Nine Questions to Ask to Determine IoT Device Safety
The holidays are almost upon us. All around the globe, people are purchasing the latest and greatest gadgets as gifts. Consumers will be linking their new Internet of Things (IoT) thermostats, doorbells, baby monitors, security cameras, home appliances and even GPS pet trackers to the internet in droves.
On the heels of the holiday season, the International Consumer Electronics Show will take place in Las Vegas, Nevada, where device manufacturers reveal a whole new crop of IoT devices set to hit the market in 2017. Amazon.com now has a team of “Smart Home” consultants who come to your house to help you wade through automation, Wi-Fi, ZigBee, Alexa and a sea of other “things” for your homes.
That’s a lot of IoT devices connecting to the internet! A couple of years ago, I asked a group of people how many “things” they had connected to the internet. At the time, the largest number reported by any home user was 29. Today, that number is not uncommon. In fact, Gartner says 6.4 billion connected “things” will be in use in 2016, up 30 percent from 2015. By 2020, the number of connected devices is expected to grow exponentially to 50 billion.
While IoT brings many benefits to consumers—from convenience to energy efficiency, to monitoring babies and locating lost pets—it also brings risk. The Mirai botnet enslaved 152,000 IoT devices, including smart TVs, refrigerators, and other smart household appliances. These IoT devices were then used to take out the Dyn DNS server this September.
As a consumer, you might think, “Why should I care if my device is involved in a DDoS attack? As long as it works, I don’t mind.” Well, some 20,000 residents in Finland found out the hard way why it matters, when their buildings’ IoT-connected thermostats stopped functioning because the devices had been enslaved to a botnet conducting a DDoS attack. (By the way, it’s cold in Finland in November.)
Whether you are a consumer considering a connected device as a gift for the holidays, or a reporter about to review the next wave of IoT devices launching at CES, we have put together a list of questions you should ask before diving in:
- What are you (the manufacturer) doing to protect devices from botnet enslavement?
- If the device does become enslaved, will it still perform its primary function?
- If it breaks during a DDoS attack, will you (the manufacturer) honor the warranty?
- What is your security vulnerability disclosure/handling process?
- What personal information is stored on the device? Which user accounts does it hold (e.g. email, cloud service, etc.)?
- How do you protect that data?
- Which services are enabled by default?
- Does it need to be directly exposed to the internet (e.g. using UPnP to create a port-forwarding rule in the internet gateway)?
- What is the procedure to upgrade the device firmware?
- How do users receive notifications of updates?
- Do you offer support for OTA (Over the Air) updates?
- Do you provide a web page/contact for security researchers to submit security reports? For example: https://nest.com/security/
Many manufacturers are not ready to answer these questions. Not only do many manufacturers leave security features out of their product development; security is not even within their scope of thought. What’s worse, we’ve seen some manufacturers ship devices with command and control enabled by default for eavesdropping!
As a consumer of these devices, you may find yourself facing the Wild West of security concerns. Without a home firewall or Unified Threat Manager (UTM), how will you know that the devices you’ve bought aren’t spying on you or leaking your personal details? And how many consumers even know what a UTM is, or where to purchase and install one?
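Short of buying a UTM, the practical way to answer the question above (and the question in the list about a device being exposed through a UPnP port-forwarding rule) is to look at what the gateway already knows: which remote hosts each device talks to, how many of them, and which ports are forwarded in from the internet. The script below is an added example, not code from the original post or any vendor; the flow-log format, the LAN addresses, the device inventory and the UPnP mapping table are all constructed for this example, and a real router would need its own export adapted into the same shape. It flags three things a defender cares about: a device contacting endpoints outside the allowlist its owner maintains for it, a device reaching an unusually large number of distinct hosts in a short window (the fan-out you would expect from flood traffic, which is also when a thermostat stops doing its job), and any device reachable from the internet via a port mapping.

```python
"""Audit IoT devices on a home network from router flow records.

Added example (not from the original post). Log format, addresses,
inventory and UPnP table below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    ts: str         # timestamp as exported by the gateway
    src: str        # LAN address of the device that opened the connection
    dst: str        # remote host it connected to
    dport: int      # remote port
    out_bytes: int  # bytes sent by the device


# Constructed sample: a few minutes of outbound connection records.
# .20 is a thermostat, .21 a baby camera, .22 a smart TV. The TV's 40
# connections to 40 distinct hosts in one minute mimic flood fan-out.
SAMPLE_FLOWS = """\
2016-11-20T10:00:01 192.168.1.20 203.0.113.10 443 5120
2016-11-20T10:01:02 192.168.1.20 203.0.113.10 443 4800
2016-11-20T10:00:05 192.168.1.21 198.51.100.5 443 2000
2016-11-20T10:00:06 192.168.1.21 198.51.100.9 25 900
2016-11-20T10:00:07 192.168.1.22 203.0.113.50 443 1200
""" + "".join(
    f"2016-11-20T10:02:{i:02d} 192.168.1.22 192.0.2.{i} 80 150\n"
    for i in range(1, 41)
)

# Constructed inventory kept by the owner: the vendor hosts and ports each
# device is expected to use. Anything outside this is worth a look.
INVENTORY = {
    "192.168.1.20": {"name": "thermostat", "hosts": {"203.0.113.10"}, "ports": {443}},
    "192.168.1.21": {"name": "baby camera", "hosts": {"198.51.100.5"}, "ports": {443}},
    "192.168.1.22": {"name": "smart TV", "hosts": {"203.0.113.50"}, "ports": {443}},
}

# Constructed UPnP port-mapping table as read back from the gateway.
UPNP_MAPPINGS = [
    {"ext_port": 8080, "int_ip": "192.168.1.21", "int_port": 80, "desc": "camera"},
]

FANOUT_THRESHOLD = 20  # distinct remote hosts per device within the window


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated records: ts src dst dport bytes."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def audit(flows: List[Flow], inventory: dict, mappings: list,
          fanout_threshold: int = FANOUT_THRESHOLD) -> Dict[str, List[str]]:
    """Return {lan_ip: [finding, ...]} for devices that deserve attention."""
    findings: Dict[str, List[str]] = defaultdict(list)
    dests = defaultdict(set)       # every remote host each device reached
    unexpected = defaultdict(set)  # endpoints outside the device's allowlist

    for f in flows:
        dests[f.src].add(f.dst)
        dev = inventory.get(f.src)
        if dev is None or f.dst not in dev["hosts"] or f.dport not in dev["ports"]:
            unexpected[f.src].add(f"{f.dst}:{f.dport}")

    def name(ip: str) -> str:
        return inventory.get(ip, {}).get("name", f"unknown device {ip}")

    for ip, endpoints in unexpected.items():
        shown = ", ".join(sorted(endpoints)[:3])
        findings[ip].append(
            f"{name(ip)} contacted {len(endpoints)} endpoint(s) outside its allowlist: {shown}")
    for ip, hosts in dests.items():
        if len(hosts) >= fanout_threshold:
            findings[ip].append(
                f"{name(ip)} reached {len(hosts)} distinct hosts in the window "
                "(fan-out typical of flood traffic)")
    for m in mappings:
        findings[m["int_ip"]].append(
            f"{name(m['int_ip'])} reachable from the internet: external port "
            f"{m['ext_port']} forwards to internal port {m['int_port']} (UPnP)")
    return dict(findings)


if __name__ == "__main__":
    for ip, items in audit(parse_flows(SAMPLE_FLOWS), INVENTORY, UPNP_MAPPINGS).items():
        for item in items:
            print(f"{ip}: {item}")
```

With the constructed data the thermostat produces no findings, the camera is reported twice (an SMTP connection outside its allowlist, and an inbound UPnP mapping), and the TV is reported for both the out-of-allowlist endpoints and the fan-out. The allowlist is the part that takes effort: it has to come from the manufacturer's answer to "which services are enabled by default and which hosts does the device talk to", which is exactly why that question belongs on the list.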
Companies face the same challenges. Larger companies segment these devices from their production networks, but the areas where rapid adoption is happening are where the greatest vulnerabilities lie. We believe that industry standards must come to the table in 2017. Secure communication protocols and standards will become public standards, and IoT manufacturers will be certified against them. We predict a major IoT breach is going to happen, and perhaps that will be the catalyst toward securing the Internet of Things.