In our previous post, we went over the basics of what a smart sensor is, its parts and the different categories they can fall into. It’s a technology that continues to grow, and with the explosion of IoT, these sensors are becoming more embedded in our lives each year. However, as we adopt this connectivity, hackers throughout the world are drooling at the realization of increased opportunities to attack.
Security is by far the biggest challenge to connected devices. Avast, an advanced cyber security software company, published a report in 2019 stating that two out of five digital households worldwide have five or more devices connected to the internet. Many of these devices leave their owners vulnerable to attacks because they are gateways to our networks that many of us never think need our attention, like printers or media boxes such as a Chromecast.
The ways hackers can infiltrate our cyber networks are endless, and every type of connected device requires its own unique measures of security. Smart vehicles, home security systems, healthcare and wearable devices, payment solutions and more could all be at risk if not given the proper attention. Let’s take a look at a few ways products could be vulnerable and who is ultimately responsible for their protection.
Do you remember the main components of a smart sensor we discussed in our last post? They are the sensor itself, the microprocessor with an integrated means of communication, and a power source. That microprocessor often comes from a factory that uses a standard, often weak password for all chips manufactured. Because 15% of IoT device owners never change this default setting, security researchers at Positive Technologies indicated that in 2017, just five passwords would grant access to 10% of these items. To put it into better perspective, that accounts for millions of devices, and it’s a big deal.
The obvious solution is to make sure consumers are modifying passwords as soon as a device is set up, but that’s easier said than done. States like California are using legislation to combat this type of security threat from the source rather than relying on buyers. In January 2020, a law will go into effect requiring manufacturers to provide unique passwords for each individual device or prompt users to change the default password prior to use. It’s a good start for a problem that will require a multi-faceted solution.
While responsibility for password security has typically fallen to the consumer, other vulnerabilities depend on the responsiveness and accountability of the companies themselves. One example of what not to do, as reported by Cisco Talos, involved the Trane ComfortLink II thermostats. Talos discovered three vulnerabilities way back in 2014 that could allow hackers to gain control of the thermostat as well as the local network. The company was notified and attempts were made to work with them to develop and release appropriate patches, yet it took a full year for Trane to address two of the three issues, and another nine months to patch the third. During this time, homeowners were unaware that their network could be easily accessed and exploited. A lack of urgency and attention put their customers at major risk, and this apathetic demeanor resulted in a loss of trust in the company.
SOMETIMES, SMART IS DUMB.
Let’s talk about one more. The smart fridge. Don’t ask us why you need one, but they’re on the market and people are buying them. You may have heard about Samsung’s security nightmare when their RF28HMELBSR (wow) refrigerator was reported to have a massive flaw, allowing hackers to access its owners’ Gmail credentials. While Google’s servers use SSL encryption for connections, Samsung’s SSL implementation fails to check the validity of the certificates. Encryption without certificate validation protects the data in transit but does not confirm who is on the other end of the connection. This is just one example of Samsung’s ongoing security issues in their line of products. Their most recent smart fridge, however, now notifies owners of firmware updates right on the door’s screen, though this still requires action on the consumer’s part, which, as we’ve mentioned, doesn’t always happen (re: the gas light example in our last post).
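The certificate check that the fridge skipped can be tested for in client code. The Python sketch below is an added example, not Samsung’s code or anything from the original report; the function names are hypothetical. It contrasts a TLS client context that encrypts without validating certificates with a default one, and adds a small audit a test suite could run against any context before it ships.

```python
import ssl


def weak_client_context():
    """Client context matching the flaw described above: the connection is
    encrypted, but any certificate the server presents is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be turned off before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # certificate chain is never validated
    return ctx


def hardened_client_context():
    """Client context with the library defaults left on: chain validation
    against the system trust store plus hostname matching."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx):
    """Return a list of findings; an empty list means both checks are on."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or "ok")
```

Running the audit in a firmware build’s test stage catches a context that was relaxed for debugging and never restored.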
The point we’re trying to make is that while the prevalence of IoT and smart products will only continue to increase, security must remain a top priority at every level. Manufacturers must remain educated on the latest security trends, companies need to put the appropriate resources in place to proactively identify, fix and communicate vulnerabilities to their customers, and we all must be cognizant enough to routinely update our smart products. It’s a multi-step approach and the responsibility lies with everyone.