No security standards for your smart devices (yet)
Many smart devices for the home – and the office – are just not secure.
There has been a flood of news stories about Internet of Things – and especially smart home – device vulnerabilities. While some may seem like far-out tabloid stories – for example, a hijacked smart baby cam talking to the mother – other events such as the Mirai botnet show how security issues in small devices can rapidly hit a global scale. It is hard to avoid the fact that many smart devices are just not very secure.
Let me count the security issues
Tucked away behind the shiny plastic of those new smart home devices, there are an array of factors that contribute to creating this insecure environment. Here are three primary factors – although there are more of them. They include:
- Hard-coded passwords
- Difficult to change default passwords
- Unpatched vulnerabilities
The ball is NOT in your court (but the foul is still on you)
With a home computer, you have the ability to practice good security hygiene. Among other things, this means having an AV in place and keeping apps and drivers updated (maybe even using an updater to make this. Then there is that important element of social engineering — you as the user not being fooled by and clicking on the most amazing web offer).
But with smart devices, you just can’t do most of these steps. In the best case, you can change the default password – but that’s about it. Most likely you won’t even know just who your smart TV is talking to and what it is talking about – and these devices are collecting a lot of potentially incriminating data about you and your activities. In fact, you wouldn’t even know if your CCTV camera is part of an international DDoS botnet gang.
Who you gonna call?
Security vulnerabilities built into many smart devices have kickstarted the debate about how government or industry regulations could help the situation. In the US, legislation has been introduced that would mandate certain standards be reached for devices to be purchased by the Federal government. This would create a knock-on security impact as device manufacturers would have to make a more secure device for Federal government customers – and this certification could be hawked to other consumers.
In the EU, the European Commission has its AIOTI – the Alliance for Internet of Things Innovation – a working group that would like to expand product labeling standards – such as currently show energy consumption – to include smart devices.
Yet another self-regulatory concept would harness independent testing organizations such as the American Underwriters Laboratories or the German Stiftung Warentest.
Time for some DIY security research
However, all of these options are still in their earliest stages – you are still on your own when it comes to shopping for a secure smart device. The only practical recourse available at this time is to do an online search to root out any security issues connected to a particular model or manufacturer. You might even take a look at the Krebsonsecurity shortlist of problematic devices. However, this DIY approach won’t uncover generic smart home components that have been built into an overall system.
Secure the connection with SafeThings
When it is impossible to adequately secure smart devices, it’s time to secure the connection to the home and monitor what they are doing. This is what we have done with our new SafeThings system. SafeThings stands at the gateway to your home’s internet connection and with the help of Avira’s AI and secure cloud technologies, sorts out who is doing what and looks out for any unusual activities. You can think of this as a smart cat door for your electronic smart pets. And because it’s mounted either within the router or at the ISP, there are no installation headaches for you as the end user.