It seems like everything in our lives is now connected, from TVs to fridges to doorbells to fitness mirrors. Recent research found there are an average of 15 smart devices per household, up 25% from 2020, with “power users” having as many as 34. And these smart products are often a bad actor's prime target due to lax security. It only takes one vulnerability to become an entry point for threat actors to access the entire home network. In 2021 cyberattacks on IoT devices more than doubled from 2020.
With the surging volume of IoT products and cyberattacks, consumers are increasingly vulnerable to security breaches. Over the past few years, there has been a steady stream of security flaws, from hacked baby monitors with strangers spying or talking to kids to 600,000 GPS trackers manufactured in China and shipped globally with various vulnerabilities, including a default password of 123456. Making the situation worse: these devices were helping parents track their children.
Security as a Best-Effort or Worse, an Afterthought
A lot of time and money is invested in the features and functionality of smart products. However, in the rush to capitalize on consumer interest, security is often woefully neglected. The devices are vulnerable due to limited computing resources, lack of security features, and the reliance on internet connectivity. With many, the software is not updated frequently to address emerging threats like malware, or the product is secured with a default password.
These inadequate security practices put consumers in a risky situation as hackers can easily access the home network and carry out various nefarious activities, including spying on the house, spoofing the tracker’s location, intercepting emergency calls, or obtaining personal identification information to commit fraud.
Due to the lax policies, there are a range of common vulnerabilities spanning:
- Passwords: Password reuse coupled with weak or default credentials all make it fairly easy for bad actors to gain unauthorized access.
- Encryption: If data is not encrypted or it’s out of date when it’s transmitted between the IoT device and the network, it makes it easy to access without authorization.
- Patches: If manufacturers don’t regularly update and patch flaws, this leaves the solution at the mercy of hackers to exploit.
- Privacy: Some products collect more data than needed or share data without consent, which can lead to breaches.
- Apps: Many solutions, like smart thermostats, have accompanying apps to control and configure them. These can also have security flaws, such as poor or insecure data storage or authentication mechanisms.
- Firmware checks: Without these, attackers can modify firmware and potentially take control or steal sensitive data. For example, Bluetooth protocol vulnerabilities have been the source of several high-profile breaches involving IoT devices.
- Network protocols: Some communicate using weak or outdated network protocols that make it easy for bad actors to circumvent.
- Physical security: If an attacker gains access to the physical product, this can lead to data loss.
IoT devices must be tested to ensure vulnerabilities are found and fixed before they’re made available to purchase. It's clear that the status quo is not working. With consumers continuing to add smart products, industry regulators and government action is required to help address the seismic problem.
State of Regulation
Some progress has been made, including regulation passed in California to ensure that IoT manufacturers equip their products with some basic security features out of the box. In addition, the National Institute of Standards and Technology (NIST) laid out detailed recommendations for the labeling of consumer devices.
This has led to the White House announcing the Cyber Trust Mark IoT labeling program. To obtain the certificate, each consumer IoT device must pass a standardized set of security vulnerability tests that reflect the NIST recommendations for parameters like encryption and data protection. This is an important step to address cyber risks and build consumer confidence that they can trust intelligent products. In addition, the initiative provides a common framework for manufacturers to standardize and scale IoT security with defined tests to ensure each model meets the required benchmarks. The program is modeled on the Energy Star rating system for efficient household appliances.
With the label backed by a trusted set of security vulnerability tests, consumers can quickly and easily update the security on their IoT devices by scanning a QR code. This addresses a fatal flaw with many, the lack of software updates and patches, and it marks the first national cybersecurity specification to be introduced. In addition, it will provide visibility about the types of data the device collects and how it's used.
The Future is Connected
Connected solutions are reshaping the world and with the proliferation of IoT devices showing no sign of easing, cyber risks will continue to escalate. And as Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, stated, "The U.S. Cyber Trust Mark will give consumers a way to know if the smart devices they're purchasing are secure, and give companies a label to show their products meet cybersecurity standards. …..making our homes, classrooms, and workplaces safer and less vulnerable to cyberattacks."