Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
8/27/2019
09:10 AM
50%
50%

Consumers Urged to Secure Their Digital Lives

Security options for consumers improve as Internet of Things devices invade homes and data on consumers proliferates online.

When Craig Williams' refrigerator broke, he was surprised by how common "smart" technology had become: The majority of appliances he found were Wi-Fi enabled with computers built in.

Typically, appliances are designed to last 10- to 15 years, but Williams — a director of security outreach at technology giant Cisco — did not want a device with a built-in computer, which tends to reach obsolescence much more quickly. In addition, he worried about security: Appliance manufacturers are typically not focused on updating their software nor adequately securing their systems.

For the average consumer, there are just too many unknowns with Internet-connected devices in the home, he says.

"For consumers, you have this computer sitting in your kitchen, you don't know what technology it is running," he says. "You don't know what version of Linux it is running. It's running an OS version you don't know about, with libraries that you don't know about, and at a patch level you don't know about."

The digital lives of workers and consumers are increasingly complex and companies more often than not have failed to step up with security solutions. Security firms continue to push consumers to secure the devices they use and the data they put out in the world, but consumers do not always have good options to protect themselves.

The data breach of Capital One put 106 million customers' and applicants’ financial information, including self-reported income, credit scores, and payment histories, at risk. Meanwhile, vulnerabilities in Internet of Things (IoT) devices, from Nest cameras to home routers, continue to proliferate, leaving devices and homes open to attack. And social engineering attacks against workers and consumers continue to be perniciously effective. 

For security, "[p]eople’s active participation is a necessity," says Travis Witteveen, CEO of security firm Avira, adding that most people just need to follow some "simple Internet rules that have more to do with common sense than with technical knowledge."

Take updating software, for example. 

Cisco found eight significant vulnerabilities in the IoT devices from Google's Nest Labs. A popular camera for tech-enabled homes, the Nest Cam IQ, uses a Nest-created technology called Weave. Cisco researchers discovered a smattering of programming errors in the IoT protocol, a pair of which could allow attackers to remotely execute code on the devices, the researchers stated in an alert published last week.

Consumers are at low risk from these issues: Google, which owns Nest Labs, quickly patched the issues and an update is already available. More importantly, Nest devices automatically update, downloading and applying the latest security patches. 

Yet, while Nest devices are set to auto-update by default, other IoT devices, especially older hardware, are often not set to apply security patches. In addition, the manufacturers of the devices often do not respond quickly to issues found by security researchers.

This puts the burden of security on the consumer. While the vendor, in many cases, is adding computational capabilities to devices to gather data on the consumer, the consumer is paying the security cost. In its latest privacy report, Avira found more than 10 devices connected to the average home wireless network in the US, a large digital surface area that needs to be secured. Using network scanners that can detect vulnerable devices is now necessary, the company says.

This applies to data as well. The number of ways that attackers can monetize the information, and even combine the information for more effective attacks, had dramatically increased, says Avira's Witteveen.

Breaches have become more common, and because consumers have dozens of accounts, almost everyone has had at least one set of account credentials compromised, he notes. In addition, phishing attacks through e-mail have become increasingly sophisticated, with language and scenarios that are seemingly legitimate and often incorporating the data from breaches to make them more convincing.

"A phishing attack specifically crafted for a certain user, factoring in his interests, browsing behavior and personal data — such as name and marital status — has a much higher chance to succeed in getting the user to give away their credentials or download and execute malicious components," Witteveen says. "We expect attackers to already do profiling in order to find groups of people that are especially gullible for phishing attacks."

While Avira makes the standard recommendation that consumers use firewalls and up-to-date antivirus to protect their devices from Internet threats, the company also recommends that home users regularly run a vulnerability scanner. Cisco's Williams goes so far as to use a network management platform aimed at small businesses to keep his network up to date.
 
For Internet accounts, online users must make sure they are not reusing passwords across different services to avoid a breach of one service leading to multiple compromises. Both a password manager and turning on two-factor authentication for important accounts are critical steps to securing accounts that are otherwise outside a user's control, Avira's Witteveen says.

Vendors Must Step Up
Admonishing consumers to set their devices to auto-update only works if the devices have a complete set of security features and the vendor quickly patches. A decade ago, the makers of a smartphone based on Android would fail to patch quickly because updating the device's software required a complex process of creating a patch, getting approval from the device maker for the software change, and then submitting the patch to the mobile carrier. Smartphones more than two years old would often never see new updates. But that is not the case anymore, as most Android phones provide automatic software updates.

Consumers need to make security part of their buying decisions, experts say. 

"When you pay a premium, you get that security that the device will be supported," said Cisco's Williams. "Consumers have not recognized that premium for security until the last couple of years. There was a time when a consumer would buy the cheapest device available, but now they are buying more expensive devices for the security and support."

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'Culture Eats Policy for Breakfast': Rethinking Security Awareness Training."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
watsonj040
50%
50%
watsonj040,
User Rank: Apprentice
9/3/2019 | 8:20:52 AM
A very good post
It is indeed a very good write about consumers being tensed about their digital security.
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Cybersecurity Team Holiday Guide: 2019 Gag Gift Edition
Ericka Chickowski, Contributing Writer,  12/2/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19645
PUBLISHED: 2019-12-09
alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.
CVE-2019-19678
PUBLISHED: 2019-12-09
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the generic field entry point via the Generic Test Definition field of a new Generic Test issue.
CVE-2019-19679
PUBLISHED: 2019-12-09
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the Pre-Condition Summary entry point via the summary field of a Create Pre-Condition action for a new Test Issue.
CVE-2019-19647
PUBLISHED: 2019-12-09
radare2 through 4.0.0 lacks validation of the content variable in the function r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary write. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted input.
CVE-2019-19648
PUBLISHED: 2019-12-09
In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.