Smart devices aren’t very intelligent when it comes to protecting user privacy and handling security, according to a report by Internet of Things platform and service provider Pepper IoT and cybersecurity firm Dark Cubed.
The State of IoT Security Report reveals systemic security and privacy problems, which were discovered through testing of consumer smart home devices that are readily available from major retailers like Walmart. The report is available for download at Pepper’s landing page.
For the report, Alexandria, Virginia-based Dark Cubed had its experts test and analyze the security and the data communications for consumer IoT devices. Unlike other IoT security tests that attempt to hack the device, this test monitored and captured these devices operating as designed and developed by the vendors, and it revealed several anomalies and unexplained communications. You can see from the map above that simply operating 12 IoT devices leads to the distribution of a user’s data around the world.
“If we do not address the problem of insecure consumer IoT devices and the lack of respect for consumer privacy soon, it is going to be too late,” said Vince Crisler, CEO of Dark Cubed, in a statement. “Just because the space is complex and rapidly developing is not an excuse for retailers and regulators to turn a blind eye. In fact, the opposite is true. Retailers must consider security as a part of their buying processes and government must consider regulations that focus on consumer protections. We are passionate about these issues and excited to work with Pepper IoT in leading change.”
The report includes the security posture of nine IoT devices and applications to help retailers make informed choices that protect their customers.
Key findings of the report
- Device security is important, but the platform is much more critical: Connected devices require a sophisticated networked platform to manage communications, protect data, identify and patch vulnerabilities, and deliver a quality experience. Many (potentially most) consumer-connected devices available in U.S. retail today are managed by offshore platforms that have no motivation to protect user data or ensure high security standards.
- Patching will not fix systemic problems: Devices that are insecure from the moment they were installed have the potential to do immediate damage. These devices must be secure from day one to ensure protection of consumer data.
- The market must make security a priority: Several of the devices reviewed were painfully insecure, showing that neither the manufacturer nor its platform provider addressed security. These devices leak sensitive consumer data and open direct lines of communication to servers in countries of concern.
“Just as retailers wouldn’t sell unsafe toys, tainted lettuce or products with toxic chemicals, they have a responsibility to sell safe and secure IoT devices to consumers,” said Scott Ford, CEO at Pepper IoT, in a statement. “We are highly motivated to partner with Dark Cubed. Their report highlighted some of the key problems in the IoT market that we are solving. We are committed to working with major retailers and device manufacturers to leverage our trusted U.S.-based platform for secure and private consumer IoT management.”
So-called smart devices in the home are proliferating rapidly, from voice-controlled speakers to interactive doorbells to internet-connected refrigerators to remote-controlled light bulbs and electrical outlets. And while consumers know that internet of things (IoT) devices are useful and fun, it has become increasingly evident that consumers don’t know much about what these smart devices are doing behind the scenes.
What are they connected to, what information are they capturing, and who can see that information? And most importantly, can that information be misused by malicious actors? Dark Cubed set out to answer those questions by analyzing 12 connected devices aimed at consumers.
The findings raise awareness of the security and privacy epidemic in consumer IoT devices that are currently installed and in use in tens of millions of U.S. households. Several of the devices were “painfully insecure.” A few of the associated smartphone applications that control these devices were “terrifying in the extent to which they can access our personal data.”
Dark Cubed said that there are a large number of IoT companies and startups, but many appear not to care about security, and neither, apparently, do the retailers who sell these devices to consumers. The researchers also said there is cause for concern about China’s role in IoT, and using cloud infrastructure does not mitigate security threats.
The companies said that patching will not fix the systemic issues they uncovered. The reason these devices are being shoved into the market anyway is the explosive growth of the IoT market. Prices for the devices are cratering, and that evidently leads many companies to disregard security.
Beyond the hardware, the companies said that the security of the entire IoT communications stack must be considered, including device firmware, data encryption to and from the device, the communications infrastructure governing (and securing) the communications, the associated Android and iOS applications, and the platforms that store consumer data.
Much like your cell phone carrier has built and manages a network to control your smartphone communications, the IoT requires a similar platform. While cell phone carriers are regulated to ensure consumer privacy and safety, a similar regulatory environment has not caught up with IoT, the companies said.
Lack of visibility into privacy and security is a clear and present danger: The testing found that there is no easy way for a consumer to know whether his or her device is safe, or if its communications platform is trustworthy. Worse, the companies saw examples of established brands being adopted by companies with strong ties to foreign countries including China.
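The report's method was passive: capture a device's traffic as it operates normally and map where the data goes and whether it travels in the clear. The script below is an added example of that kind of egress audit, not code from the report or from Dark Cubed or Pepper IoT. It takes outbound flow records (device, destination IP, destination port, bytes sent), resolves each destination to a country, and flags plaintext traffic leaving the home country and traffic to destinations it cannot place. The flow records, the prefix-to-country table, and the device names are all constructed sample values; a real audit would feed it flows exported from a home router or a capture tool and use a proper GeoIP database in place of the toy table.

```python
"""Passive IoT egress audit (added example, constructed data).

Summarise, per device, which countries its outbound traffic reaches and
how much of it leaves the network over plaintext application protocols.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed prefix -> country table. These are documentation (TEST-NET)
# ranges with made-up country labels, standing in for a GeoIP database.
PREFIX_COUNTRY = {
    ip_network("198.51.100.0/24"): "US",
    ip_network("203.0.113.0/24"): "CN",
    ip_network("192.0.2.0/25"): "DE",
}

# Destination ports treated as plaintext application protocols:
# HTTP, FTP, Telnet, and MQTT without TLS.
PLAINTEXT_PORTS = {80, 21, 23, 1883}


@dataclass(frozen=True)
class Flow:
    """One outbound flow seen from a device on the home network."""
    device: str
    dst_ip: str
    dst_port: int
    bytes_out: int


# Constructed sample flows (not captured from any real device).
SAMPLE_FLOWS = [
    Flow("smart-plug", "198.51.100.10", 443, 1200),
    Flow("smart-plug", "203.0.113.5", 1883, 800),
    Flow("smart-plug", "203.0.113.5", 80, 300),
    Flow("doorbell", "198.51.100.20", 443, 50000),
    Flow("doorbell", "192.0.2.7", 443, 4000),
    Flow("bulb", "203.0.113.9", 443, 150),
    Flow("bulb", "192.0.2.200", 443, 60),
]


def country_for(ip: str) -> str:
    """Map an IP to a country label, or '??' when the table has no match."""
    addr = ip_address(ip)
    for net, cc in PREFIX_COUNTRY.items():
        if addr in net:
            return cc
    return "??"


def audit(flows, home_country="US"):
    """Per device: bytes per destination country, plaintext bytes, and flags.

    Flags are raised for plaintext traffic that leaves the home country and
    for any traffic to a destination the lookup cannot place.
    """
    report = {}
    for f in flows:
        entry = report.setdefault(
            f.device, {"countries": defaultdict(int), "plaintext_bytes": 0, "flags": []}
        )
        cc = country_for(f.dst_ip)
        entry["countries"][cc] += f.bytes_out
        if f.dst_port in PLAINTEXT_PORTS:
            entry["plaintext_bytes"] += f.bytes_out
            if cc != home_country:
                entry["flags"].append(
                    f"plaintext {f.bytes_out}B to {f.dst_ip}:{f.dst_port} ({cc})"
                )
        if cc == "??":
            entry["flags"].append(f"unknown destination {f.dst_ip}:{f.dst_port}")
    for entry in report.values():
        entry["countries"] = dict(entry["countries"])
    return report


def summarize(report):
    """Render the audit as one line per device, flagged devices first."""
    lines = []
    for device, e in sorted(report.items(), key=lambda kv: -len(kv[1]["flags"])):
        dests = ", ".join(f"{cc}={b}B" for cc, b in sorted(e["countries"].items()))
        status = "FLAGGED" if e["flags"] else "ok"
        lines.append(f"{device}: {status}; plaintext={e['plaintext_bytes']}B; {dests}")
    return lines


if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS)
    for line in summarize(result):
        print(line)
    for device, e in result.items():
        for flag in e["flags"]:
            print(f"  [{device}] {flag}")
```

The interesting output is the flag list, not the byte counts: a device whose control traffic goes over MQTT on port 1883 to a server outside the home country is exactly the "direct line of communication" the report describes, and it shows up here without any attempt to break into the device. The home-country parameter is an assumption of the example; choose it per deployment.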
“We believe that the distributors and retailers of these devices must conduct technical due diligence to ensure that communications are managed by a trusted and soon-to-be regulated U.S. company for the best chance at user security and data privacy, but this is clearly not being done by major retailers today,” the report said.
Kansas City, Kansas-based Pepper IoT offers a state-of-the-art full-stack IoT platform-as-a-service approach that it says delivers end-to-end security of users’ private information and data.