In 2015, 50 million IoT devices were sold during the holiday season. It’s safe to assume that this number will grow dramatically this year, as the number of IoT devices and their market share – more than 5.5 million IoT devices are sold and connected daily – have continued to grow exponentially. As a result, it is highly likely that you, your friends, family, maybe your dog and cat, and even your kids can all expect a connected device to be waiting for them under their tree or in their stocking.
This can be exciting. Who doesn’t want an internet connected watch, television or microwave? But it’s important to remember and easy to forget that IoT devices can be a window into your personal life and personal data for hackers. In the past year hackers in a single attack infected millions of IoT devices and used hundreds of thousands of IoT devices to create a successful denial of service attack on Dyn, one of the major internet service providers. That was only a single attack and represents a small minority of the devices hacked in the past year.
This becomes particularly relevant around Christmas when friends and family are buying IoT devices for you and, more importantly, your children – IoT devices can and have provided hackers with information that could compromise the safety and security of those most important to you. This doesn’t mean that consumers shouldn’t buy, or happily accept gifts of, IoT devices, but it does mean that both the gift purchaser and giftee need to take precautions to ensure that their new device is secure.
Zach Lanier is the Director of Research at Cylance, a company that uses artificial intelligence and machine learning to protect against malware, and his daily job is to act “adversarial” and find vulnerabilities in security networks. He’s been hacking devices since he was in elementary school and working in network security since high school. In preparation for the holidays he has some advice on how to decide which devices are secure, because as he says “a little due diligence in the age of connectivity goes a long way.”
Don’t buy a botnet device for Grammy
No one wants to be responsible for gifting a ticking hack time bomb. Which means it is worth doing a little vetting of your IoT purchase before giving it to your innocent grandma.
Don’t forget grandmas can be hacked too.
Luckily there are a few simple, and a few slightly more complicated, steps that you can take to check that your purchase isn’t going to be a window for hackers into the gift recipient’s life.
The first and easiest way to vet before you buy is to head to google and do a few cursory searches.
- First, google the specific IoT product you are hoping to buy. Read the reviews, make sure there aren’t any shady stories of hacked exploding microwaves, maybe take it a step further and google “‘my device’ security” and see what comes up.
- Next do a google search for the company which made the device and include the word “cybersecurity.” It should be easy to learn if the manufacturer has had any cybersecurity issues in the past and, if so, how they responded. It’s also worth investigating how long the company has been in existence. If the company has been around for a long time with limited security issues it is probably a safe bet. On the other hand, if it’s a relatively new company your device is definitely at greater risk.
Next, it’s worth visiting the website of the device manufacturer to see how seriously they take their customers’ security. If the website doesn’t have a security/security response page that could be a problem.
What to do when someone gifts you an IoT time bomb?
What do you do when someone gives you a nicely wrapped IoT device? How do you make sure that device is safe to use in the same house your children are running around in?
Lanier says that after following the same steps above there are a few more simple, and a few more technical, steps you can take with your device in hand to ascertain its security.
To start there are a few simple red flags to identify. Lanier says that if the easy things are done wrong it’s safe to assume that many of the more complex security features might be missing too. As the saying goes, “where there is smoke there is fire.”
Below are a few simple security checks:
- If your device is wifi enabled, does the device support modern security protocols? The minimum barrier to entry security protocol on your device should be WPA2. If your device is using a WEP or WPA security encryption standard it might be smart to ask for a refund. Why does it matter what the acronym is next to the security encryption standard on your device? Standards such as WPA and WEP are older and over time have been rendered almost entirely insecure as a result of exposed vulnerabilities – using either one is analogous to leaving the front door unlocked.
- If the IoT device connects to your mobile device through an app it’s important to check how it connects. If the pairing process – connecting your device to the mobile app – doesn’t require you to put in a code, or the pin is overly simple it’s a bad sign. If once paired multiple other devices can also pair without reentering the code, again, a bad sign. Return.
- If the IoT device connects to a desktop or mobile web application, again it’s important to look at how it connects. If the start of the URL is http rather than https (the more secure protocol), then your device is from the start making a less secure connection. Return.
- How does your device update? This is possibly the most important because devices need to update in order to patch vulnerabilities and protect against new types of security incursions. If vendors are not updating their products it shows a fundamental lack of interest in cyber security. Ideally devices update automatically – Lanier says leaving updates up to the user is a sure way to leave customers insecure. As a next best option, hopefully you can manually update your device. If there is an option to update manually, it is crucial that you regularly do so – if you won’t, don’t connect it. If there is no automatic or manual way to update a device, it is worse than garbage. Return it.
There are also a few more technical ways to evaluate the security of an IoT device. When Lanier gets a new IoT device he always buys one to use and one “to abuse.” He pulls the “abuse” device apart and uses a soldering iron to pull out its chips so he can evaluate the update process, firmware and operating system of his devices. For those of us not quite as handy as Zach there are still technical ways to check a new IoT device’s level of security.
Most companies – at least the ones that you should be purchasing your device from – will have their firmware available to download on their website (if not, here is an overview of how to manually extract firmware). Once the firmware is downloaded you can use commercial reverse engineering tools like Binary Ninja, IDA Pro, and radare2 to look at how your device’s software is constructed.
Once the firmware is reverse engineered you can again look for red flags:
- Is your device running an older version of Linux? If so this means that your device has vulnerabilities that have been exposed and fixed in later versions of Linux.
- Is your device using hardcoded encryption keys?
- Does your device’s firmware remotely update?
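As an added illustration (not code from the article, nor from Lanier or Cylance), here is a small Python scan for the first two red flags above plus the http-versus-https check from earlier: it looks for the kernel version banner, baked-in PEM private keys and plaintext http:// endpoints in a firmware blob. The sample blob, the vendor hostnames and the kernel cutoff are all constructed assumptions.

```python
import re

# Constructed sample "firmware image" (not from any real device): a few
# strings typical of an embedded Linux build, padded with filler bytes.
SAMPLE_FIRMWARE = (
    b"\x00" * 16
    + b"Linux version 2.6.30 (build@vendor) (gcc version 4.3.2) #1 Tue Jan 5 2010\x00"
    + b"\xff" * 32
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...(constructed)...\n-----END RSA PRIVATE KEY-----\n"
    + b"\x00" * 8
    + b"http://updates.example-vendor.invalid/fw/latest.bin\x00"
    + b"https://cloud.example-vendor.invalid/api/v1/register\x00"
)

KERNEL_RE = re.compile(rb"Linux version (\d+)\.(\d+)\.(\d+)")
PEM_KEY_RE = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_/]+")


def find_kernel_version(blob):
    """Return the first 'Linux version X.Y.Z' banner as a tuple, or None."""
    m = KERNEL_RE.search(blob)
    return tuple(int(x) for x in m.groups()) if m else None


def find_embedded_private_keys(blob):
    """Return the PEM labels of any private keys baked into the image."""
    return [m.group(1).decode("ascii") for m in PEM_KEY_RE.finditer(blob)]


def find_plaintext_urls(blob):
    """Return embedded URLs that use http:// rather than https://."""
    urls = [m.group(0).decode("ascii") for m in URL_RE.finditer(blob)]
    return [u for u in urls if u.startswith("http://")]


def red_flags(blob, oldest_ok=(4, 4, 0)):  # cutoff is an assumption, not from the article
    """Summarise the firmware red flags found in one image."""
    flags = []
    version = find_kernel_version(blob)
    if version is not None and version < oldest_ok:
        flags.append("old kernel: %d.%d.%d" % version)
    for label in find_embedded_private_keys(blob):
        flags.append("hardcoded key material: " + label)
    for url in find_plaintext_urls(blob):
        flags.append("plaintext http URL: " + url)
    return flags


if __name__ == "__main__":
    for flag in red_flags(SAMPLE_FIRMWARE):
        print("RED FLAG:", flag)
```

On a real image, run this over the unpacked filesystem rather than the raw download, since vendor images are usually compressed and the strings are not visible until they are extracted.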
In the end, Zach says that, unfortunately, there is no “Star Trek Universal Tri-Corder” that can confirm that your device “checks out,” but following these steps to vet your new IoT devices will help secure the privacy and security of you and your family.