The average home is now littered with smart devices and IoT (Internet of Things) devices that connect to the internet and have cameras and microphones at the ready. There are smart fridges, smart TVs, smart bulbs, speakers, and even toys and diapers have some sort of wireless connection, whether it’s bluetooth or WiFi.
With so many devices having made their way into the average consumers’ home, we wanted to think about how that affects one’s security and privacy.
We spoke to Adrian, a security professional at Thinkst, about the proliferation of smart devices, the privacy and security implications, and how consumers can better protect themselves.
Can you describe the state of consumer IoT products in terms of security/privacy? Do you think we’re getting better or worse than 5 years ago?
Adrian Sanabria: In general, I’m seeing a positive trend in the most popular and mainstream consumer IoT products. Five years ago, it was common to still see default credentials (such as username and passwords) on devices and products with a lot of attack surface (ways in which a hacker can attack a device). Much of that has gone away.
However, when it comes to some of the more obscure IoT products out there, we still see security that’s just as terrible as ever. This is due to a few factors:
- Consumers don’t know what to look for in terms of security or privacy, so it’s hard for them to demand secure products.
- Consumer products tend to drive the price down as competition increases and markets commoditize. The result is small teams rushing IoT products out the door without proper security and privacy controls.
- Laws still don’t go far enough when it comes to enforcing IoT device security. California’s IoT Security Law (SB-327) is a good start, but we need to continue pushing that legislation deeper and from the state-level to the federal level in the future.
Do you think there will be any significant changes in consumer smart devices in the next few years?
No, I think consumer IoT is still at the stage where the clear market manufacturers are polishing products and releasing second, third and even fourth generations of products, keeping the output at an even pace with consumer demand. More foggy markets, where we haven’t seen a proven market demand, are still throwing ideas against the wall to see what will stick. Expect to see tiny, internet-connected computers shoved into more and more ridiculous everyday products and devices.
Are there any IoT/Smart products that are worse than others, or is the security and privacy of IoT devices largely the same? Are devices like Smart Locks less secure than Smart Bulbs or Smart Fridges, and are smart speakers like Amazon Echo particularly egregious?
Certainly, products made by companies that are not traditionally tech companies often get security and privacy very wrong on the first few tries. Amazon and Google are more likely to get security right (and are predictably unscrupulous when it comes to privacy). Companies that traditionally make consumer deadbolts and locks, for example, are more likely to make some basic mistakes when it comes to security and privacy design.
These niche markets are full of companies eager to be the first in their particular submarket to rush into the smart-product space. Cooler heads saying, “slow down, have it looked over by security experts first,” are going to be ignored most of the time. Time-to-market, and ensuring a product is available for purchase as soon as possible, is the main priority. These situations are where regulations can help.
Are there any devices you’d recommend people avoid if they’re concerned with privacy/security? There are a lot of new ‘smart’ devices out there (we’re reminded of the smart diapers that were recently released).
It depends on each individual’s desire for privacy and willingness to compromise. If you are personally concerned about stalkers or have had issues with abusive partners or family members, you’ll probably be more wary of any device that places microphones and/or cameras in your car or home.
Another consideration is that attackers have been known to target employees (especially key employees, or high-level employees) at home. If you’re the Controller or Chief Financial Officer for a company, for example, you might want to ask for additional assistance from your company’s security team in securing your personal network and devices against attacks.
What do you think the tradeoff is between having IoT devices in your home vs. not? Smart diapers are easy to avoid but what about something like a Smart TV (which seems to be most TVs)?
The primary benefit of most smart devices is convenience. Convenience has been a key focus for most technology-driven markets for many years – even before the advent of IoT. The challenge is that, in many cases, consumers won’t have the option of ‘non-smart’ devices. Try to find a new car today that doesn’t have built-in microphones and Bluetooth. 4G and Wi-Fi are standard on some models. TVs and game systems now come with virtual assistants and embedded cameras and microphones.
In some cases, manufacturers include the ability to disable smart features, but not all companies do.
In households where one family member is privacy-conscious, but others are not, these sorts of dilemmas can create disagreements and disruption. Even within the home, privacy can be violated with these devices. I’m personally conscious of this, because I know, with an Amazon Echo in every room of the house, I can use them as an intercom to ‘drop in’ on any room in the house at any time, day or night.
Have you resigned yourself to having certain smart devices in your home, and/or have you gone out of your way to avoid buying a smart version of a device?
There’s a school of thought among security professionals that recommends abstinence from any device or service that could be insecure or erode privacy.
Personally, I intentionally take measured risks. I strongly feel that, as a security professional, I need to be among the first early adopters to try out new technology and explore the edges of what’s possible with them. This allows me to understand how new technology can be abused and misused. I can provide better, more nuanced advice as a result.
How can consumers better protect themselves and keep themselves secure when it comes to IoT devices?
That can be really tough for the average consumer – there’s no solid or fool-proof way to tell that an IoT device is secure. However, I’d suggest doing a web search for the name of the vendor and vulnerability disclosure. What you’re looking for is a clear way for security researchers to report privacy and security issues to that vendor about their products.
If a vendor doesn’t make it easy for researchers to report problems, I’d be significantly less comfortable using their products.
For example, I recall seeing a lot of issues with these little laptop-like devices that a toy vendor made for children. It took a few searches to find the name of the company that makes these tablets and laptops for toddlers and I can see that they even had to pay a hefty FTC fine. I still can’t find any easy way to notify them about security issues, so I personally wouldn’t touch their products.
Given a choice, would you recommend consumers hold off on bringing IoT devices into their home if possible or is it better to opt for convenience, buy the IoT products and just ensure the right security measures are in place? Does this answer differ for consumers who are/aren’t so technical?
That’s a tough question. I’d say you should think through some worst-case scenarios. There’s not much that can go wrong with an Internet-connected toothbrush, whereas I think it’s reasonable for someone to conclude that they’re not going to bring anything with an embedded camera into their home, unless it’s easy to cover or disable. The worst part is that, unlike cars, child seats and most major appliances, IoT device manufacturers aren’t required to recall devices with security or privacy issues.
It’s tough to recommend avoiding IoT devices altogether, but it will probably be another 5 or 10 years before regulations catch up to where they need to be.
Adrian is an experienced security professional with over two decades of industry experience. He loves games, gadgets and all things tech-related. He is a compulsive researcher and most recently has been trying to understand why data breaches and cyber intrusions are still so common.
Adrian is an Advocate at Thinkst, the company behind the much loved Canary and Canarytokens. At Thinkst, Adrian helps ensure businesses have the means to detect attacks before they turn into breaches.