Your Life Is the Attack Surface: The Risks of IoT

To protect yourself, you must know where you're vulnerable — and these tips can help.

Jason Haddix, Vice President of Researcher Growth at Bugcrowd

January 8, 2019

5 Min Read

Today, there are more connected devices than humans. The unprecedented growth of connected devices has created innumerable new threats for organizations, manufacturers, and consumers, while at the same time creating opportunities for hackers. The world has seen the risks of this firsthand: Internet of Things (IoT) devices now constitute the largest-scale botnets, able to take down major websites like Twitter, GitHub, and the PlayStation Network. The many ways a hacker could access this data is apparent and quite disconcerting. The first step to protecting yourself is knowing where you're vulnerable.

Connected Devices as the Fastest-Growing Attack Surface
A growing number of households now have an IoT hub — be it Echo or Google Home — a device that takes the place of or attaches to your wireless router and has permissions to do things on your behalf. One of the most immediate security concerns comes with this permission. If your device is set up to purchase things on your behalf, there is nothing to stop someone else within the microphone's listening range, even on your TV or radio, from commanding "Alexa" to buy something for you.

This issue extends to other personal devices as well. For home security cameras, it might be backing up or storing video images. For health tracking devices, it's personal health data such as heart rate, pulse, diet, etc. An Internet-connected stuffed animal was recently found to have exposed more than 2 million voice recordings of children and parents, as well as e-mail addresses and password data for more than 800,000 accounts. In other words, this seemingly innocuous data is highly personal on the individual level and therefore a great risk to individual security.

The Role of Policy and Defenders
Thus far, IoT has gone unregulated and largely unsecured, and given the rapid growth of IoT devices it's no surprise that these devices represent a major and growing threat — and a major opportunity for adversaries. The sheer number and types of the devices being networked and connected to cloud interfaces and on-the-Internet APIs is one the greatest challenges in security today. Each device has its own set of technologies, and thus its own set of security vulnerabilities. Additionally, some of these industries have never dealt with Internet-facing devices before, and their development staff is just not trained in the ways of web application security. High pressure, low awareness, and the absence of a governing body to police the market has resulted in an increase in attacks on these devices. That's why it's becoming imperative to implement global security standards.

Before the industry really starts inking policy, however, we'll continue to rely on hackers to identify vulnerabilities and ultimately improve the way the industry addresses potential risks. This group will be essential for improving the security maturity of the market and ensuring the implementation of security controls for IoT devices, such as toys, thermostats, and even smart cars, which provides a fascinating breeding ground for best practices.

How to Prevent Cyberattacks
There is a lot of work to do for manufacturers, policymakers, researchers, legislators, and companies that are releasing IoT devices, identifying risks, and creating regulations. And unfortunately, IoT extends far beyond household gadgets. From your car to your pacemaker and your Fitbit, any device that connects to the Internet is a potential attack surface.

While the broader security industry addresses these issues, how can you personally prevent cyberattacks in your own digital life?

  • Research your device before purchase: For any device you're considering buying that's connected to the Internet, determine whether the vendor is paying attention to security. Does it have security notes online? Has it had any security research directed at it before, and if so, has it responded well to that research? Use the answers to make a decision about which device to purchase. Amazon reviews and Better Business Bureau reports can be great indicators here.

  • Use strong Wi-Fi encryption: Securing your Wi-Fi at home goes beyond plugging it in and setting a password. The choices for encryption standards typically can be found on vendors' websites, so if you're unsure, it's a good idea to do some due diligence before choosing one. Implementing the most advanced encryption that your router can support (usually called WPA) is the difference between offering someone easy access to your home network and being secure.

  • Check the device for additional security configurations: While updating the device regularly will help avoid unnecessary breaches, it's also a good idea to ensure additional security configurations are in place if available. To find these, log in to the control panel of the device. In the settings section, there will often be additional controls. They can be cumbersome to set up but useful to keep you secure.

  • Disable features not being used: These features will vary by device, but an example would be your laptop's webcam, which could be a threat if it's not disabled or obscured, especially in light of numerous well-documented attacks. Being aware of all enabled features is a great way as a consumer to protect yourself against IoT hacks and malicious actors accessing your personal devices on your network or other places you use devices.

The Future of IoT Security
From the takedown of Dyn to the distributed denial-of-service attack on Brian Krebs' website, the industry has learned some major lessons around IoT security in the past few years. This is causing standards to be created that will help reduce risks. However, change takes time. IoT security is in the standards phase right now, which means that legislators haven't yet prescribed specific policies around what security devices need to have in place for manufacturers to ship them. Given this, consumers must take personal action and be aware of the risks.

Related Content:


About the Author(s)

Jason Haddix

Vice President of Researcher Growth at Bugcrowd

Jason is the head of trust and security at Bugcrowd. Jason works with clients and security researchers to create high value, sustainable, and impactful bug bounty programs. He also works with Bugcrowd to improve the security industry's relations with researchers. Jason's interests and areas of expertise include mobile penetration testing, black box Web application auditing, network/infrastructural security assessments, and static analysis. Before joining Bugcrowd, Jason was the director of penetration testing for HP Fortify, and also held the #1 rank on the Bugcrowd leaderboard for 2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights