How Internet of Things Companies Can Fix Their Security Mess
Experts point to three steps manufacturers of 'smart' devices can take to protect consumers
They were supposed to be smart. But it turns out that smart devices—the web-connected gadgets that can monitor and control our lights, our locks, our boilers, and even our cars—have a lot to learn.
Experts say that many connected devices, which make up the growing Internet of Things, or IoT, are putting consumers' privacy at risk.
Unfortunately, consumers have few tools to judge whether a router, a smart thermostat, or another device they buy was built with security in mind.
“Security is hidden, so it’s really hard to know if a device has good security features,” says Jason Hong, an associate professor of computer science at Carnegie Mellon University who studies the safety of IoT products. “It’s even hard for experts. It takes a lot of time and energy.”
Federal legislators are starting to look into the problem. In October, Sen. Mark Warner (D-Va.) sent a letter to federal agencies demanding “meaningful action” to combat the threats posed by IoT devices, and in November security experts told congressional hearings that regulation was needed.
But there's no need for Internet of Things companies to wait. Researchers surveyed by Consumer Reports say that companies can do more to make their products secure. In particular, they say, the three steps outlined below should be near the top of the to-do list for any IoT manufacturer.
“Many people think that cybersecurity involves a lot of sophisticated hackers and intricate defenses,” Hong says, “but a great deal of cybersecurity is rather basic.”
Avoid Default Passwords
Many smart devices are set with default passwords in the factory. And, often, it's up to users to switch to a unique, personal password once they get the product home.
But many of us don’t, even if we know better—a 2014 survey found that 30 percent of IT professionals stick with default passwords on devices in their homes.
If a consumer doesn't change such passwords, they present a major security hole. That's because it's easy for hackers to find the default passwords for many devices, including routers. (The Mirai botnet, which used security cams and their digital recorders to bring down dozens of popular websites in October 2016, hijacked devices that were still using default passwords.)
Some IoT device makers have tried to address the problem by setting up each unit they sell with its own unique password. So if two consumers both buy product "X," they'll have two separate passwords.
However, security researchers say that it's only a partial solution. Many of these unique passwords are based on algorithms that can be cracked by experts, in some cases in just a couple of hours.
Other devices have passwords that are indeed unique but hardly secure: Earlier this year, researchers found that a TP-Link router’s password looked secure at first glance but was simply the device’s media access control (MAC) number, an identifier the device broadcasts to anyone who asks for it.
But there is a simple solution: Require users to come up with strong, unique passwords, as though they were setting up an online banking or social media account.
“Every time you go to use the product, have the thing warn you that the password is still default," says Deral Heiland, an IoT specialist at Rapid7, an internet-security company. "If it’s constantly harassing you, you’re eventually going to change it.”
Another option: Simply don't let the user proceed with the setup process without creating a password. According to Heiland, several major Internet of Things companies that sell routers and other IoT devices for use in office buildings and other commercial spaces now force administrators to change default passwords. But this is still a rare feature in consumer IoT products.
If the information generated by smart devices—your whereabouts, images from inside your house, information about your health—isn’t encrypted, it could be intercepted by hackers and read. Encryption is widely used to protect important data, whether it's a bank's financial records or the contents of an iPhone. But it's often not employed on devices sold for use in the home.
“There’s an assumption made by a lot of manufacturers that the home network is somehow securely private. It’s not, and it leads to a trust relationship that isn’t earned,” says Kevin Holbrook, a principal partner with Momenta Partners, an IoT consulting and venture capital firm.
Internet of Things companies should also use encryption to ensure that any new software downloaded to a device is a legitimate update, and not a piece of malware.
“Updates should be digitally signed to ensure that firmware isn’t being tampered with,” says Craig Young, principal security researcher with the Vulnerabilities and Exposures team at Tripwire, an IT and security company.
“Encrypting passwords is also a good measure,” he says, “both on the device itself as well as when the password data is in transit” to a manufacturer's computer system.
In short: Experts say that the Internet of Things companies making and selling connected devices to consumers should encrypt everything.
As a positive example, Holbrook points to Nest smart-home cameras and thermostats, which he calls particularly “locked down.” The Nest cam uses a strong encryption algorithm called AES-256.
“We set encryption on by default, so users can’t make the mistake of forgetting to turn it on,” says Mehul Nariyawala, product manager for the device. “Basically, we are looking for any way that a user can make a mistake—like a router default password that hasn’t been changed—and then we try to design around those mistakes so that the camera isn’t vulnerable just because the user did not properly secure another device on the network.”
Holbrook and others say that's the approach other IoT companies should take—making products secure by design, rather than relying on consumers to pore through manuals and tweak the settings themselves.
Plan for Updates
Software has never been perfectly secure. Consider Microsoft or Apple, which send out patches to their computer operating systems month in and month out to fix newly discovered vulnerabilities.
Consumers should expect IoT software to get updates, too—but often smart devices are left stranded.
“One of the problems we’re seeing is new startups that just want to put their product together, make their money, and then they go away,” Heiland says. When Rapid7 evaluated nine babycams last year, it uncovered easy exploits such as hidden default passwords and a lack of encryption in nearly every device, leading to eight “F” grades and one “D.”
But after being contacted by the company, only one vendor, Philips, responded with a timeline for security patches to fix or mitigate the vulnerabilities. Others did not initially get back to the company. Rapid7 says it wasn't even able to locate one of the cam manufacturers, Lens Laboratories—and neither was Consumer Reports when we tried.
Experts say that Internet of Things companies should plan to support any product with security updates for at least 18 months to two years. And that's the bare minimum, considering that a consumer might use the same router or smart thermostat for years.
Ideally, security patches happen automatically so that users don't have to go hunting for any updates online, or take on a challenging installation process.
“IoT companies can proactively take steps to deploy better update mechanisms, which is a critical step to improving security,” says Ted Harrington of Independent Security Evaluators and an organizer of IoT Village, a series of workshops and hacking events at the annual DEF CON security conference. “One example is Tesla, which has built a mechanism into their products that enables easy updates.”
Like improvements to passwords and encryption, it's hard to argue against Internet of Things companies taking responsibility for security updates. Because when you buy an everyday product, it's reasonable to assume that it has been designed to protect your security.
Passwords & Firmware 101
Online privacy and security are huge issues facing a lot of people today. On the "Consumer 101" TV show, Consumer Reports expert Maria Rerecich explains why it's not just phones and computers that people should be concerned about.