Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
8/27/2019
09:10 AM
50%
50%

Consumers Urged to Secure Their Digital Lives

Security options for consumers improve as Internet of Things devices invade homes and data on consumers proliferates online.

When Craig Williams' refrigerator broke, he was surprised by how common "smart" technology had become: The majority of appliances he found were Wi-Fi enabled with computers built in.

Typically, appliances are designed to last 10- to 15 years, but Williams — a director of security outreach at technology giant Cisco — did not want a device with a built-in computer, which tends to reach obsolescence much more quickly. In addition, he worried about security: Appliance manufacturers are typically not focused on updating their software nor adequately securing their systems.

For the average consumer, there are just too many unknowns with Internet-connected devices in the home, he says.

"For consumers, you have this computer sitting in your kitchen, you don't know what technology it is running," he says. "You don't know what version of Linux it is running. It's running an OS version you don't know about, with libraries that you don't know about, and at a patch level you don't know about."

The digital lives of workers and consumers are increasingly complex and companis more often than not have failed to step up with security solutions. Security firms continue to push consumers to secure the devices they use and the data they put out in the world, but consumers do not always have good options to protect themselves.

The data breach of Capital One put 106 million customers' and applicants’ financial information, including self-reported income, credit scores, and payment histories, at risk. Meanwhile, vulnerabilities in Internet of Things (IoT devices, from Nest cameras to home routers, continue to proliferate, leaving devices and homes open to attack. And social engineering attacks against workers and consumers continue to be perniciously effective. 

For security, "[p]eople’s active participation is a necessity," says Travis Witteveen, CEO of security firm Avira, adding that most people just need to follow some "simple Internet rules that have more to do with common sense than with technical knowledge."

Take updating software, for example. 

Cisco found eight significant vulnerabilities in the IoT devices from Google's Nest Labs. A popular camera for tech-enabled homes, the Nest Cam IQ, uses a Nest-created technology called Weave. Cisco researchers discovered a smattering of programming errors in the IoT protocol, a pair of which could allow attackers to remotely execute code on the devices, the researchers stated in an alert published last week.

Consumers are at low risk from these issues: Google, which owns Nest Labs, quickly patched the issues and an update is already available. More importantly, Nest devices automatically update, downloading and applying the latest security patches. 

Yet, while Nest devices are set to auto-update by default, other IoT devices, especially older hardware, are often not set to apply security patches. In addition, the manufacturers of the devices often do not respond quickly to issues found by security researchers.

This puts the burden of security on the consumer. While the vendor, in many cases, is adding computational capabilities to devices to gather data on the consumer, the consumer is paying the security cost. In its latest privacy report, Avira found more than 10 devices connected to the average home wireless network in the US, a large digital surface area that needs to be secured. Using network scanners that can detect vulnerable devices is now necessary, the company says.

This applies to data as well. The number of ways that attackers can monetize the information, and even combine the information for more effective attacks, had dramatically increased, says Avira's Witteveen.

Breaches have become more common, and because consumers have dozens of accounts, almost everyone has had at least one set of account credentials compromised, he notes. In addition, phishing attacks through e-mail have become increasingly sophisticated, with language and scenarios that are seemingly legitimate and often incorporating the data from breaches to make them more convincing.

"A phishing attack specifically crafted for a certain user, factoring in his interests, browsing behavior and personal data — such as name and marital status — has a much higher chance to succeed in getting the user to give away their credentials or download and execute malicious components," Witteveen says. "We expect attackers to already do profiling in order to find groups of people that are especially gullible for phishing attacks."

While Avira makes the standard recommendation that consumers use firewalls and up-to-date antivirus to protect their devices from Internet threats, the company also recommends that home users regularly run a vulnerability scanner. Cisco's Williams goes so far as to use a network management platform aimed at small businesses to keep his network up to date.
 
For Internet accounts, online users must make sure they are not reusing passwords across different services to avoid a breach of one service leading to multiple compromises. Both a password manager and turning on two-factor authentication for important accounts are critical steps to securing accounts that are otherwise outside a user's control, Avira's Witteveen says.

Vendors Must Step Up

Admonishing consumers to set their devices to auto-update only works if the devices have a complete set of security features and the vendor quickly patches. A decade ago, the makers of a smartphone based on Android would fail to patch quickly because updating the device's software required a complex process of creating a patch, getting approval from the device maker for the software change, and then submitting the patch to the mobile carrier. Smartphones more than two years old would often never see new updates. But that is not the case anymore, as most Android phones provide automatic software updates.

Consumers need to make security part of their buying decisions, experts say. 

"When you pay a premium, you get that security that the device will be supported," said Cisco's Williams. "Consumers have not recognized that premium for security until the last couple of years. There was a time when a consumer would buy the cheapest device available, but now they are buying more expensive devices for the security and support."

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'Culture Eats Policy for Breakfast': Rethinking Security Awareness Training."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
watsonj040
50%
50%
watsonj040,
User Rank: Apprentice
9/3/2019 | 8:20:52 AM
A very good post
It is indeed a very good write about consumers being tensed about their digital security.
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
7 Ways VPNs Can Turn from Ally to Threat
Curtis Franklin Jr., Senior Editor at Dark Reading,  9/21/2019
Security Pros Value Disclosure ... Sometimes
Dark Reading Staff 9/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I wish they'd put a sock in it.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16691
PUBLISHED: 2019-09-23
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2019-16707
PUBLISHED: 2019-09-23
Hunspell 1.7.0 has an invalid read operation in SuggestMgr::leftcommonsubstring in suggestmgr.cxx.
CVE-2019-16708
PUBLISHED: 2019-09-23
ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage.
CVE-2019-16709
PUBLISHED: 2019-09-23
ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage.
CVE-2019-16710
PUBLISHED: 2019-09-23
ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c.