Kiri is Head of Data Scientist for Threat Intelligence & Overwatch at Mimecast. She previously worked in the public sector where she was responsible for creating systems to detect and prevent cyberattacks and fraud. Her academic background includes a PhD in Physical Chemistry and a Master’s degree in Physics & Astrophysics.
Home security cameras have recently fielded a spate of attacks affecting users across the U.S.; a particularly frightening recent news story describes how a Ring camera installed in a child’s bedroom was hacked and used to scare the eight-year-old girl. The hackers were able to watch the child through the camera and use the microphone to speak to the child.
According to the Washington Post, “Several Ring users nationwide have reported that their security systems were also infiltrated by hackers who harassed them through the camera’s two-way talk function.”
It is widely known that IoT devices are lacking in security and vulnerable to cyber risks and hacking. With the technology market moving at a rapid pace, companies are often in a hurry to get their products out of the door and into the market before their competitors, or before new technological advances render their product obsolete. However, some experts believe the growing spotlight on the inadequate security in IoT devices will force companies to build devices with security in mind.
“IoT device makers and deployers of connected devices will put plans in place to upgrade the capabilities they offer to ensure secure IoT systems,” said Charlene Marini, VP of strategy, IoT Services, Arm, in IoT World Today.
Unfortunately, this is not today’s reality. For most manufacturers, security is still at the bottom of the list of features. With a constantly evolving product range, there is no time or desire to develop patches even when vulnerabilities are identified. The device in this story was made by Ring, a well-known brand owned by Amazon, who state that they ‘take the security of our devices seriously’ and provide options like 2FA to help users secure their devices.
In fact, according to CNET: “Robust passwords and two-factor authentication are the minimum for decent security these days. But smart home companies can do more to protect users from these types of attacks. One easy fix: Companies could require -- rather than simply recommend -- that consumers use two-factor authentication when they log in.”
Why consumer IoT security is becoming a growing issue
One of the primary issues with IoT devices is that they are often shipped with default credentials, i.e. password = password. Consumers must make sure they change the default passwords.
This also goes for routers; consumers are the ones who have to secure the perimeter of their home networks. Another common issue is password reuse; reusing the same password is a common habit among most people, which opens up a whole new avenue of vulnerability for home devices. It’s critical to use a unique password for every account to stop hackers from reusing leaked or stolen passwords from other services. Like CNET suggests, use 2FA where possible. Even though the Ring device that was hacked had that option, the responsibility falls on the end consumer to set it up and make full use of the feature.
Incidents like this illustrate the bigger security challenge of consumer IoT devices. With most users viewing them as little more than household appliances, they simply aren’t considered to be a major point of vulnerability.
As more and more devices find their way into our homes and become more ‘invisible’ as they integrate into our daily lives, we need to rethink the way we view cybersecurity for these products. Even more importantly, we need cyber awareness training and education to take these lifestyle products into account and make sure people understand what they’re signing up for when they fire up their new router or the camera in their child’s bedroom.