Is Your Kettle Spying on You? The Reality of IoT Device Security

From internet-enabled home appliances to wearables like smart watches, connected devices are becoming ubiquitous in our daily lives. While the usefulness of a kettle connected to your home internet system is debatable, there’s little doubt that the technology within these devices is getting smarter. The question we should be asking though, is to what degree do these devices present a security risk?  

The Cost of Insecurity

Threat actors will always find clever ways to take advantage of new technologies and exploit overlooked vulnerabilities, and this isn’t helped when 50% of devices shipped in 2020 were known to have security vulnerabilities. The inadequate level of security in consumer IoT products on the market has led to hackers accessing networks via baby monitors, infiltrating webcams, and even taking complete control of smart cars.

The supply chain plays an indispensable role in enabling the security of IoT devices throughout their lifecycle, from manufacturing all the way to distribution. However, with so much fragmentation, the big question is, who is responsible? Truthfully, everyone must hold up their end of the bargain by prioritizing security at each link in the supply chain. To ensure this happens, we need regulation across the supply chain to hold organizations accountable, otherwise we risk leaving gaping holes for criminals to exploit when people don’t play their part.

One notorious example of a supply chain attack occurred when a compromised IT infrastructure company, SolarWinds, shared an infected software update with its customers. Russian cyber-criminals were then able to access private company files via a backdoor in the update, risking the security of thousands of organizations, including government agencies and blue chip companies like Microsoft and Intel.

As data is exchanged between each link in the supply chain, particularly during device programming and testing, there exists an opportunity for bad actors to intercept and manipulate device functionality or inject malware. On top of this, there is a significant disconnect between hardware security and software security. There are various hardware security options out there, but it’s a huge task for companies to take advantage of them and it can take a month to get up and running.

With quantum technology on the way, malicious actors will be able to increase the effectiveness of these attacks with significantly more powerful computers at their disposal. However, businesses can mitigate the quantum threat by adopting post-quantum cryptography security solutions, where the cryptographic algorithms are chosen to withstand this emerging technology and so stay ahead of the attackers.

Importance of Collaboration for IoT Device Security

The implications of quantum technology are immense. As such, regulatory bodies play a pivotal role in setting standards and regulations for IoT security because they act as the glue between manufacturers and consumers, encouraging them to work together. For example, NIST has been working on a post-quantum cryptography standardization process to address the threat since 2016.

However, it can be difficult to get everyone to sing from the same hymn sheet. Manufacturers aim for profitability, while consumers prioritize convenience, and regulators just want everyone to follow the rule book. Balancing these interests can be challenging and when this balance is off, it can lead to vulnerabilities which attackers can, and will, exploit for their own ends.

That is why it is so important that organizations pay greater attention to IoT security. In many cases, heads are buried in the sand, assuming someone else along the supply chain will fix the problem. With a good grasp of legislation and standards, it’s easier for organizations to evaluate the available technologies for improving IoT security and having certified guidelines in place will encourage companies to adhere to a recognized standard of security.

Security-by-Design

Malicious intent commonly takes advantage of poor design, but even unintentional leakage of data due to ineffective security controls can entail dire consequences for consumers and vendors. As such, it is vital that IoT devices and services have security designed in from the outset. We must embrace a philosophy of security-by-design, rather than trying to bolt it on as an afterthought.

This approach to developing IoT devices prioritizes security from the very inception of the product's design and development. It embodies a proactive mindset, where security considerations are an integral part of every stage of the device's lifecycle, from conceptualization to deployment.

Think of this like layers of an onion: the chip, the software, and the device. To achieve security, the chip needs to be certified, the way that the software uses the chip must be certified, and the device maker must implement these two layers in a way that doesn’t break the overall security model. As technology continues to advance and cybercriminals leverage this to expand their tactics, ensuring the maximum level of security at each point in the IoT lifecycle is the only way to effectively mitigate the risk of a breach.

The threat of a connected kettle might appear minimal but as we know it only takes one weak entry point for a breach to occur. With the possibility of quantum cyber-attacks on the horizon, malicious actors will already be preparing to take advantage. It’s more important than ever before that organizations get clued up and take control of their networks by embracing quantum-proof security measures now, if we want to stay ahead in the race against criminals.
