This is a member guest blog by Steve Bell from BullGuard – a leading antivirus vendor and founder member of IoTSF.
A lot has been said about the Internet of Things (IoT) and so much has been written that if ink was an ocean, it would have run dry. But there has been very little about consumer perceptions of IoT, which is why we wanted to give it a sounding.
We polled 6,000 UK residents asking them a range of questions, from and how they feel about the security of IoT devices. The results were not surprising in that many have begun to adopt IoT devices at quite a fast pace. However, 66% had ‘high concern’ about the security of their connected devices, and a surprising 72% do not know how to secure their router, a gateway for potential IoT hackers.
Even at this relatively early stage of IoT development, it’s fair to say that IoT has penetrated consumer consciousness as ‘connected devices’ and there’s quite a surge towards using these ‘connected devices.’
IoT, or connected devices as they are more commonly known, have gained a significant foothold. Over 25% of survey respondents said they are planning to buy IoT devices in the next 12 months.
And this is just the beginning. But as everybody in the industry is acutely aware, hopefully including IoT manufacturers, security is a bit of a burning issue, or rather, the lack of security.
Survey respondents are certainly aware of this and we suspect this has been informed by the relentlessly surging tide of malware that swamps the internet. The logic seems to be that if it’s connected to the internet there are going to be vulnerabilities and these could be exploited by hackers to gain access to the home network.
But interestingly IoT concerns ranked higher than anxieties about traditional security vulnerabilities. These high levels of concern may be informed by stories such as the hacker that cracked a web cam and began mouthing profanities at a baby in a cot. This particular story swept the globe and similar stories tend to gain a lot of traction in the press because of the ‘dramatic’ impact and the fact that IoT is a relatively new technology approach.
Barbie makes a scene
Some might even be aware of the Barbie doll exploit, which not only used a weak authentication mechanism that made it possible for attackers to monitor communications the doll sent to servers, but also that the servers were vulnerable to an attack that breaks HTTPS encryption.
Clearly, unless they have some grounding in technology, most people won’t think in terms of ‘Barbie, weak authentication and HTTP encryption attacks.’ They’ll just think ‘Barbie, connected to the internet, can be hacked.’
To counter these concerns we have developed a new BullGuard IoT Scanner, that allows users to check whether their IoT devices are directly accessible from the Internet and as such whether they are also vulnerable to hacking.
It uses data from Shodan.io, to scan for vulnerable smart devices. If accessible devices are found, whether security cameras, baby monitors, Smart TVs or other devices, they are flagged along with details of potential vulnerabilities.
An email report presents results in a straightforward way that anyone can understand. These scan results can help to diagnose problems further, and users can share notification of successful scans with friends and family to encourage them to protect their own smart devices. In short, IoT Scanner provides a sense of security and control, something that is largely missing in today’s world of IoT.
This is important because the survey revealed that IoT vulnerabilities have certainly penetrated consumer consciousness. That said, the reality is that people have largely accepted personal responsibility for protecting their desktop and laptop computers by installing internet security software. And this dynamic is also being extended to ‘connected devices.’
The mother of all hacks
This is borne out by the discovery that 44% of respondents said their antivirus vendor should be responsible for securing IoT devices. The thinking is clearly that if antivirus vendors are largely responsible for developing products that safeguard against myriad internet-delivered threats, this should also extend to connected IoT devices.
It’s an interesting point, and has deeper significance because of the current situation in which IoT device security is being questioned. The fear is, and it’s understandable, that unsecured IoT devices within an enterprise could lead to the mother of all hacks, breaches on a scale we’ve never seen before.
We’re certain this wasn’t in the mind of survey respondents when they answered these questions, but it does illustrate how the issue is certainly at the fore, whether it’s for consumers, businesses or industry.
BullGuard has created a free, downloadable IoT guide for consumers, which contains further information on the Internet of Things security along with help and advice on how to ensure connected devices are not visible to hackers.
Readers might be interested to learn that IoTSF has prioritised the connected consumer domain of IoT for initial work. In particular:
- WG2 – Best practice and guidelines for Connect Consumer products and devices.
- WG3 – Patching constrained devices.
- WG1 – Self-certification for technology suppliers.
You can see our current working groups here.
About the Author
Steve has a background in IT and business journalism and in the past has written extensively for both the UK national and trade press including The Guardian, Independent-on-Sunday, The Times, The Register, MicroScope and Computer Weekly among others. He’s also worked for most of the world’s largest IT companies in a copy and content producing capacity and has a particular focus on IT security. He writes regularly for BullGuard as a security expert and contributes extensively to the BullGuard blog.