The Internet of Things was not built with security in mind — a fact previously discussed on this blog and in the 2015 Internet of Things report. Now, thanks to IoT search engine Shodan, security professionals and curious bystanders alike can see how insecure these devices really are.
In an Ars Technica UK story earlier this week, security researcher Dan Tentler talked about Shodan’s latest search category, which allows paid users to rifle through vulnerable webcam feeds. “It’s all over the place,” he said, “practically everything you can think of.” According to the article, the cameras use the Real Time Streaming Protocol (RTSP), which allows them to share video, but many have no password authentication in place.
The reporters covering the story found feeds containing private (or so they thought) images from people’s lives — everything from kitchens to classrooms, and even babies sleeping in their cribs.
Tentler insinuated that the lack of security in IoT devices, most notably webcams, is due to the fact that manufacturers are in a “race to the bottom.”
“The consumers are saying ‘we’re not supposed to know anything about this stuff [cybersecurity],’” he said in the article. “The vendors don’t want to lift a finger to help users because it costs them money.”
The lack of consumer interest in securing the Internet of Things is a vulnerability that companies are ignoring every day, and as technology advances, the chances of closing that knowledge gap grow smaller. Another problem stemming from this lack of interest is the failure to acknowledge the pervasiveness of IoT in our lives. IoT doesn’t stop at webcams; it includes fitness devices, appliances, doorbells, toys, and even medical devices like pacemakers, O2 concentrators, and respirators.
However, despite the general public’s lack of concern, there may be legislation on the way to right the security ship of IoT. Maneesha Mithal, associate director of the FTC’s division of privacy and identity protection, said in the Ars piece that “in recent years the FTC has prosecuted more than 50 cases against companies that did not reasonably secure their networks, products, or services.” The FTC has also published a best practices guide for IoT manufacturers, and is currently pushing for new laws that will punish companies with civil penalties for insufficient security.
In addition, the recently formed Cyber Independent Testing Laboratory, led by former hacker Peiter “Mudge” Zatko, has committed to producing “Consumer Security Reports.” From Zatko: “Our intention is to provide [consumers] with the information and tools they need, in a non-partisan fashion, and without profit incentives getting in the way of providing unbiased and quantified ratings of the software and systems they are purchasing.”
It remains to be seen whether these new initiatives will have an impact on securing the Internet of Things, but consumers can stay ahead of the curve by making informed purchasing decisions, and putting existing security controls to work, like setting passwords on their devices.