Amazon Echo among devices from Netatmos, D-Link, Nokia, and Sonos found to raise privacy or security concerns. One device so insecure the vendor was contacted privately by researchers.
The Internet of Things is making its way into homes in a big way. Smart security cameras, home management systems, doorbells, weather stations, thermostats, baby monitors, and more, are part of the first wave of IoT adoption that will be critical to establishing trust in these new technologies.
All of these devices need access to the internet in order to share their data with you. But are they also sharing too much with the whole outside world? There is a growing body of evidence that says yes: many popular home IoT devices are insecure, and in some cases too insecure to use. And, as many are also making their way into the workplace, this could have serious ramifications for business.
Security company ESET has carried out research on a cross section of popular IoT products. Its report, IoT And Privacy By Design In The Smart Home, reveals just how vulnerable some of them can be.
Popular products
The research was based on a number of popular devices, including:
Amazon Echo
D-Link home hub
D-Link motion sensor
D-Link cameras
Nokia Body Cardio Scale
Nokia Health Body Cardio Scale
NETAMTO Weather Station
Sonos PLAY:1 speaker
Woerlein –Soundmaster Internet Radio
TP-Link Smart Plug HS110
In total, the team tested twelve products from seven vendors. One device – described as a “home automation control panel” – was not named in the report because its flaws were found to be so numerous and severe that the company was notified of the failings privately instead.
That device’s vulnerabilities included: The login process was not authenticated. The default option was to allow auto-login, which bypasses the need for userID and password. Its communications with the cloud were not encrypted. The vendor’s cloud service had the ability to establish a virtual private network (VPN). Once established, the remote network configuration could be changed, resulting in unauthorised access. Accessing the cloud service required registration, but if the user details had been compromised, VPN access could have presented a serious risk.
The privacy challenge
The data collected by each smart device should be set out in the vendor’s privacy policy, says the report. “Often companies use the term ‘but not limited to’, meaning that if they want, they can collect more than what is described on the list,” it adds.
“Issues such as the fear of oversharing of data by commercial services, insufficient protection of stored personal data, and the possibility of interception of digital traffic by cybercriminals [are] significant.”
Each device in the test collected different types of data to enable it to work. In most cases the data seemed to be in line with the service being provided, says the report. However, the Soundmaster Internet Radio appeared to have no privacy policy at all and so raised a red flag for ESET’s researchers. “If there is no stated policy, then no informed decision can be made,” says the company.
Voice-activated problems
Each of the tested devices had either security or privacy vulnerabilities, says the report, but it was the role of voice-activated intelligent assistants that raised the most privacy concerns – specifically Amazon’s Alexa-enabled home devices.
“A service that acts as a conduit to all other devices and then stores the interactions with them, potentially creates a single treasure chest for a cybercriminal. Neither the reputation of the device nor Amazon’s services are in question, but a smart hacker trying to harvest personal data for identity theft could create a spearphishing attack on individuals to gain access to their Amazon accounts.”
Read more: Kerching! Amazon pays $1bn for doorbell. Bright idea?
ESET makes a number of recommendations to Alexa users. These are:
• Set up voice recognition so only you can use Alexa.
• Delete the recordings of past interactions.
• Consider not connecting other devices when the data is deemed to be too personal.
• Switch off Alexa when you don’t need it.
• Protect your Amazon account with two-factor-authentication. This prevents access should your login details inadvertently fall into the wrong hands.
So it the smart home safe? Only possibly, says ESET, but there’s no guarantee. Some of the devices tested had vulnerabilities that were dealt with quickly with new software and firmware, adds the report. With that in mind, the researchers say that with sound judgement and caution, it is possible to start up a basic smart home.
Guidelines for a safe smart home
ESET offers the following advice to anyone contemplating a smart home network:-
• Research vulnerabilities before buying. Search terms should include: Device security vulnerability; brand security vulnerability; device privacy breach; device data leak.
• Does the manufacturer update the firmware, and can it be auto-updated, or at a minimum, are you notified through an app or email? Check the vendor website, or search online to find this information.
• Read the privacy policy. Understanding what data is collected, stored, or shared will help you make the decision on whether the device should be part of your network or kept isolated. Don’t purchase if you are in doubt.
• Use caution when sharing data on social networks or with a vendor’s own systems. Sharing your location, device, and pattern of usage may give cybercriminals enough data to scam you or start a targeted attack.
• Voice-controlled intelligent personal assistants are convenient, but they are also all-knowing. Think carefully how much you tell your assistant, or how much you ask it to gather on your behalf.
Additional reporting: Chris Middleton
Manufacturers “neglecting security”
Russian cybersecurity firm Kaspersky Lab has added its voice to the chorus of disapproval about security levels in connected home devices. It found a plethora of flaws in an unnamed smart hub that’s used to manage other devices and sensors in the home.
Researchers noticed that the hub stores login credentials, phone numbers, and other personal information on an insecure server.
Kaspersky said that if the “serial number is registered in a cloud system, criminals will receive affirmative information”. They can then “log in to the user’s Web account and manage the settings of sensors and controllers connected to the hub”.
Christopher Littlejohns, EMEA manager of IT security firm Synopsys, blamed manufacturers for neglecting these security concerns. “Vulnerabilities in smart hubs are entirely predictable symptoms of an immature organisation without a clear focus on security,” he said.
“All of these issues demonstrate a lack of threat awareness or analysis; they are fundamental design issues that creates readily exploitable vulnerabilities.
“This is a recurring theme for small and larger companies for whom speed to market is the primary goal. Companies that do not ‘build security in’ as part of their development processes will suffer the consequences of brand-damaging reports like this, or worse – they will likely go out of business.”
Nicolas Fearn
Internet of Business says
Some smart device manufacturers in the wider market have no track record in enterprise grade security, and so it should come as little surprise that products might be rushed to market with either security flaws or privacy vulnerabilities. So it is a case of buyer beware in the early days of the connected home.
While it might seem unlikely that a hacker would attack an individual home, the threat is more to do with automating attacks against specific device types, or using the computing power within smart devices to create botnets or mine for cryptocurrency, as was revealed recently at the Mobile World Congress.
These issues affect everyone in the IoT business for a simple reason: as with many popular technologies that businesses now rely on every day – social networks, mobility, and collaborative platforms – trust begins in the home.
Read more: IoT ramps up cyber security risk, says in-depth report
Read more: Top priest proposes Ten Commandments of A.I.