Every aspect of our lives is becoming ‘Internet-ready” and last week, we detailed some of the devices hackers have been able to use the Internet of Things (IoT) to steal our information or spy on us.
Both manufacturers and individuals have a responsibility to protect the information stored or transmitted by these IoT devices, and this article describes some of the reasons why so many devices remain vulnerable to attacks.
Regular Updates Needed
As the Internet of Things takes hold, there are more devices we need to remember to protect. However, even if users are super security savvy, the companies who create the IoT devices are far too cavalier about the risks. The main problem is that manufacturers don’t update their devices regularly enough, if at all. Therefore an IoT device, which was protected when you first purchased it, can quickly become unsafe as hackers find new weaknesses.
This used to be an issue for computers too, but automatic updates have helped lessen this problem. Companies are under a lot of pressure to get their devices onto the market quickly and as a result, they compromise on security. Even those who offer firmware upgrades often let this fall by the wayside when they focus on building the next device. This leaves customers with slightly out-of-date hardware that can become a security risk.
“The situation is made worse because many engineers tasked with designing and building systems are not experts in network protocols and even less versed in network security,” says Cesare Garlati, chief security strategist at prpl Foundation. “They may know how to put together hardware components, but implementing TCP/IP protocols is a rarefied discipline which requires expert knowledge and extensive debug and testing. While it’s unfair to expect mechanical and electrical engineers to shoulder this burden, the lack of subject matter expertise is leaving systems wide open to attack, something which vendors, regulators and manufacturers must carefully consider as the evolution of connected devices continues.”
If companies don’t follow a defined framework for security testing, they risk leaving consumers vulnerable to the possibility of a malicious attack. The Online Trust Alliance (OTA) studied every publicly reported vulnerability or privacy issue, from November 2015 through to July 2016, which related to a connected device and determined that all of them could have been avoided.
Nowadays, it is quite easy to keep your computer protected; however, automatic updates have become the norm in recent years, because the majority of users are too lazy to even complete the basic steps involved. Given that protecting the countless IoT devices we all own will be a much harder task than a single computer, this problem will only get worse.
You can’t rely on tech companies to provide protection. You need to take matters into your own hands. Consider how IoT devices could be used against you. Ensure you know what security features the device has. Also, keep in mind that whilst an IoT device from a small business will probably be cheaper, if that company folds, there will be no one around to patch its vulnerabilities.
In last week’s blog article, we mentioned the Samsung TV scandal involving the CIA and MI5 tapping into people’s TVs to spy on them. The main vulnerability that was exploited, was the out-of-date firmware on older TVs.
The Samsung TVs affected are these models from 2012 or 2013: From 2012: UNES8000F, E8000GF plasma, and UNES7550F. From 2013: UNF8000 series, F8500 plasma, UNF7500 series, and UNF7000 series. To find out which firmware version you have, go to the Main Menu, select Support, and then select Software Update.
The best way to protect yourself from dodgy companies, devious hackers, and government spies, is simply to disconnect your TV from the internet. If this isn’t enough protection for you, there is one way you can be absolutely sure no one is listening in – unplug the TV from the wall.
Companies Selling Data
Hackers are not the only threat to the Internet of Things. The companies who create and distribute IoT devices may also use these devices to steal personal data. An example of this, is the way BP and other companies are handing out Fitbits to their employees so that they can track their health and thus get lower health insurance premiums. Not only is it concerning that companies are monitoring the health habits of their employees, but what else could they be doing with the data they collect? Other businesses, like RadioShack, have been caught out trying to send or even sell data to other companies, which raises all kinds of privacy issues.
The bottom line is, “Think before you Sync!”