Nine Questions to Ask to Determine IoT Device Safety


The holidays are almost upon us. All around the globe, people are purchasing the latest and greatest gadgets as gifts. Consumers will be linking their new Internet of Things (IoT) thermostats, doorbells, baby monitors, security cameras, home appliances and even GPS pet trackers to the internet in droves.

On the heels of the holiday season, the International Consumer Electronics Show will take place in Las Vegas, Nevada,  where device manufacturers reveal a whole new crop of IoT devices set to hit the market in 2017.  Amazon.com now has a team of “Smart Home” consultants who come to your house to help you wade through automation, Wi-Fi, ZigBee, Alexa and a sea of other “things” for your homes.

That’s a lot of IoT devices connecting to the internet! A couple of years ago, I asked a group of people how many “things” they had connected to the internet. At the time, the largest number reported by any home user was 29. Today, that number is not uncommon. In fact, Gartner says 6.4 billion connected “things” will be in use in 2016, up 30 percent from 2015. By 2020, the number of connected devices is expected to grow exponentially to 50 billion.


While IoT brings forth many benefits to consumers—from convenience to energy efficiency, to monitoring babies and locating lost pets—it also brings risk. The Mirai botnet enslaved 152,000 IoT devices, including smart TVs, refrigerators and other smart household appliances. These devices were then used to take out the Dyn DNS service this September.


As a consumer, you might think… “why should I care if my device is involved in a DDoS attack? As long as it works, I don’t mind.” Well, some 20,000 residents in Finland found out the hard way why it matters, when their buildings’ IoT-connected thermostats stopped functioning because the devices were enslaved to a botnet conducting a DDoS attack (by the way, it’s cold in Finland in November).

Whether you are a consumer considering a connected device as a gift for the holidays, or a reporter about to review the next wave of IoT devices launching at CES, we have put together a list of questions you should ask before diving in:

  1. What are you (the manufacturer) doing to protect devices from botnet enslavement?
  2. If the device does become enslaved, will it still perform its primary function?
  3. If it breaks during a DDoS attack, will you (the manufacturer) honor the warranty?
  4. What is your security vulnerability disclosure/handling process?
  5. What personal information is stored on the device? Which user accounts (e.g. email, cloud service, etc.)?
    • How do you protect that data?
  6. Which services are enabled by default?
  7. Does it need to be directly exposed to the internet (e.g. using UPnP to create a port-forwarding rule in the internet gateway)?
  8. What is the procedure to upgrade the device firmware?
    • How do users receive notifications of updates?
    • Do you offer support for OTA (Over the Air) updates?
  9. Do you provide a web page/contact for security researchers to submit security reports? For example: https://nest.com/security/
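Questions 6 and 7 can be checked from the outside: most home gateways will report, over UPnP’s WANIPConnection service, every port-forwarding rule a device has opened for itself. The script below is an added example, not part of the original post or any vendor’s tooling; it parses constructed sample GetGenericPortMappingEntry responses and flags mappings that leave a device reachable from the internet. The list of risky service ports is an illustrative assumption.

```python
"""Audit the port mappings a home gateway reports via UPnP (IGD WANIPConnection).

Added example. Parses GetGenericPortMappingEntryResponse SOAP bodies and flags
mappings that expose a device to the internet. All XML below is constructed.
"""
import xml.etree.ElementTree as ET

# Assumption: illustrative list of service ports commonly left on by default
# on consumer IoT devices (telnet, http, RTSP, alternate http). Not exhaustive.
RISKY_PORTS = {23, 80, 554, 8080}

# Constructed sample responses shaped like a gateway's SOAP reply, one per mapping.
_TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>{int_}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
SAMPLE_RESPONSES = [
    _TEMPLATE.format(ext=8554, int_=554, client="192.168.1.23", desc="IPCam", lease=0),
    _TEMPLATE.format(ext=23, int_=23, client="192.168.1.40", desc="DVR", lease=0),
    _TEMPLATE.format(ext=5000, int_=5000, client="192.168.1.10", desc="NAS", lease=3600),
]


def parse_mapping(xml_text):
    """Extract one port mapping; matches on local tag names since namespaces vary."""
    root = ET.fromstring(xml_text)
    fields = {el.tag.split("}")[-1]: (el.text or "") for el in root.iter()}
    return {
        "external_port": int(fields["NewExternalPort"]),
        "internal_port": int(fields["NewInternalPort"]),
        "protocol": fields["NewProtocol"],
        "client": fields["NewInternalClient"],
        "enabled": fields["NewEnabled"] == "1",
        "description": fields["NewPortMappingDescription"],
        "lease": int(fields["NewLeaseDuration"]),  # 0 means the rule never expires
    }


def audit(responses):
    """Return (internal client, external port, reasons) for mappings worth questioning."""
    findings = []
    for m in map(parse_mapping, responses):
        reasons = []
        if m["internal_port"] in RISKY_PORTS:
            reasons.append("plaintext/admin service exposed")
        if m["lease"] == 0:
            reasons.append("permanent mapping")
        if m["enabled"] and reasons:
            findings.append((m["client"], m["external_port"], reasons))
    return findings
```

Against a real gateway you would issue the same GetGenericPortMappingEntry request for each index until the device returns an error, then feed the bodies to `audit`.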

Many manufacturers are not ready to answer these questions.  Not only do many manufacturers not include security features in their product development, it’s not even in their scope of thought.  What’s worse, we’ve seen some manufacturers who have command and control enabled by default for eavesdropping!

For the consumers of these devices, you may find that you’re faced with the Wild West of security concerns.  Without having a home firewall or Unified Threat Manager (UTM), how will you know that the devices you’ve bought aren’t spying on you or leaking your personal details? How many consumers even know what a UTM is, or where to purchase and install one?

Companies face the same challenges. Larger companies segment the devices from their production networks. The areas where adoption is happening fastest are where the greatest vulnerabilities lie. We believe that industry standards must come to the table in 2017. Secure communication protocols and standards will become public standards, and IoT manufacturers will be certified against them. We predict a major IoT breach is going to happen, and perhaps that will be the catalyst toward securing the Internet of Things.

