Every day, large numbers of IoT devices that have not undergone rigorous security testing are connected to our lives. We must recognize that this is a process of gradually accumulating risk. We require vehicles on highways to comply with safety standards and undergo annual inspections to ensure traffic safety, yet there are no comprehensive product cybersecurity specifications and requirements for IoT devices on the information superhighway, and there is even less safety supervision of their operational performance. Various signs indicate that the threats of cyberattacks and privacy breaches in smart IoT applications are growing rapidly.
The following summarizes 7 widely used IoT devices that pose significant security risks and give professional security personnel headaches:
01 IoT Security Cameras
Whether for urban streets, corporate facilities, or schools and hospitals, IoT cameras have become the mainstream application for our interconnected and monitored lives. Even without considering the massive privacy concerns arising from the leakage of surveillance videos, other security risks of IoT cameras have also come to light. The rise of the Mirai botnet and the DDoS attacks it caused is a typical manifestation of the threats posed by cameras, as attackers are adept at exploiting security vulnerabilities in IoT cameras to create bot armies for illegal attacks.
Security researchers indicate that IoT cameras are often riddled with flaws, including the lack of authentication in the protocols used for streaming video and the lack of encryption for communications between the camera, application, and server. These flaws not only enable Mirai-style DDoS attacks but also open the door to targeted attacks, including remote takeover of cameras and commercial fraud.
02 Robot Vacuum Cleaners
Did you realize that when a robot vacuum cleaner roams around rooms and offices, it may not only be cleaning dust but also mapping the layout of these spaces and transmitting that data back to the vendor’s cloud database? Many people may not be aware of this until now, as most do not think deeply about how a vacuum cleaner works.
But it is a fact. Just months ago, Amazon acquired Roomba’s manufacturer, iRobot, for a whopping $1.7 billion. iRobot is one of the world’s largest holders of detailed data about consumers’ physical spaces. The acquisition, as another example of Amazon collecting IoT data, has raised alarms among privacy advocates. Robert Weissman, president of the consumer advocacy organization Public Citizen, stated, “Amazon’s move is not just about selling another device in its marketplace, but about gaining more details of our privacy in our lives to gain an unfair market advantage and sell us more products.”
03 Smart Speakers
“Hey, smart speaker, tell me, what are the cybersecurity risks of connecting you to the cloud?”
Major tech companies have launched smart speaker products one after another, with features that even security professionals find hard to resist. Surveys show that many security professionals use smart speakers, not only because they are fun but also because they make life convenient; a simple voice command can control lights, play music, and so on. However, this convenience undoubtedly increases security and privacy risks.
Currently, the various potential risks associated with smart speakers have been fully exposed, from vendor eavesdropping to analyzing other consumer behavior, to being hijacked by malicious actors to monitor corporate activities. However, the industry still lacks sufficient technical means and standards for privacy protection in the application of smart speaker products.
04 Smart Toilets
Smart toilets are already widely used, and they are very convenient, making people’s lives more comfortable. In the future vision for smart toilets, scientists are starting to add more capabilities. They believe that people have unique biometric features on their backs, similar to fingerprints, which can be used by smart toilets to identify certain diseases at an early stage. Other ideas include toilets that can remotely screen waste and upload data to detect signs of diseases. A survey by Thomson Reuters showed that only half of the respondents felt comfortable using smarter toilets, and 30% stated that due to security concerns, they would do everything possible to resist connecting smart toilets to IoT systems.
05 Connected Vehicle Applications
Connected vehicle applications are currently the focus of attention in the IoT field, with many service providers vigorously promoting the benefits of this application, such as simplifying toll processes, recovering stolen vehicles, and achieving safe driving.
However, when it comes to other surveillance or tracking disruptions, smart connected vehicle applications undoubtedly open the door to various security and privacy issues, providing malicious actors the opportunity to illegally track and manipulate vehicles; moreover, when the connected vehicle system fails, it can lead to a multitude of vehicle availability issues.
It is worth noting that smart connected vehicle applications have begun to normalize and become permanent, and addressing the security challenges posed by these applications will be a long-term process.
06 Smart Home Appliances
Security vulnerabilities are no longer solely the concern of corporate security personnel; many homemakers must also face system firmware issues in smart microwaves and water heaters. Ten years ago, this situation might have sounded a bit “far-fetched,” but it is becoming increasingly common.
Earlier this year, a well-known microwave manufacturer inadvertently released incorrect wireless firmware updates across Europe due to human error by the system administrator, causing the microwaves to mistakenly think they were steam ovens, resulting in damage to tens of thousands of devices. Smart appliances like ovens, microwaves, and refrigerators may not necessarily pose the same enormous corporate risks as other IoT devices, but the above situation raises appropriate risk assessment questions: “Is the return on making these devices ‘smart’ really worth it?”
07 Smart Locks
Mechanical locks are the most fundamental, tangible, and familiar security barrier in our daily lives. When people lock their doors, they hope to keep bad people out, but there is an old saying in the security industry: “Locks keep out gentlemen, not rogues.” In the era of IoT “smart locks,” things have become even worse, as the tools for unlocking are no longer hooks but scripts and sniffers. As a device, a smart lock sounds cool and is convenient for the average person. However, these devices also pave the way for certain attack scenarios. Smart locks offer many seemingly advanced security features, including fingerprint readers, anti-peep touch screens, and app control via Bluetooth and WiFi. However, these connected features also make users feel uneasy about security, as attackers can physically locate and remotely control any smart lock connected to the vendor’s cloud infrastructure while also stealing users’ private data.
Conclusion
Among the widely used IoT devices, most have various security issues. Therefore, while enjoying the convenience brought by smart IoT devices, we must enhance our awareness of cybersecurity, understand cybersecurity-related knowledge, and learn cybersecurity prevention techniques. The following suggestions can help us use smart IoT products (systems) more safely:
- Timely Upgrade Security Patches. The network environment is the foundation for the normal operation of the entire IoT. As ordinary users, we should promptly apply firmware updates and software patches to our devices to cope with constantly changing network attack methods and ensure the security and reliability of our IoT device applications.
- Monitor Abnormal Changes in Network Traffic. You can use the router’s traffic management function to check the network data flow of IoT devices, to detect suspicious data transmission behaviors early and block network attacks in time.
- Strengthen Identity Authentication Management. When users connect smart IoT devices to the network, it is recommended to use strong password combinations to enhance identity authentication, defending against password cracking, unauthorized access, sniffing, and other attacks. Most IoT devices are connected to a central control device, and to prevent IoT devices from being absorbed into botnets, it is recommended to regularly update the management password of the central device.
- Avoid Using Open Source Component Products. Many IoT products adopt open-source code components to build their software systems for cost reasons, making it easier for attackers to find code vulnerabilities. Many security incidents also indicate that attacks on such products are often more frequent than on non-open-source products.
- Purchase Products from Mainstream IoT Service Providers. When selecting smart IoT devices, it is advisable to purchase products from mainstream manufacturers, as large manufacturers usually have higher security requirements for their products and are capable of timely patching vulnerabilities when they are discovered.
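The traffic-monitoring suggestion above can be made concrete with a small script. The following is an added example, not part of the original article: it compares each device's latest hour of outbound traffic with its own history and flags the sudden volume and destination fan-out typical of a camera recruited into a Mirai-style botnet. The flow record format (hour, device, destination, bytes sent), the thresholds, and all names are assumptions; real routers export this data in their own formats.

```python
import statistics
from collections import defaultdict

def sample_flows():
    """Constructed sample data: (hour, device, destination, bytes_out)."""
    flows = []
    for hour in range(6):  # hours 0-5: normal behaviour used as the baseline
        flows.append((hour, "camera", "cloud.vendor.example", 40_000 + 1_000 * hour))
        flows.append((hour, "vacuum", "maps.vendor.example", 5_000 + 200 * hour))
    flows.append((6, "vacuum", "maps.vendor.example", 5_500))
    flows.append((6, "camera", "cloud.vendor.example", 42_000))
    for i in range(30):  # hour 6: the camera suddenly talks to 30 unknown hosts
        flows.append((6, "camera", f"198.51.100.{i}", 20_000))
    return flows

def summarize(flows):
    """Total bytes sent and set of destinations per (device, hour)."""
    stats = defaultdict(lambda: {"bytes": 0, "dests": set()})
    for hour, device, dest, nbytes in flows:
        s = stats[(device, hour)]
        s["bytes"] += nbytes
        s["dests"].add(dest)
    return stats

def find_anomalies(flows, check_hour, byte_factor=3.0, max_new_dests=3):
    """Return [(device, [reasons])] for devices that deviate in check_hour."""
    stats = summarize(flows)
    alerts = []
    for device in sorted({d for d, _ in stats}):
        baseline = [s for (d, h), s in stats.items() if d == device and h < check_hour]
        current = stats.get((device, check_hour))
        if current is None:
            continue  # device sent nothing in the hour under inspection
        if not baseline:
            alerts.append((device, ["no-baseline"]))  # device never seen before
            continue
        typical = statistics.median(s["bytes"] for s in baseline)
        known = set().union(*(s["dests"] for s in baseline))
        reasons = []
        if current["bytes"] > byte_factor * typical:
            reasons.append("volume")
        if len(current["dests"] - known) > max_new_dests:
            reasons.append("fan-out")
        if reasons:
            alerts.append((device, reasons))
    return alerts

if __name__ == "__main__":
    print(find_anomalies(sample_flows(), check_hour=6))
```

A device that appears with no history is reported as "no-baseline" rather than silently skipped, since an unknown device on the network is itself worth a look.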
Reference Links:
https://www.darkreading.com/vulnerabilities-threats/7-iot-devices-that-make-security-pros-cringe