By Zach Lanier, Cylance
Every holiday season, we hear about countless retailers that are at high risk of fraud or of a breach of their customers' financial information. Credit card skimmers and the rollout of EMV chip cards get plenty of attention, but one risk is routinely overlooked: parents rarely understand the exposure created by the connected toys and gadgets they buy and bring into their homes.
Two government agencies, NIST and DHS, have published guidelines to raise awareness of the security issues associated with IoT devices, shedding light on risks that consumers and employees should be aware of now that the holidays are over. If you bought an Internet-connected toy or device over the holidays and it is now in your home, it may give an attacker numerous ways to harvest personal information about you and your family.
While these new IoT guidelines encourage manufacturers and developers to adopt some basic security precautions, a larger problem remains: how will manufacturers be held accountable? We have guidelines and standards for security, but nothing stops anyone from shipping an insecure device that can be hacked. Consumers need to understand the risks associated with these IoT devices and, in turn, put pressure on manufacturers to ensure their products are secure. A company like Google may have the resources and tools to build reasonably secure IoT devices, but a much smaller company can ship a WiFi-enabled device with no security experience at all, let alone any awareness of the vulnerabilities it is introducing.
For example, I recently saw an IoT-type camera that was basically a playground for hackers; anything could have gone wrong. Every design decision was wrong. With guidelines like these from DHS and NIST now available, it is crucial that manufacturers and designers be held to high security standards before IoT devices reach people's homes.
As a starting point, I would advise consumers to take the following steps to stay safe around their new Internet-connected Christmas gifts:
- Look at the toy manufacturer's security track record, including how it has handled previously reported vulnerabilities;
- If the toy/product requires WiFi, make sure it supports modern WiFi security such as WPA2, and that your home network is actually configured to use it rather than an open or WEP-protected network;
- Determine what data the toy/product collects (e.g., credit card details, home address, audio or video recordings) and where that data is sent; and
- Check whether the manufacturer publishes a security or privacy policy, and if so, read it.
In the coming years, it will be interesting to see what it takes for manufacturers and government agencies to start tackling these broader IoT security risks. I certainly do think we are heading in the right direction, and hope to see more guidelines, like those from NIST and DHS, to push us even further toward concrete security regulations and to increase overall awareness. It is up to us as end users to demand that manufacturers and designers take security risks into account while building these new toys. From my smart thermostat to my nephew's i-Que robot, if a device in my home is collecting personal data and information, I want to know why, and I recommend you do the same.
Zach Lanier is the Director of Research at Cylance. Prior to joining the company, he most recently served as a Senior Research Scientist with Accuvant Labs, and before that as a Senior Security Researcher with Duo Security. He has spoken at a variety of security conferences, including Black Hat, DEF CON, CanSecWest, INFILTRATE, Countermeasure, and SummerCon, and is a co-author of the "Android Hacker's Handbook" (Wiley, 2014).