IoT Security is Broken and Getting Worse
We are officially in the age of the “Internet of Things.” If you are unfamiliar with this term, like I was just a few months ago, it can be defined as, “the network of physical objects, devices, vehicles, buildings and other items which are embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data.”
While that definition seems all-encompassing, it does leave out the fact that anything that is connected to a network can be hacked.
That means your internet-connected devices, whether they are your security cameras, your smartwatch or your car, can be manipulated by a third party with cruel intentions.
An example of what I am talking about would be Shodan, a search engine for the Internet of Things (IoT). Shodan recently launched a new section of its search engine that allows users to easily browse vulnerable webcams.
The feed includes images of back rooms of banks, kitchens, living rooms, swimming pools, colleges, laboratories and many, many other places with unsuspecting people in them from all around the world. The cameras are vulnerable because they use the Real Time Streaming Protocol to share video but have no password to secure the feed.
Shodan works like this: the search engine scans the Internet at random, looking for IP addresses with open ports; in this case, that means looking for feeds that are not protected by passcodes. When Shodan finds an unprotected feed, it takes a screen grab and moves on, displaying the shot on its site.
While the privacy implications here are obvious, Shodan’s new image feed also highlights the pathetic state of IoT security, and raises questions about what we are doing to fix the problem. Why are things getting worse and not better?
The fact of the matter is consumers don’t value security and privacy. When manufacturers create a product, they know they can leave out the added security features and cut the price in half, making it more attractive to a prospective buyer.
Maybe, if consumers were making informed decisions and forcing the IoT companies to create more secure devices, then we wouldn’t have such problems, but that doesn’t seem to be happening. The companies are more than willing to let consumers continue to make the same mistakes as long as they are buying their product.
Most consumers fail to appreciate the consequences of purchasing insecure IoT devices. Worse, the influx of insecure devices makes the whole Internet less secure for everyone.
So, what can even be done? The US Federal Trade Commission (FTC) has asked Congress for federal data security legislation that would give the commission the authority to seek civil penalties against companies that don’t implement reasonable security. Rather than mandate highly prescriptive, technology-specific legislation, the FTC seeks a process-based approach that will remain valid even as technology continues to advance.
That sounds good, right? Eh. Some people are leery of too much regulation since it could discourage further innovation in the IoT space.
While there are tons of prospective solutions to the IoT problem, I feel like we’re in for a bumpy IoT ride over the next few years. We will continue to see devices in the news for vulnerabilities until something is done about the way consumers think about their privacy and the way companies create security within the products.
Until then, be sure to put a password on the baby monitor in your kid’s bedroom; you wouldn’t want to be a search result on Shodan.
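To confirm that the password actually took effect on a camera you own, the following added example (not part of the original article) sends one unauthenticated RTSP `DESCRIBE` and checks whether the camera answers `401` with an authentication challenge. The function names, the sample replies and the default stream path `/` are assumptions made for illustration; many cameras use a vendor-specific path, so an "inconclusive" result means you should retry with the path from your camera's manual.

```python
import socket

# Constructed sample replies, used to exercise the classifier offline.
OPEN_SAMPLE = b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\n"
LOCKED_SAMPLE = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                 b'WWW-Authenticate: Digest realm="camera", nonce="constructed"\r\n\r\n')

def build_describe(host, port=554, path="/"):
    """Build an RTSP DESCRIBE request (RFC 2326) that carries no credentials."""
    url = f"rtsp://{host}:{port}{path}"
    return f"DESCRIBE {url} RTSP/1.0\r\nCSeq: 1\r\nAccept: application/sdp\r\n\r\n".encode("ascii")

def classify_response(raw):
    """Map a raw RTSP reply to 'auth-required', 'open' or 'inconclusive'."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        return "inconclusive"  # not an RTSP status line at all
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    if parts[1] == "401" and "www-authenticate" in headers:
        return "auth-required"  # camera challenged us: the password is enforced
    # 200 means the stream description was served without any credentials.
    return "open" if parts[1] == "200" else "inconclusive"

def check_camera(host, port=554, path="/", timeout=5.0):
    """Probe one camera you own and report whether its feed demands a login."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_describe(host, port, path))
            data = b""
            while b"\r\n\r\n" not in data and len(data) < 65536:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:  # refused, timed out, or no route
        return "unreachable"
    return classify_response(data)

if __name__ == "__main__":
    print(classify_response(OPEN_SAMPLE), classify_response(LOCKED_SAMPLE))
```

Run `check_camera` with your camera's LAN address after setting the password; anything other than "auth-required" or "unreachable" deserves a second look at the device's settings.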
Posted by Sydny Shepard on Jan 26, 2016