The Cacagoo internet camera – recently outed by Avira as having serious security issues – is a poster child for how unsecure devices go to market unchallenged and unnoticed. The discovered vulnerabilities not only allow hackers to intercept and view recorded videos, they also enable them to manipulate the camera itself as well as other devices in the network. Ralph Nader would have termed this device unsafe at any (internet) speed. At each of the three major stages of moving from idea to your home network – design, search, purchase – this device was barely on the radar screen. But it’s not just a Cacagoo issue: there is a flood of other devices on the market with such unknown or unpublicized vulnerabilities.
The smart device market is crowded — lots of products from a multitude of manufacturers. Under each manufacturer’s umbrella, there are many models with the same generic functionalities but with a raft of small variations. Add into this mix a number of new brands and a significant dose of white-label manufacturing – it is just difficult to know the precise situation with that really cool device.
After the debacles with the Ford Pinto or Chevrolet Corvair, automakers have had two reasons to clean up their act and launch safer vehicles. First, they can get hit with a direct fine or a mandated recall. Second, the negative hit to their brand and impact on sales of all their models can be huge as consumers make their voices heard.
But the situation where automakers launch a major model to great fanfare and an expected sales regime of seven years is so yesterday. Instead, we have a plethora of manufacturers rushing their smart devices to market. The model range also makes it nearly impossible for researchers to test each variant – even if they wanted to – leaving it unclear if previously identified issues have been fixed in similar products from the same manufacturer.
Reports of device vulnerabilities come and go. For a vulnerability to get much press coverage, it needs to be a device like Amazon’s Ring. Governments are generally not trying to recall vulnerable devices either – unless these devices are directly targeting children. In addition, there are only a few truly independent testing agencies such as Consumer Reports. Most reviews in publications such as CNET, TheWirecutter, or PCMag generally focus on device functionality – does it actually blend – and not whether the device is secure. It’s also tough for dedicated security reporters such as KrebsOnSecurity to keep up-to-date with a name-and-shame strategy of listing makers of unsecure devices and their default passwords.
In short, there is some information available on the internet about specific vulnerabilities, but it is limited in its scope and breadth.
Just how a person falls into the sales funnel also impacts access to this technical information: the three major options are shopping at a brick-and-mortar store, directly via the vendor, or at an online market.
If shopping at a physical store, the potential customer is reliant on the salesperson for the latest technical information about each product. While that can happen, I doubt that it will happen consistently.
Buying directly from the vendor online will also limit access to bad news. Remember those issues with Ring leaking WiFi login details and connecting its cameras into a map for the police? The response might be, if you are lucky, a defensive post in the company blog.
Then there are online marketplaces like Amazon. The trend is for people to do their shopping within Amazon, looking up generic terms such as security camera and Amazon proposing a range of alternatives. This positions the potential customer to wade through the reviews, looking at the mass number of reviews and their distribution – from highly negative to ecstatic – before putting the product in the basket. Just to point out: that Cacagoo camera has won four stars and an Amazon Choice rating. In addition, this is assuming that the e-marketplace is not trying to skew search results towards specific products.
The lack of information means that you, as a potential gadget buyer, need to have a four-step plan to protect the security of your home network and personal data.
Keep calm, stay informed, and vote with your wallet.