Researchers Find 23 IoT Device Manufacturers' Lack of Security Disturbing
At the recent DEF CON security conference in Las Vegas, hackers taking part in the IoT Village tested the security of a variety of Internet-of-Things devices that are widely available to consumers. They found dozens of vulnerabilities, reinforcing the idea that IoT-device manufacturers need to do a better job securing their products.
In total, hackers found 47 new vulnerabilities affecting 23 individual devices from 21 separate manufacturers. Participants in the IoT Village released their findings to these manufacturers, with the hopes that patches will be issued to resolve the security issues. It’s not clear how many of these manufacturers will heed the warnings, however. In fact, it’s entirely possible that many manufacturers will ignore the research and continue to hastily push out IoT devices in order to meet the market's insatiable demand for them.
What makes these vulnerabilities worrisome is the fact that so many different types of IoT devices were found to be vulnerable. Consider this concerning list:
- Door locks and padlocks from vendors like Quicklock, iBlulock, Plantraco, Ceomate. Elecycle, Vians, Lagute, Okidokeys, Danalock.
- A wheelchair from an unknown vendor.
- A thermostat from Trane.
- A solar array management device from Tigro Energy.
- A smart lock from a vendor called August.
- The Belkin F9K1122 wireless range extender.
- The ZyXel NBG6716 wireless router.
If you happen to use any of these products, then you’ve got good reason to contact the manufacturer and ask about what steps they’ve taken to resolve the known security risk. The best case scenario you can hope for is that they’ve resolved the issue (or issues) and provide a patch. Conversely, if the manufacturer plays dumb, then you know they’re not being truthful, and you should consider switching to a more secure product.
Overall, even if you don’t use any of the products listed above, the findings of the IoT Village serves as a cautionary tale for anybody looking to implement IoT technology in the near future. Unfortunately, vulnerabilities found in IoT devices are a result of the high demand for these products. As mentioned above, manufacturers have been known to rush devices to market without fully testing the product’s security capabilities, putting consumers at risk. CIO explains it like this, “Even though there have been some efforts to draft security guides and standards for IoT vendors, the rush to bring new ‘smart’ devices to market will unfortunately mean that many of them will have critical flaws.”
As far as how critical a security flaw can be for an IoT device, it really depends on the device itself and the intent of the hacker. For example, a hacker with access to a thermostat can cause a heating system to fail, leading to pipe bursts. Additionally, a researcher from IoT Village went on record to say, "If you bought a used ASL-01 lock, any previous owner or guest of a previous owner could gain access to your home. If you bought a used lock on eBay said previous owner knows where you live."
Also, looking beyond the obvious threat of a hacker taking direct control of an unsecure device and manipulating its functionality, there’s the threat that virtually any Internet-connected device can be hacked, injected with malware, and be used as part of a botnet.
When it comes to buying and implementing a new IoT device for your business, one thing is for certain: you’re going to want to fully understand its capabilities and the potential risks it poses to your business. Otherwise, you may end up with a big problem that will leave your system vulnerable.