Author: Al Hanson
Electronics are progressively integrating into our lives. These consumer devices that make our lives more streamlined and efficient are known as Internet of Things or IoT devices. IoT devices typically have sensors and computing ability that enable device-to-device connectivity. Devices such as refrigerators, cars, and wearable health monitors are becoming smarter and more connected, which contributes to the reasons they are permeating our society. Household appliances can connect with a user’s phone or car via the internet, providing seamless engagement. Smart watches monitor fitness and health data that can be shared via Bluetooth. Many IoT devices may have Siri or Alexa activated out of the box. While these features provide efficiency and convenience, they also access functions of the device that can collect data on their surroundings. These devices’ ability to gather data via cameras, microphones, and sensors introduces significant cybersecurity considerations.
Consumers Must Take More Responsibility for The Cybersecurity of Their Devices
Our lives are already packed with enough to worry about. People do not look forward to maintaining a higher level of cybersecurity awareness in their day-to-day lives; this is especially true when the tradeoff is convenience. Security interferes with processes otherwise defined by simplicity, such as logging into your mobile home security app. User frustration often grows alongside the complexity of security requirements. If solutions are not simple, users struggle to implement them.
So why is it that these devices come without an adequate level of cybersecurity? Why must we take additional precautions when operating our own appliances? IoT devices' limited compute resources inhibit their ability to run software capable of fully integrating robust security features. Additionally, devices may lack the memory capacity necessary to run basic security applications.
While some effects of breaches can be minimal to the users, there are a few repercussions that can prove to be much more dangerous. Prioritizing data security is critical to preventing cybercriminal attacks. Data theft is a serious concern when we discuss IoT cybersecurity, as personal data can be used to impersonate your identity, extort you out of money, and access your bank accounts. It is common to operate under the impression that the probability of being hacked is low - which it is - however, the consequences can be debilitating, both financially and personally. For the remainder of this blog, we will review some measures to ensure that your device and data are as safe and secure as possible.
Dangers of Cybercrime
When sensitive information is stolen, it is sometimes marketed and sold in online marketplaces on the dark web. Purchasers of that information may look to use it to commit identity theft or for other illegal means. IoT devices are exposed to many of the same digital dangers as traditional digital devices; however, they often present a larger and more vulnerable attack surface. If a cybercriminal accesses an IoT device, they may be able to take control of its functions and carry out operations through that device, executing commands with detrimental implications. Concerns over car hacks with the capacity to harm occupants are growing. The possibility of cars being hacked and commandeered to harm the occupants is disconcerting, but as cars become more connected to technology around them, the probability of this increases. Imagine the damage that could be inflicted if a car’s brakes were remotely disabled on a crowded freeway or in a school zone. Hackers could access the microphone on an Alexa or any other device of that sort that has a microphone. In 2016, Johnson & Johnson warned that “a certain brand of insulin pump could, in theory, be hacked by someone and deliver extra doses of insulin…”; although the possibility is “extremely low”, it is disconcerting that such a large company confirms the feasibility of attacks like this. More recently, in 2018, Wired reported on A New Pacemaker Hack [that] Puts Malware Directly on the Device. I am reminded of a scene in Mr. Robot, when Darlene was able to hack Susan Jacob’s smart home and fluctuate the temperature and other settings in her house, eventually forcing Susan to flee to a hotel, then allowing Fsociety to enter, and use her home as a makeshift base-of-operations.
Any device you use is vulnerable to adversary targeting. Before using and trusting any device, it is critical to consider the implications of poor cybersecurity implementation. What data are you willing to share? And if in the wrong hands, what could a bad actor do with it?
Government Efforts to Improve IoT Cybersecurity
Despite the current state of IoT cybersecurity, there are efforts underway to protect users. The Cyber Resilience Act, an EU Bill, has proposed a cybersecurity framework to include IoT requirements. It focuses on facilitating compliance mechanisms for hardware and software producers.
The European Union’s Cyber Resilience Act aims to give consumers peace of mind when purchasing IoT devices, by building frameworks based on two fundamental device problems: insufficient software updates and the absence of device security standards. Many IoT products’ software is not maintained after consumers buy them; developers usually do not push out software updates that would maintain sufficient device cybersecurity. The second problem identified by E.U. policymakers is that consumers have no criterion to assess a device’s cybersecurity. In response, lawmakers codified a set of rules for companies manufacturing products with digital components. The E.U.’s Cyber Resilience Act created a framework for cybersecurity requirements that developers must meet. It established a “duty of care” requirement for the entire life of the product.
The E.U.’s solution is slightly different from the regulatory approach the United States takes to IoT cybersecurity. The White House recently announced its intent to create a labeling program for IoT devices that will establish mandatory labels for devices based on their level of cybersecurity. This will ensure consumers are aware of the products that have sufficient levels of cybersecurity before purchasing. The label will be similar to the “Energy Star” program label that displays the energy efficiency of appliances to consumers on a sticker posted on qualifying devices. The Administration is collaborating with the E.U. to develop corresponding standards so that cybersecurity products can be sold globally. The White House’s goal is to roll this program out in the Spring of 2023 and to empower consumers to make decisions with cybersecurity in mind.
How to protect yourself
Overall, the most substantial difference you can make in the cybersecurity of your devices is to ensure that you are enabling all available security features. As technology continues to evolve, consumers will have no choice but to take more responsibility for their personal security posture. IoT devices are some of the most common vulnerable points for consumers and thus, some of the most critical to implement security controls on. The following are simple but effective actions users can take to protect themselves and their information.
First and foremost, ensure your devices have passwords enabled, and that those passwords are unique and difficult to guess or infer. A password should be no less than 8 characters long and contain at least one capital letter, one number, and one special symbol. Users can drastically improve their cybersecurity by making themselves harder targets for cybercriminals; strong passwords are the easiest way to do that.
Enabling 2-factor authentication or multi-factor authentication is another highly effective step for protecting user accounts and devices. Multi-factor authentication adds an extra barrier for hackers to penetrate if they want to gain access to your device or account. This makes you a harder target and deters malign action from cybercriminals.
Promptly updating your device is part of proper cybersecurity hygiene and should be a consistent practice, especially if you own IoT devices. Some developers and producers of consumer tech devices regularly push out software updates to address security flaws. Updating your device ensures that you are operating with the highest level of cybersecurity.
Deactivating “Hey Siri” or “Ok Google” will prevent your device from inadvertently accessing the microphone while you are talking. To deactivate “Hey Siri,” go into the settings and look under Siri & Search to turn off Siri; on Android, look under voice in the device’s settings.
About the Author: Al Hanson is an Analyst on the security intelligence team at Krebs Stamos Group where he covers technology policy and trust and safety issues. Al is also the U.S. economy delegate to the 2023 G7 youth summit and a fellow at Al Fursail, an online platform providing resources on contemporary and historical topics pertaining to the Middle East and North Africa region.