It’s really hard to find the worst in IoT and smart device technologies – and that is a huge problem.
Differences in the way electronic products are made, marketed and purchased make it difficult to know about vulnerabilities and technical issues when it is really needed — before the items are purchased and added into your home network.
Yes, we’ve come a long way since the fabled Ford Pinto of the 1970s and 80s – the car whose exploding gas tank was a major news issue and secured it a starring role in the Top Secret comedy. Unlike the Pinto, smart device vulnerabilities that put your privacy and your network security at risk don’t cause explosions on the freeway.
The Cacagoo internet camera – recently outed by Avira as having serious security issues – is a poster child for how unsecure devices go to market unchallenged and unnoticed. The discovered vulnerabilities not only allow hackers to intercept and view recorded videos, they also enable them to manipulate the camera itself as well as other devices in the network. Ralph Nader would have termed this device unsafe at any (internet) speed. At each of the three major stages of moving from idea to your home network – design, search, purchase – this device was barely on the radar screen. But, it’s not just a Cacagoo issue, there are a flood of other devices on the market with such unknown or unpublicized vulnerabilities.
It’s crowded on the design and development stage
The smart device market is crowded — lots of products from a multitude of manufacturers. Under each manufacturer’s umbrella, there are many models with the same generic functionalities but with a raft of small variations. Add into this mix a number of new brands and a significant dose of white-label manufacturing – it is just difficult to know the precise situation with that really cool device.
After the debacles with the Ford Pinto or Chevrolet Corvair, automakers have had two reasons to clean up their act and launch safer vehicles. First, they can get hit with a direct fine or a mandated recall. Second, the negative hit to their brand and impact on sales of all their models can be huge as consumers make their voices heard.
But the situation where automakers launch a major model to great fanfare and an expected sales regime of seven years is so yesterday. Instead, we have a plethora of manufacturers rushing their smart devices to market. The model range also makes it nearly impossible for researchers to test each variant – even if they wanted to – leaving it unclear if previously identified issues have been fixed in similar products from the same manufacturer.
Are you doing a smart web search for device issues
Reports of device vulnerabilities come and go. For a vulnerability to get much press coverage, it needs to be a device like Amazon’s Ring. Governments are generally not trying to recall vulnerable devices either – unless these devices are directly targeting children. In addition, there are only a few truly independent testing agencies such as Consumer Reports. Most publication reviews such as CNET, TheWirecutter, or PCMag generally focus on device functionality – does it actually blend – and not whether the device is secure. It’s also tough for dedicated security reporters such as KrebsOnSecurity to keep up-to-date with a name and shame strategy of listing makers of unsecure devices and their default passwords.
In short, there is some information available on the internet about specific vulnerabilities, but it is limited in its scope and breadth.
Falling into the sales funnel for smart devices
Just how a person falls into the sales funnel also impacts access to this technical information: The three major options are shopping at a brick and mortar store, directly via the vendor, or at an online market.
If shopping at a physical store, the potential customer is reliant on the salesperson for the latest technical information about each product. While that can happen, I doubt that it will happen consistently.
Buying directly from the vendor online will also limit access to bad news. Remember those issues with Ring leaking WiFi login details and its connecting cameras into a map for the police? The response might be, if you are lucky, a defensive post in the company blog.
Then there are online marketplaces like Amazon. The trend is for people do their shopping within Amazon, looking up generic terms such as security camera and Amazon proposing a range of alternatives. This positions the potential customer to wade through the reviews, looking at the mass number of reviews and their distribution – from highly negative to ecstatic — before putting the product in the basket. Just to point out, that Cacagoo camera has won four stars and an Amazon Choice rating. In addition, this is assuming that the e-marketplace is not trying to skew search results towards specific products.
Hold onto your wallet until further notice
The lack of information means that you as a potential gadget buyer needs to have a four-step plan to protect the security of your home network and personal data.
- Forget impulse buying. Do not buy any smart device on impulse. It is critical to do your homework.
- Do a web search. Do some homework for each device category and the specific manufacturers to get an idea of the security landscape. Even if a reviewer does not find a specific vulnerability in a device, pay attention to issues such as default passwords and the ease of checking for firmware updates. These are canary in the coal mine signals that might be a sign of bad things to come.
- Assume issues are systematic. The truism is that all software is hackable. On one hand, how quickly a company responds to reported vulnerabilities shows that it takes security seriously. In addition, a company with a stream of vulnerabilities – or zero response – shows that security is not an issue and these problems will likely repeat.
- Keep your eyes open. Keep up to date about who is in your home network, what ports they have left open, and who they might be talking to. You have a range of options. For a quick overview, there is the Network Scanner in the Avira Antivirus Security Free for Android and Avira Mobile Security for iOS. For a more advanced look at what is going on in your network and unsecured ports, try the free Avira Home Guard for Android, iOS, and Windows. To get an even more advanced view of what is going on — and the ability to block unwanted intruders — soon you will be able to get the latest secure router from TP-Link with Avira-powered security.
Keep calm, stay informed, and vote with your wallet.