Retrograde fixes, contrary to popular opinion, are not a simple matter. The industry is now moving away from user-activated patching towards automated Over-The-Air (OTA) upgrades on high-end devices, but both approaches perpetuate the idea that ‘we can ship now/fix later’.
OTA is still a complex process, and if the channel itself is not secured, manufacturers risk creating a direct connection to devices that could become a conduit for malware.
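As an added illustration of what securing that channel means on the receiving end (example code written for this page, not the author's or any vendor's), here is a Go sketch of the checks a device should pass before flashing an OTA image: the manifest must carry a valid vendor signature, the offered version must be newer than the installed one, and the image hash must match the signed manifest. The manifest layout, the `Device` type and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Manifest (assumed layout): 4-byte big-endian version, then SHA-256 of the image; the vendor signs it.
const manifestLen = 4 + sha256.Size

type Device struct {
	VendorPub    ed25519.PublicKey // pinned at manufacture; only the vendor holds the private key
	InstalledVer uint32            // remembered so downgrades to vulnerable builds are refused
}

func buildManifest(version uint32, image []byte) []byte {
	m := make([]byte, manifestLen)
	binary.BigEndian.PutUint32(m[:4], version)
	sum := sha256.Sum256(image)
	copy(m[4:], sum[:])
	return m
}

// VerifyUpdate runs the checks a device must pass before flashing anything received
// over the air: well-formed and vendor-signed manifest, anti-rollback, image integrity.
func (d *Device) VerifyUpdate(manifest, sig, image []byte) error {
	if len(manifest) != manifestLen || !ed25519.Verify(d.VendorPub, manifest, sig) {
		return fmt.Errorf("manifest rejected: malformed or not signed by vendor")
	}
	ver := binary.BigEndian.Uint32(manifest[:4])
	if ver <= d.InstalledVer {
		return fmt.Errorf("rollback refused: offered v%d, installed v%d", ver, d.InstalledVer)
	}
	if sum := sha256.Sum256(image); string(sum[:]) != string(manifest[4:]) {
		return fmt.Errorf("image hash does not match signed manifest")
	}
	d.InstalledVer = ver // advance only after every check has passed
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor keypair; the device gets only pub
	dev := &Device{VendorPub: pub, InstalledVer: 3}
	image := []byte("constructed firmware image v4") // sample input, not real firmware
	m := buildManifest(4, image)
	fmt.Println("update accepted:", dev.VerifyUpdate(m, ed25519.Sign(priv, m), image) == nil)
}
```

Transport security (TLS to the update server) still matters for confidentiality and availability, but the signed manifest is what stops a compromised server or intercepted connection from pushing modified or downgraded firmware.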
For example, car manufacturers like BMW have promoted compatibility with voice-activated assistants, making it possible to unlock the car without the key.
This could see the security of the car now only as good as that offered by the voice system; if the threshold is too low, what’s to stop someone unlocking your car from outside the house?
As more things interconnect, the attack surface grows, a problem that could be exacerbated by the emergence of LPWAN networks, which could see remote attacks increase.
Today, you need proximity to compromise most devices, but LPWAN will extend the ability to connect wirelessly over distance. Mass attacks then become possible, and we could see users held to ransom over their IoT, perhaps via their smart thermostat, with utility supplies suspended.
Consumer groups and regulators are seeking to limit the impact and apply pressure but are hamstrung by old legislation.
The My Friend Cayla case used a surveillance law dating back to WW2, while the lawsuit against Vizio that saw it fined $2.2 million for tracking users without their permission was based on data protection laws. Similarly, in the UK we’ll be reliant upon the GDPR/Data Protection Bill, due to come into effect in May, which has already been criticised for failing to address IoT and big data concerns.
Compare this to industry-specific regulation currently being drafted in the US. The IoT Cybersecurity Improvement Act 2017 lays down minimum standards and the requirement for security certification, stipulating that support must be supplied for security patching and non-static passwords. Granted, it only applies to government department purchases, but it’s a start.
For such legislation to cross over commercially, consumers will have to be more protective of their privacy. As a generation that’s seen that concept systematically eroded by social media, I don’t see that happening anytime soon. Perhaps we are simply too happy to trade what should be confidential information for convenience.
Ken Munro is an ethical hacker and partner at Pentest Partners. You can follow him on Twitter @thekenmunroshow