Mobile Users Blissfully Unaware of IoT Dangers

Written by

Today, more than half of Americans use at least one mobile app to control an internet-of-things (IoT)-related connected device. Yet, security misconceptions persist; nearly one in 10 smartphone users say there isn’t a single thing a hacker could take from their phone that would upset them.

Research from Norton by Symantec has found that these consumers may be thinking about their texts, voice messages, pictures and videos, but maybe not so much their mobile app-controlled home security cameras and appliances.

“They see it as a device they talk to friends with and check on social media,” explained researcher Kevin Haley, in a breakdown of the findings. “They use it to easily manage their money. They don’t think anything bad could happen on a smartphone….Getting hacked is not something consumers worry about with the devices they use to monitor their children or to lock their front doors.”

For the 90% that do think about mobile security, globally, many consumers are uncertain about the security of financial apps (56 percent); and they can be wary about apps controlling home-entry systems (44 percent). In the US, many consumers would be upset if their financial information were compromised (54 percent), but connected-home security is lower on the totem pole of worry (6 percent). In fact, in the US, 39 percent of consumers say they would feel secure using a home entry app that allows them to open the door remotely for friends and family.

But what’s striking about this is that that means that nearly half aren’t worried about their banking information being hacked, and the vast majority (94%) are blithely unconcerned about their physical home security being compromised.

“We have seen an endless array of IoT devices present severe security weaknesses,” Haley said. “Most of the research into attacks on IoT devices has focused on attacking the device directly, but there is another way these devices are at risk: many IoT devices are controlled by mobile apps. Control someone’s phone and you can control their IoT devices. The risk to consumers moves from online and into their home—it’s personal.”

And the threat surface is expanding. In fact, the research found that 60 percent of US respondents use mobile apps to manage both connected devices and their personal finances. A quarter (26 percent) control their home entertainment components with a mobile phone, and 16 percent have connected home devices such as security cameras, alarms, home entry systems, baby monitors, light bulbs, light switches and appliances.

The bad guys know this and are going after the opportunity. In January 2016, Norton scanned the approximately 25 million Android apps in its database, and found identified more than 9 million malicious apps and found more than 16 million apps with potential privacy or intrusive behaviors. These apps can send sensitive information from your phone, including your account and device details, browser history, location and call logs from the device without encryption. The intrusive behaviors include adding browser favorites, putting up big banner ads, or changing desktop images or ringtones. Also, a full 40 percent of the 94 app stores scanned exhibited malicious behavior.

“The point is not to panic, nor is it to stop using these devices,” Haley said. “Mobile apps and IoT devices aren’t going away. We want the people who are not concerned about hacking to understand the risk.”

Norton recommends that consumers protect themselves by:

  1. Using a reputable mobile security app that scans apps and identifies potential vulnerabilities before downloading.
  2. Being aware of IoT devices rushed to market. They could have unaddressed security vulnerabilities.
  3. Keeping in mind that third-party app stores may not put apps through as much rigor as the official apps stores such as the Google Play Store or Apple’s App Store.
  4. Watching out for apps that ask you to disable settings that protect you from installing unsecure apps.
  5. Making sure you install the latest updates on your IoT device, whether automatically or when sent from the manufacturer.

What’s hot on Infosecurity Magazine?