Internet of Things (IoT) devices are becoming increasingly commonplace, whether in the home or the workplace. However, they are by and large notoriously insecure.
This is widely acknowledged by the technology industry, government and even intelligence agencies. So why is security so poor and what, if anything, is being done about it?
Not all IoT devices are insecure. That said, the security flaws that do exist tend to arise during the manufacturing process. IoT device manufacturers are not security vendors.
As a result, they often make fundamental mistakes:
- Passwords are hard-coded into device firmware, meaning users can’t change them
- Web consoles used to control IoT devices don’t encrypt data
- Back doors are left open by the manufacturer’s developers when they are creating the software for IoT devices
- Pre-set default passwords, such as ‘admin’, are often very easy to detect and crack
- It’s not easy to apply updates to IoT devices to patch against vulnerabilities
- Security that does exist is often too complex for average users to manage
Why don’t manufacturers do something about it?
There are several steps that manufacturers could take to increase security:
- Ensure automatic device updates
- Design devices with security in mind
- Provide lifetime support
- Incorporate security best practice
- Give users the option to disable specific functionality such as peer-to-peer communications
- Incorporate IoT devices into regular security assessments
Adopting these practices means that manufacturers would need to adopt new business models. They currently operate on low margins and need to sell lots of devices to be profitable.
Adopting the points outlined above would require a lot of investment that they either don’t want to make or can’t afford to make.
Are people taking the issue seriously?
- Intelligence agencies have given testimony to government hearings about the insecurity of IoT devices, warning that they could lead to serious hacks that could in some cases even result in death.
- Hosting companies have been attacked using botnets that consist of millions of compromised IoT devices which hackers have infiltrated. These attacks have taken some of the web’s most popular websites down. In the wake of these attacks, other hosting companies have sought advice on increasing security but have expressed reluctance to spend money on increasing their defences.
- Many consumers are aware of the issues, but until people are hit where it hurts, such as bank accounts being hacked, they are reluctant to take the issue seriously.
What about legislation to enforce security?
In theory governments could cooperate and introduce legislation to enforce security standards in IoT devices.
However, this is unlikely to happen for a number of reasons:
- It could drive manufacturers to operate in rival territories
- It could create conflict with other nations
- It could cause economic conflicts
- It’s an industry issue and not a government issue
So what can be done?
It’s likely that large technology vendors and organisations who have an interest in seeing IoT security will come together to create a working body and set down security standards for IoT devices.
This will help drive security, with relevant parties gradually adopting the standards. Those that don’t run the risk of losing market share or selling their devices in countries where the market is not so large.
However, this will take time. And even if security standards are set down, adoption will likely be relatively slow.
What is BullGuard doing?
In 2016 BullGuard acquired Dojo Labs. The Dojo is a smart network device that plugs into a Wi-Fi router and generates a view of all connected devices on a home network via a device called the Dojo pebble:
- All internet traffic on the home network is routed via Dojo, allowing it to secure the home network against cyber-attacks and protect the user from privacy breaches.
- Dojo discovers devices connected to the network, secures them and constantly analyses their network activity.
- A cloud platform is constantly updated with this behavioural information and with cyber-security-related knowledge.
- When malicious activity or a privacy breach is detected, Dojo notifies its owner through a mobile app, and in most cases automatically mitigates the risk.
- The Dojo pebble also provides a simple colour-based safety indication using green, orange, and red lights.
Despite the widespread vulnerabilities of IoT devices, BullGuard at least offers consumers the option of protecting their smart devices and home networks with innovative protection, one of the extremely few companies to do so.