March 15, 2019 is internationally recognized as World Consumer Rights Day. The theme for 2019 is “Trusted Smart Products”.

“The emergence of smart technology brings many opportunities for consumers; access to new services, more responsive products, greater convenience and choice. There are, however, some significant causes for concern: lack of security, privacy and meaningful choice over how we use them, as well as a lack of clarity about who is responsible when things go wrong.” (official World Consumer Day mission statement)

Over the past years, connected devices such as home routers, IP cameras, smart TVs, digital video recorders, and other smart devices have become an increasingly popular target for cyber criminals. According to Fortinet’s quarterly threat report, in the last quarter of 2018, 50% of the most prevalent exploits targeted IoT devices. We have seen those devices being joined to enormous botnets by Mirai or VPNFilter and being abused by cyber criminals for large-scale distributed denial of service (DDoS) attacks or crypto mining. Trusted smart devices like baby monitors and home surveillance cameras are being turned into espionage devices against their owners.

Multiple factors contribute to making IoT devices an attractive target for cyber criminals. The typical IoT device is…

  • Always on
    IoT devices are always powered on and online, ready to receive voice commands, transmit temperature or humidity data, grant access to restricted premises, or capture the latest soccer match between Barcelona and Madrid.
  • Ready for big-data
    IoT devices with no keyboard and no screen are often not perceived as (rather powerful) computers. However, most smart devices run a Linux operating system and come with vast amounts of computing power, storage, and bandwidth, enough to process thousands of photos and videos, stream in 4K resolution, or render 3D graphics on the fly.
  • Unmanaged and outdated
    The IoT ecosystem is heterogeneous, with protocols and management interfaces varying significantly between vendors and even among different product generations of the same vendor. IoT devices are rarely updated and, as a result, remain prone to known vulnerabilities and exploits.
  • Not security-tested
    It is common practice for traditional IT systems and applications to be tested for security issues. Within the IoT sector, however, this practice is not widespread yet. Looking at the price of the devices themselves, it becomes hard to justify the budget for security assessments. Add to that the lack of experience of cybersecurity experts in this domain, and you can understand where the problem lies. One solution to help overcome this issue and increase transparency is to call in the IoT Inspector. Vendors should be obliged not only to provide a secure product but also to ship regular firmware updates to keep devices secure in the long run.

Plug, play & throw away

With virtually no IT background required, adding a smart device to your home network has nowadays become easier than installing a washing machine or assembling IKEA furniture. Bear in mind, however, that the gain in usability often comes at the cost of security. Long-established security standards from desktop or mobile environments are put aside for the sake of simplicity.

The pace in the IoT industry is extremely fast. Time to market is the top priority. New product generations with new features are released every few months, while support for existing products is dropped arbitrarily, resulting in more and more “End-of-Life” or “End-of-Support” devices. Yet those devices have a lifespan of many years, neglected by the vendor and increasingly exposed to security threats.

IoT devices in a throwaway society.

IoT devices have turned into commodity products in a throwaway society. With products offering close to identical features, many vendors rely on price to attract customers. Needless to say, competition is fierce. Pressure to keep costs down leads to outsourcing the majority of the components, and final devices that are produced entirely in-house have become rare. Instead, relying on a complex supply-chain ecosystem comprising retailers, wholesale importers, so-called white-label manufacturers, original equipment manufacturers (OEMs) and original design manufacturers (ODMs) has become the norm. Hardware and software components are bought, copied, and assembled before being put into a new, shiny box and shipped to the customer.

Budget and time constraints are never the best breeding ground for quality. While issues with functional requirements tend to result in complaints from unsatisfied customers, non-functional quality issues, such as security vulnerabilities, often go unnoticed until it is too late. This makes it easier to understand why vendors choose to cut budget there. A lack of appreciation for security, and of security know-how, contributes to this tendency.

But we live in a time of change. Security and privacy are fast becoming stronger requirements for consumers and organizations, encouraging regulatory bodies to focus more on the issue. The FTC has forced ASUS to establish and maintain a comprehensive security program to combat critical security flaws in its home routers and cloud services, California is banning connected devices with default credentials from 2020, and the German BSI is requiring vendors to follow “secure by design” principles and make the support cycles of their products transparent. Vendors such as Huawei, which are suspected of supporting state-sponsored espionage by hiding backdoors in their products, are banned by many organizations and governments, such as New Zealand and the USA.

What Can You Do?

It would be easy now to lean back, point fingers and blame the vendor for not shipping “secure by design” devices, the retailers for importing cheap devices with questionable security standards, the regulator for allowing all of this to happen and not putting a stop to it, or consumers for buying such devices and connecting them to their network without giving a second thought to how doing so leaves the door open to cyber attacks.

One of the big challenges today is to ensure that vendors live up to their security promises and claims in order to comply with newly established regulatory requirements. Given the high costs and specific expertise required to conduct thorough security assessments of the thousands of new IoT devices flooding the market every month, the only viable option is to automate the technical security assessment of the device’s brain: its firmware.

IoT Inspector’s mission is just that: to provide a cost-effective and efficient way to challenge any vendor’s security promises and to support organizations and individuals in pushing vendors to implement the security requirements and respect their customers’ right to security.

SEC Consult technology has helped uncover hundreds of critical security vulnerabilities in different products across various vendors, and our team will work relentlessly to bring many more to light.


Celebrating World Consumer Rights Day 2019, we are offering free IoT Inspector scans to individuals and organizations aiming to improve the security and resilience of the Internet of Things. Get active, and tell us what nasty vendor secrets you were able to uncover by using IoT Inspector.

Sign up for your IoT Inspector Demo