When Craig Williams' refrigerator broke, he was surprised by how common "smart" technology had become: The majority of appliances he found were Wi-Fi enabled with computers built in.
Typically, appliances are designed to last 10- to 15 years, but Williams — a director of security outreach at technology giant Cisco — did not want a device with a built-in computer, which tends to reach obsolescence much more quickly. In addition, he worried about security: Appliance manufacturers are typically not focused on updating their software nor adequately securing their systems.
For the average consumer, there are just too many unknowns with Internet-connected devices in the home, he says.
"For consumers, you have this computer sitting in your kitchen, you don't know what technology it is running," he says. "You don't know what version of Linux it is running. It's running an OS version you don't know about, with libraries that you don't know about, and at a patch level you don't know about."
The digital lives of workers and consumers are increasingly complex and companies more often than not have failed to step up with security solutions. Security firms continue to push consumers to secure the devices they use and the data they put out in the world, but consumers do not always have good options to protect themselves.
The data breach of Capital One put 106 million customers' and applicants’ financial information, including self-reported income, credit scores, and payment histories, at risk. Meanwhile, vulnerabilities in Internet of Things (IoT) devices, from Nest cameras to home routers, continue to proliferate, leaving devices and homes open to attack. And social engineering attacks against workers and consumers continue to be perniciously effective.
For security, "[p]eople’s active participation is a necessity," says Travis Witteveen, CEO of security firm Avira, adding that most people just need to follow some "simple Internet rules that have more to do with common sense than with technical knowledge."
Take updating software, for example.
Cisco found eight significant vulnerabilities in the IoT devices from Google's Nest Labs. A popular camera for tech-enabled homes, the Nest Cam IQ, uses a Nest-created technology called Weave. Cisco researchers discovered a smattering of programming errors in the IoT protocol, a pair of which could allow attackers to remotely execute code on the devices, the researchers stated in an alert published last week.
Consumers are at low risk from these issues: Google, which owns Nest Labs, quickly patched the issues and an update is already available. More importantly, Nest devices automatically update, downloading and applying the latest security patches.
Yet, while Nest devices are set to auto-update by default, other IoT devices, especially older hardware, are often not set to apply security patches. In addition, the manufacturers of the devices often do not respond quickly to issues found by security researchers.
This puts the burden of security on the consumer. While the vendor, in many cases, is adding computational capabilities to devices to gather data on the consumer, the consumer is paying the security cost. In its latest privacy report, Avira found more than 10 devices connected to the average home wireless network in the US, a large digital surface area that needs to be secured. Using network scanners that can detect vulnerable devices is now necessary, the company says.
This applies to data as well. The number of ways that attackers can monetize the information, and even combine the information for more effective attacks, had dramatically increased, says Avira's Witteveen.
Breaches have become more common, and because consumers have dozens of accounts, almost everyone has had at least one set of account credentials compromised, he notes. In addition, phishing attacks through e-mail have become increasingly sophisticated, with language and scenarios that are seemingly legitimate and often incorporating the data from breaches to make them more convincing.
"A phishing attack specifically crafted for a certain user, factoring in his interests, browsing behavior and personal data — such as name and marital status — has a much higher chance to succeed in getting the user to give away their credentials or download and execute malicious components," Witteveen says. "We expect attackers to already do profiling in order to find groups of people that are especially gullible for phishing attacks."
Vendors Must Step Up
Admonishing consumers to set their devices to auto-update only works if the devices have a complete set of security features and the vendor quickly patches. A decade ago, the makers of a smartphone based on Android would fail to patch quickly because updating the device's software required a complex process of creating a patch, getting approval from the device maker for the software change, and then submitting the patch to the mobile carrier. Smartphones more than two years old would often never see new updates. But that is not the case anymore, as most Android phones provide automatic software updates.
Consumers need to make security part of their buying decisions, experts say.
"When you pay a premium, you get that security that the device will be supported," said Cisco's Williams. "Consumers have not recognized that premium for security until the last couple of years. There was a time when a consumer would buy the cheapest device available, but now they are buying more expensive devices for the security and support."
- Capital One Breach: What Security Teams Can Do Now
- Mirai-Like Botnet Wages Massive Application-Layer DDoS Attack
- You Gotta Reach 'Em to Teach 'Em
- How Hackers Emptied Church Coffers with a Simple Phishing Scam
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'Culture Eats Policy for Breakfast': Rethinking Security Awareness Training."