In August last year, Mark Barnes, a security researcher at MWR InfoSecurity, revealed that the 2015 and 2016 models of the Amazon Echo smart home digital assistant featured vulnerabilities that could be exploited by hackers to turn them into spying tools.
Barnes explained that hackers could gain remote access to an Amazon Echo device, stream live microphone audio to remote services without alerting users, and steal customer authentication tokens. He added that the vulnerabilities were born out of design flaws, namely exposed debug pads on the base of the device and a faulty hardware configuration setting, and therefore could not be patched using software updates.
Even though Amazon fixed both design flaws before introducing the 2017 model of Amazon Echo, it is a well-known fact that many Internet-connected device manufacturers do not give much priority to the physical security of such devices, even during the development stage, and therefore do not spot certain vulnerabilities that impact the privacy of users.
"Physical attacks should also be incorporated into any security assessments as early as possible to increase assurance of the product and save money on not having to produce new hardware prototypes later in product development," Barnes said.
Consumers least worried about cyber security
Even though the UK government, organisations such as the National Cyber Security Centre, the Information Commissioner's Office as well as security experts frequently ask the public to check security credentials of IoT devices before purchasing them, very few citizens actually treat cyber security as a parameter while making their buying decisions.
A survey of 1,000 UK consumers by Thales eSecurity has revealed that if the price is right, 49 percent of those who did not yet own digital assistants are willing to purchase a digital assistant on Amazon Prime Day, with a majority of them setting their sights on the Amazon Dot.
Of those who are not interested in purchasing an Amazon Dot or Siri, only 20 percent are not doing so due to security concerns. The survey revealed that 68 percent of consumers already use a digital assistant and among these consumers, as many as 57 percent maintain the default settings on their devices and 40 percent do not know how to personalise security settings at all.
“On the whole, digital assistants are still used in a relatively low-risk way. 84% of digital assistants are connected to two or fewer devices, and only 9% of those surveyed said they are aware of use in their workplace,” said John Grimm, senior director of IoT security strategy, Thales eSecurity.
“However, as consumers begin to connect to more devices while still maintaining the default security settings, the risk and vulnerability will only increase. As such, it’s critical that consumers purchasing these devices really understand how they work and ensure that they are getting their desired level of security and privacy by personalising the security settings.”
While it is understandable that consumers have the right to take advantage of juicy deals offered during periods such as Amazon Prime Day to bring the latest gadgets to their homes, they also need to consider the overall impact of such devices on their privacy and security in the long run.
This is because IoT device manufacturers give little thought to security concerns while designing and developing their sleek new products. According to statistics released by digital security firm Gemalto last year, the amount of money that IoT vendors in the UK invest in device security is the second lowest globally, with just 9% of their resources committed towards cyber security.
Considering that next to nothing is being spent on their security, devices sold by such vendors also rank poorly when it comes to encrypting customer data. Gemalto stated that only 52% of all data captured on IoT devices was encrypted in the UK.
IoT devices still at risk
Research by security firm Check Point also revealed that as many as a million organisations around the world were affected by a botnet attack last year that could easily take control of IoT devices such as internet routers and remote cameras. So far, botnet-led malware attacks on IoT devices have affected 49% of healthcare organisations, 82% of manufacturing, 76% of retail and 85% of government-owned or issued IoT tech.
The need to make IoT devices cheaper, more accessible and more user-friendly has forced IoT-device makers to pay less heed to security. "It’s not always going to be a tech guru installing; as this technology becomes more widely available, the average user needs to be able to order, receive, (pre)setup and forget as quickly as possible to make it desirable for the untechnical user to embrace.
"All of these features make the perfect recipe for disaster - one we have seen before, we will see again, and one which, worryingly, we will continue to see until security becomes a minimum standard for any internet-connected device," said Mark James, Security Specialist at ESET.