The current state of internet connected devices is somewhat precarious. Depending on what day it is and the publication you chose to read, it can be either scourge or savior.
Internet Connected Toys
Recently consumer groups have raised questions about the safety of connected children’s toys many of which are released with poor security by companies who have historically done questionable things in response to vulnerabilities and breaches (see Vtech). CloudPets for instance, a stuffed animal which allows children to record and retrieve voice messages from family members, failed to secure stored audio which led to the recordings being used for malicious purposes. Some retailers went ahead and removed the products from their stores only for them to show up on second-tier retailers’ shelves. Don’t think that CloudPets is alone though. Researchers have successfully turned other children’s toys into remote recording devices forcing the FBI to issue a warning to parents that these devices could put their children’s privacy and safety at risk.
Sentient Smart Speaker
It doesn’t appear to matter if you’re using an Echo, Google Home, or HomePod, privacy and security experts are all fearful of what these devices mean for personal and corporate security. Recently an Echo user reported to media outlets that the smart speaker in her home recorded a private conversation between her and her husband and then sent that conversation to one of her husband’s coworkers. Amazon acknowledged the incident and indicated that the “malfunction” was caused by a background conversation which activated the device. We look forward to seeing how the big smart speaker manufacturers pitch privacy and security going forward as many of them have expressed a desire to move into the corporate environment as business/personal/administrative assistants.
Thermostats and Cameras
With security cameras and HVAC systems being two early adopters of connected technology it makes sense these devices represent a high percentage of compromised connected devices. Badly written and often neglected DVR and camera software has made these devices susceptible to many types of attacks. Camera systems have become a favorite of botnet operators who hijacks them for use in DDOS attacks (see KrebsonSecurity DDOS). Part of the problem with DVRs though is people punching holes in their firewall to make them externally accessible. A simple search of Shdan.io in late 2017 for connected cameras and DVRs returned over 187,000 devices.
HVAC systems frequently come with their own set of problems: default usernames and passwords, hard-coded accounts and misconfiguration on the part of the installer have led to them being used as a point of entry in multiple high profile breaches.
Wait! This all looks like bad news.
The reality of internet-enabled devices (and the internet of things) is that you need to decide where and when it is appropriate to allow, prohibit, and restrict devices. It’s also important to recognize that many of the arguments against new technology were previously levied against laptops, tablets, and smartphones. They weren’t necessarily wrong either.
In a situation where you don’t want something recorded, it makes sense to prohibit recording devices from wherever the conversation would take place regardless of whether it is a bedroom or boardroom. If you need to make a device publicly accessible (like cameras or HVAC equipment) restrict its access to a VPN or only allow authorized traffic with an ACL. The logical next step is to restrict potentially susceptible devices to a segregated network where you can control both inbound and outbound traffic.
Just because a device makes some extraordinary claim of being “unhackable” or “built with security in mind” doesn’t mean you should use a wait and see approach. Build a plan to actively manage internet connected devices both from the perspective of access and what data is made available for them to collect and you will mitigate much of the risk currently associated to internet connected devices.