of your life? Is device data, even if anonymized, shared with vendors for the purposes of research and trend analysis? Some device vendors partner with hospitals and healthcare organizations to collaborate around your health data. The intent for the vast majority is to improve your care, the care of others, and even better prepare us for new and emerging health concerns. But in this category, you really need to understand the potential gap between intention and execution – from how the data is handled, processed and consumed, to how it’s secured throughout. Additionally, one important failsafe question – can you opt out?

The second flag, to steal an infamous line from the movie Marathon Man, is “Is it Safe?” For a product whose potential failure falls in the category of existential risk, is the product a “pace” setter? We’ve seen multiple cases where medical devices have been subject to recall, and even multiple, expanded recalls, to address security vulnerabilities. So, your questions should be: what authoritative or regulatory certifications does the device hold? Are devices the subject of current or past actions, and what is the process for device oversight, maintenance and updates?

Finally, this is less of a flag and more of a potential “smart” move. Are we too connected or too smart for our own good, and can device ignorance be security bliss? When looking at options, are non-smart options a viable second choice? Could they even be more reliable/predictable, if not just more private and secure?


Written By

Tom Eston is the VP of Consulting and Cosmos at Bishop Fox. Tom's work over his 15 years in cybersecurity has focused on application, network, and red team penetration testing as well as security and privacy advocacy. He has led multiple projects in the cybersecurity community, improved industry standard testing methodologies and is an experienced manager and leader. He is also the founder and co-host of the podcast The Shared Security Show; and a frequent speaker at user groups and international cybersecurity conferences.
