Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
8/27/2019
09:10 AM
50%
50%

Consumers Urged to Secure Their Digital Lives

Security options for consumers improve as Internet of Things devices invade homes and data on consumers proliferates online.

When Craig Williams' refrigerator broke, he was surprised by how common "smart" technology had become: The majority of appliances he found were Wi-Fi enabled with computers built in.

Typically, appliances are designed to last 10- to 15 years, but Williams — a director of security outreach at technology giant Cisco — did not want a device with a built-in computer, which tends to reach obsolescence much more quickly. In addition, he worried about security: Appliance manufacturers are typically not focused on updating their software nor adequately securing their systems.

For the average consumer, there are just too many unknowns with Internet-connected devices in the home, he says.

"For consumers, you have this computer sitting in your kitchen, you don't know what technology it is running," he says. "You don't know what version of Linux it is running. It's running an OS version you don't know about, with libraries that you don't know about, and at a patch level you don't know about."

The digital lives of workers and consumers are increasingly complex and companies more often than not have failed to step up with security solutions. Security firms continue to push consumers to secure the devices they use and the data they put out in the world, but consumers do not always have good options to protect themselves.

The data breach of Capital One put 106 million customers' and applicants’ financial information, including self-reported income, credit scores, and payment histories, at risk. Meanwhile, vulnerabilities in Internet of Things (IoT) devices, from Nest cameras to home routers, continue to proliferate, leaving devices and homes open to attack. And social engineering attacks against workers and consumers continue to be perniciously effective. 

For security, "[p]eople’s active participation is a necessity," says Travis Witteveen, CEO of security firm Avira, adding that most people just need to follow some "simple Internet rules that have more to do with common sense than with technical knowledge."

Take updating software, for example. 

Cisco found eight significant vulnerabilities in the IoT devices from Google's Nest Labs. A popular camera for tech-enabled homes, the Nest Cam IQ, uses a Nest-created technology called Weave. Cisco researchers discovered a smattering of programming errors in the IoT protocol, a pair of which could allow attackers to remotely execute code on the devices, the researchers stated in an alert published last week.

Consumers are at low risk from these issues: Google, which owns Nest Labs, quickly patched the issues and an update is already available. More importantly, Nest devices automatically update, downloading and applying the latest security patches. 

Yet, while Nest devices are set to auto-update by default, other IoT devices, especially older hardware, are often not set to apply security patches. In addition, the manufacturers of the devices often do not respond quickly to issues found by security researchers.

This puts the burden of security on the consumer. While the vendor, in many cases, is adding computational capabilities to devices to gather data on the consumer, the consumer is paying the security cost. In its latest privacy report, Avira found more than 10 devices connected to the average home wireless network in the US, a large digital surface area that needs to be secured. Using network scanners that can detect vulnerable devices is now necessary, the company says.

This applies to data as well. The number of ways that attackers can monetize the information, and even combine the information for more effective attacks, had dramatically increased, says Avira's Witteveen.

Breaches have become more common, and because consumers have dozens of accounts, almost everyone has had at least one set of account credentials compromised, he notes. In addition, phishing attacks through e-mail have become increasingly sophisticated, with language and scenarios that are seemingly legitimate and often incorporating the data from breaches to make them more convincing.

"A phishing attack specifically crafted for a certain user, factoring in his interests, browsing behavior and personal data — such as name and marital status — has a much higher chance to succeed in getting the user to give away their credentials or download and execute malicious components," Witteveen says. "We expect attackers to already do profiling in order to find groups of people that are especially gullible for phishing attacks."

While Avira makes the standard recommendation that consumers use firewalls and up-to-date antivirus to protect their devices from Internet threats, the company also recommends that home users regularly run a vulnerability scanner. Cisco's Williams goes so far as to use a network management platform aimed at small businesses to keep his network up to date.
 
For Internet accounts, online users must make sure they are not reusing passwords across different services to avoid a breach of one service leading to multiple compromises. Both a password manager and turning on two-factor authentication for important accounts are critical steps to securing accounts that are otherwise outside a user's control, Avira's Witteveen says.

Vendors Must Step Up
Admonishing consumers to set their devices to auto-update only works if the devices have a complete set of security features and the vendor quickly patches. A decade ago, the makers of a smartphone based on Android would fail to patch quickly because updating the device's software required a complex process of creating a patch, getting approval from the device maker for the software change, and then submitting the patch to the mobile carrier. Smartphones more than two years old would often never see new updates. But that is not the case anymore, as most Android phones provide automatic software updates.

Consumers need to make security part of their buying decisions, experts say. 

"When you pay a premium, you get that security that the device will be supported," said Cisco's Williams. "Consumers have not recognized that premium for security until the last couple of years. There was a time when a consumer would buy the cheapest device available, but now they are buying more expensive devices for the security and support."

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'Culture Eats Policy for Breakfast': Rethinking Security Awareness Training."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
watsonj040
50%
50%
watsonj040,
User Rank: Apprentice
9/3/2019 | 8:20:52 AM
A very good post
It is indeed a very good write about consumers being tensed about their digital security.
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-6994
PUBLISHED: 2020-04-03
A buffer overflow vulnerability was found in some devices of Hirschmann Automation and Control HiOS and HiSecOS. The vulnerability is due to improper parsing of URL arguments. An attacker could exploit this vulnerability by specially crafting HTTP requests to overflow an internal buffer. The followi...
CVE-2020-8637
PUBLISHED: 2020-04-03
A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter.
CVE-2020-8638
PUBLISHED: 2020-04-03
A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter.
CVE-2020-8639
PUBLISHED: 2020-04-03
An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system com...
CVE-2020-10601
PUBLISHED: 2020-04-03
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module allow weak hashing algorithm and insecure permissions which may allow a local attacker to bypass the password-protected mechanism through brute-force attacks, cracking techniques, or overwriting the password hash.