Today, we are surrounded by devices that can record the surrounding sound without our consent, take pictures without our knowledge and transmit data without our permission. In other words, we are surrounded by digital eyes and ears. Commonly, we categorize these devices as the Internet of Things, or IoT for short. Examples such as Amazon Alexa devices, Nest smart cameras and smart thermostats are taking over our personal space one piece at a time.
Recently, researchers found that devices such as Amazon Alexa possess the capability of recording their surrounding sounds without the knowledge of the owner. While this could increase the device’s capability and functionality, it poses a number of issues. First and foremost, privacy is threatened. Imagine having an Alexa in the corner of your kitchen, and it has the capability to record, store and process conversations you have there. Secondly, the same capability could create security issues, such as enabling or disabling other IoT devices in the household simply by recording and replaying a set of commands originated by the owner (e.g., Alexa can enable or disable a security system).
In addition, there are privacy issues associated with devices such as robotic vacuum cleaners. These issues stem from the robot's capability of recording and transmitting household dimensions, virtually allowing an adversary to spy on the owner if the robot gets compromised. The cleaner ships with a default username and password combination, resulting in weak authentication that attackers could easily exploit. There are seemingly endless examples of consumer IoT devices invading privacy and causing security issues.
At DigiCert Labs, we’re busy experimenting with different methods on how to appropriately categorize IoT devices based on their level of privacy invasion and known security vulnerabilities. Specifically, we’re focused on utilizing technologies such as AI and Pattern Recognition to analyze the behavior of different IoT devices in different environments.
What appears to hold true thus far is that the capabilities of IoT devices to record and transmit data without the consent of the owner are underestimated. Additionally, the lack of proper security procedures, such as authentication, widens the attack surface. The resulting conclusion is that we may be surrounding ourselves at home with devices that can cause harm, which may lead us to question whether the usefulness of these devices is worth compromising our personal privacy and security.
As the recent 2018 State of IoT survey by DigiCert suggests, IoT security is top of mind for most organizations, but many have yet to fully grasp what they need to do or make the necessary investments. The result is a clear divide between companies faring better with IoT security and those not doing well, leading to significant costs for those struggling with IoT security.
While some are concerned with the cost of good security practices (e.g., 65 percent of the surveyed companies indicated that encryption is too expensive), the reality is that the cost of ignoring IoT security may be much higher. Those struggling the most report impacts of at least $34 million over two years. Frankly, the cost of ignoring good security practices for IoT devices is too high.
Pressure is bound to continue to mount as the number of IoT-based attacks leads to widespread shutdowns of critical infrastructure. As these attacks begin to affect nation-state economies or harm public or personal health, companies will be forced to act. Already, the State of California, the U.S. Food & Drug Administration, the European Commission and the Japanese government are reviewing stronger regulation of IoT devices.
While it is a complex task to protect consumers against the privacy and security issues caused by IoT devices, we have technology available today to protect those same IoT devices against unauthorized access and improper authentication. One example is to utilize proper methods of authentication, such as PKI and digital certificates, instead of traditional usernames and passwords. We can also use code signing to secure over-the-air firmware updates, enforce secure device boot and ensure that devices only run signed code, preventing malicious tampering.
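The signed-firmware check described above, as an added illustration that is not DigiCert's code or part of the original post: the vendor signs a payload that binds the firmware version to the image digest, and the device verifies that signature against a public key baked in at manufacture before writing anything to flash. The Ed25519 key pair, the `FirmwareUpdate` structure and the firmware bytes are all constructed for the example; a production pipeline would carry the public key in a certificate chained to the vendor's PKI rather than a bare key. The version check is included because a valid signature alone does not stop an attacker from replaying an older, vulnerable image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareUpdate is a constructed update package: the image bytes, a
// monotonically increasing version number, and a signature over both.
type FirmwareUpdate struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("firmware version not newer than installed")
)

// signedPayload binds the version to the image digest, so a valid signature
// cannot be spliced onto a different image or reused to push an old version.
func signedPayload(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	buf := make([]byte, 4+len(digest))
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], digest[:])
	return buf
}

// SignFirmware is the vendor-side step: the build pipeline holds the private
// key and signs each release (hypothetical helper, assumed for this example).
func SignFirmware(priv ed25519.PrivateKey, version uint32, image []byte) FirmwareUpdate {
	return FirmwareUpdate{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedPayload(version, image)),
	}
}

// VerifyFirmware is the device-side check run before applying an update.
// pub is the vendor public key provisioned at manufacture; installed is the
// version currently running. Signature is checked first so that an unsigned
// image never influences any other decision.
func VerifyFirmware(pub ed25519.PublicKey, installed uint32, u FirmwareUpdate) error {
	if !ed25519.Verify(pub, signedPayload(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		panic(err)
	}
	update := SignFirmware(priv, 2, []byte("constructed firmware image v2"))

	fmt.Println("genuine v2 on device running v1:", VerifyFirmware(pub, 1, update))

	tampered := update
	tampered.Image = []byte("constructed firmware image v2 + modified bytes")
	fmt.Println("tampered image:", VerifyFirmware(pub, 1, tampered))

	fmt.Println("replayed v2 on device already at v2:", VerifyFirmware(pub, 2, update))
}
```

Only the public key needs to be on the device, so compromise of a fleet of units does not yield the signing key; the private key stays in the vendor's build infrastructure, ideally in an HSM.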
In the ensuing months, DigiCert Labs will publish the results of our experiments around IoT privacy and security. Our goal of such publications is to educate the public in regard to general IoT privacy and security as we innovate new solutions against identified vulnerabilities.