In January, Consumer Reports published an open letter urging 25 companies that make connected home cameras, DIY security products, and connected doorbells to “implement stronger security measures to adequately protect consumers and their privacy.” To explain why, CR recounted a few examples of devices getting hacked:
- A woman reported that a man had hacked her camera, which she learned only when he started to harass her through the camera in her bedroom.
- A stranger also hacked a family’s camera to spew racial slurs at the family.
- A hacker demanded a man pay a ransom in bitcoin through his connected camera.
- A woman was awoken by someone shouting “wake up” through a connected camera located in her bedroom.
- A family learned that their home cameras had been hacked only when a stranger’s voice yelled “Come here. Come here.” through the camera.
This was just a sampling of reports, the letter explained, from December 2019 alone.
The letter didn’t make it into Wired’s history of the Internet of Things (IoT), but it was a significant moment in a worldwide trend that is still gaining momentum. Consumer Reports, the nonprofit product testing and research organization, joined the movement to require greater security in connected devices in 2018, when it began factoring security into its product reviews. Companies like Amazon and Microsoft are pushing security as well, because the IoT has been the Wild West for too long.
Exponential Growth in the Number of Connected Products
No one knows how many connected devices are in use today. Estimates range from a few billion to more than 20 billion. Guesses for the next five years reach as high as 75 billion. With growth in every sector — home, office, medical, manufacturing, retail, automotive — that estimate might well prove too low.
There is still time to get in on the IoT boom, but companies that are on the sidelines or in early stages of ideation need to account for new demands related to security that could affect speed to market. Consumers are increasingly aware that every insufficiently secured IoT device is a potential threat.
Firmware, the permanent software embedded in a device, “is a commonly unprotected attack surface that hackers use to get a foothold in a network,” warns cybersecurity news site DarkReading.com. “An unsecured IoT device is essentially an unlocked front door, which means that once attackers take over an IoT device, they can move laterally into a corporate network.”
The Rise of Botnets, "Seeding" in the Supply Chain
Unsecured devices can also be conscripted into massive botnets like those that hackers have used to take down Twitter, Spotify and other major sites. Attacks like this inspired Azure Sphere, Microsoft’s application platform with built-in communication and security features for connected devices. Azure and Amazon Web Services’ IoT Core, a managed cloud service for connected devices, require digital certificates in every device to ensure end-to-end security.
Even supply chain security is an important consideration for manufacturers of IoT devices. In 2018, Bloomberg first reported that during manufacture in China, tiny microchips were secretly added to some American-designed servers that are commonly used in U.S. intelligence and Department of Defense networks. According to the report, “One government official says China’s goal was long-term access to high-value corporate secrets and sensitive government networks.”
This was an example of “seeding,” or inserting malicious hardware or software into a device during manufacturing. Seeding is less common than “interdiction,” which refers to tampering with finished devices during shipping. Both are high-risk attacks but may become more common as the potential rewards grow. Microsoft’s security blog has posts with more on supply chain security. The National Institute of Standards and Technology’s C-SCRM (Cyber Supply Chain Risk Management) program offers detailed advice for mitigating these and other related threats.
Cybersecurity and IoT Legislation Looming
In 2018, California became the first state to pass a law requiring “reasonable” security features on every Internet-connected device sold in the state. The law went into effect this month. A bill introduced in the U.S. House and Senate in 2019, the Internet of Things Cybersecurity Improvement Act, would mandate security standards for IoT devices purchased by the federal government. In the U.K., legislators are considering a proposal that would go much further, requiring unique passwords, manufacturer-based points of contact to report vulnerabilities, and clear statements about the minimum period in which the device will receive security updates.
This information is not meant to dissuade companies from moving into or expanding their business to include connected devices. The upside is undoubtedly enormous. But manufacturers new to this space would be wise to find an expert partner like Nottingham Spirk and stick to existing tech frameworks, like the Amazons and Azures of the world, instead of trying to do it on their own.