This posting is following up on the recent release of our report titled, “The State of IoT Security” which can be found here: stateofiotsecurity.com. The public response to our report has been humbling and exciting; we have definitely hit on an issue about which many of you care. However, we have also received responses that did not surprise me, but have nonetheless made me think about the role of the security community in solving this problem.
As a security expert, I understand the fatigue associated with discussions on the security of IoT devices; frankly, I have felt same way for a while now. However, after observing our customers being hit relentlessly by botnets of IoT devices, our team decided to look into this matter ourselves. This study changed the way I think about IoT Security, and I hope you will take a few more minutes to read why. I will start with my argument and three key points, then follow up with a few more details about our study.
IoT security is not a security issue, it is simultaneously a public safety and a national security issue. The security community must make solving these issues a priority.
Our tests were not sophisticated, esoteric hacking, instead they were simple, boring security tests that anyone even considering security would have performed. We performed these tests through rigorous, exhaustive review of each individual device to collect real, hard data on the lack of security on these devices, the results of which we are excited to share in this report. Our findings are the result of analyzing over 1.25 million communications to more than 3,000 external servers from 12 off-the-shelf IoT devices.
What we found, on one hand, was not surprising. Many of these devices are not secure. Much of the associated infrastructure is not secure. Several of the Android applications are borderline dangerous. Yes, it is scary to think that some stranger could watch your child sleep (easy to do with some of the devices we reviewed). We also found that someone could set off the alarm on your security system repeatedly to drive you crazy just by pasting a URL into their browser. We also proved that we could write a simple, five-line computer script to get visibility into every time a lightbulb or an outlet was turned on or off, which could be accomplished by anyone that has access to any network that your mobile phone has connected to. It is scary to think that someone could intercept traffic from one of your devices and get information such as your birthdate, e-mail address, telephone number, or even your passwords. As a part of our study, we found that all of these things are simple to accomplish on one device or another.
These things are scary, but they are nothing compared to what we, as security experts, worry about on a macro level.
What happens if we take a global perspective on these devices and we consider the impact of not just one or two insecure devices, but billions of them? While it may be an inconvenience if our thermostat stops working on a cold night, what if every thermostat in a large metropolitan city caused a massive power surge and took down the power grid? What if millions of smart lightbulbs and outlets caught fire at the same time? What if a foreign intelligence service could have millions of cameras and security systems capture audio and video on command? Think this could not happen? We found that the extent to which the manufacturers and infrastructure associated with these devices communicate with, or is related to, China is shocking and has significant national security implications.
Now, our report is not all doom and gloom. We ultimately would like to ask a simple question…what if the general public could do something small and change the future?
We are talking about consumers and retailers taking a stand to require that manufacturers and the platforms used by these devices have at least considered security and where the data of U.S. citizens is being stored in the development of their devices and the associated infrastructure.
Surprisingly, by requiring a basic level of security, there is no need to hike costs to consumers. The insecure devices we reviewed were priced similar to the secure ones, but retailers appear unaware or unconcerned about differentiating these devices to consumers, despite the clear marketing advantage, and a critical need to demonstrate that they do indeed care about the privacy and security of their customers.
We are excited to have finally released our report and share our findings with the community. I hope you will take the time to read through it and let us know your thoughts! You can access the report at http://www.thestateofiotsecurity.com and make sure to follow us on Twitter at @darkcubedcyber as we release more content associated with this report in the coming days and weeks.
This post was originally published on the Dark Cubed Blog located here: https://darkcubed.com/blog/
Create your free account to unlock your custom reading experience.