IOTThis sponsored post is produced by Bitdefender.
The intelligent home is now an exciting reality — we’re replacing our electronics with devices that act as mini-computers, knowing our every move and curating web-based content to suit our preferences. In 2016, 4 million new “things” will become available to consumers, according to Gartner. From a security standpoint, we could be talking about 4 million digital door keys to private homes.
Every unsecured IoT device can act as an entry point to your household as well as your online assets. Intruders can even use the Internet of Things to open your front door from the inside — literally. While the trend grows unabated, more consumers are starting to worry about what a fully connected home means for their security and privacy.
Where do vulnerabilities reside?
Most devices are controlled via a smartphone app. For the device to work, it usually needs access to the user’s Wi-Fi connection. If a hacker can find a way to infiltrate it, he can wreak havoc. Breaking into a smart device doesn’t give the hacker much right away, but it can lead to the full compromise of the controlling smartphone, and worse, the user’s local network.
Routers, home automation systems, smart TVs, and other devices rely on cloud technologies and mobile apps. Thus, they inherit their security issues. Cloud computing comes with its own problems: loss of control over data, eavesdropping on data transfers from customers to cloud servers, legal and compliance issues, and so on.
Mobile devices themselves face poor security practices (no mobile security installed) and a well-known array of vulnerabilities that can stem from inadequate technical controls and malicious app downloads.
“The IoT brings network, application, mobile, and cloud technologies together in a unique ecosystem but, unfortunately, it seems to acquire the nastiest security traits of each, “ says Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender.
Here are the six most common weaknesses to look for when considering buying a new IoT device:
1. Improper authentication
Credentials are essential in data security. However, the IoT revolutionizes the way we authenticate, adding biometrics — and sometimes not even asking users to authenticate. But if IoT devices are rapidly pushed to market without strong authentication mechanisms, they can be vulnerable to brute-force attacks — especially since leaks show many IoT devices are secured with basic passwords like “1234” or require no passwords at all. On the same note, some IoT cloud interfaces don’t support two-factor authentication.
2. End-to-end encryption
Transmitting data in plain text from the device’s sensors to the cloud is not a good security practice, yet some IoT apps have been found to suffer from faulty SSL implementations, exposing login credentials, tokens, and other sensitive data to traffic sniffing. Think of your smart thermostat or TV. It asks for your Wi-Fi password, which it often stores in plain text in its memory. Most devices are also naive enough to connect to any network that has the same name as yours.
3. Scarce updates
The IoT needs to push automatic software updates and — when appropriate — secure data at rest on the device. Updates perform a myriad of tasks, including patching security holes that can be exploited by hackers.
A high-end router from a leading brand had a one-year-old firmware vulnerability that enabled an attacker to take full control of the device. The worrisome fact is that the default installation said nothing about the importance of firmware updates. How many people check for firmware updates themselves?
4. Insecure web interface
Some web interfaces don’t lock users out of their accounts after a number of failed login attempts. They fail to ensure robust password recovery mechanisms, and offer no protection against cross-site scripting attacks and SQL injections. Attackers simply need to trick a user behind the router and firewall to click a link. If the web interface is vulnerable, it will provide the attacker with access to the web management interface.
5. Buggy software
Perfectly secure code is a pipe dream. Consumers want powerful software and they want it fast. This can lead to poorly constructed software that is released early and with little care for security. This can result in the inability to perform updates or backdoors that could be exploited by hackers.
More so since a significant number of Android-based smart TVs allow the installation of third party apps. A malicious link sent via Skype can easily trick the user into installing a backdoor. Some devices can also perform unrequested firmware upgrades — these can install malware instead of much-needed improvements.
6. Hardware failures
Preoccupied to create a sleek design, some manufacturers neglect hardware bugs. They can allow attackers to hard reboot the devices and their corresponding hotspots. Hackers can get in the middle and fool the mobile app looking to establish a connection. If the connection succeeds, the attacker can grab the username and password of the user’s Wi-Fi network.
Most IoT vulnerabilities are not new to the cyber-security industry. So far, we’ve seen experiments and proofs of concept, but it’s just a matter of time until attackers start mining crypto-currencies via connected refrigerators or until smart TVs are locked by ransomware. That’s why, going forward, security must be a forethought of every IoT application.
Luckily, users also have an option to boost their cyber-defenses. They can install a product to protect their entire network. Solutions like Bitdefender BOX offer a hardware device that sits between the home router and the internet-connected devices (PCs, Macs, Android and iOS tablets and smartphones).
These devices identify and block connections to malicious URLs, malware downloads, and suspicious packets leading to threats such as phishing, spam, and malware infections. They will also detect and install missing security software patches required by the operating system and locate the device if needed.
What’s more, when a computer leaves the user’s home network, a private line can be enabled to continue protecting the device on the go. It also keeps it safe from man-in-the-middle and other attacks when connected to unsecure networks, like public Wi-Fi hotspots.
Sponsored posts are content that has been produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. The content of news stories produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact sales@venturebeat.com.