Consumer IoT vulnerabilities: When interconnectivity means shared risks

Thanks to an increase in smart devices like appliances, fitness gadgets, and car systems, hackers have a lot more targets to choose from.
    • Author: Quantumrun Foresight
    • July 5, 2023

    Insight highlights

    While the Internet of Things (IoT) industry continues to innovate, it is grappling with notable cybersecurity issues due to consumers neglecting to update default device passwords and manufacturers introducing untested features. These challenges are compounded by the lack of public vulnerability disclosures and companies not having a clear plan for handling them. Although there's some use of non-disclosure agreements, bug bounty programs, and Coordinated Vulnerability Disclosure (CVD) as risk management strategies, the industry-wide adoption of vulnerability disclosure policies remains low. 

    Consumer IoT vulnerabilities context

    Though there are advantages to devices like home assistants and smart security cameras, the IoT industry still has a long way to go in terms of cybersecurity. Despite advances in design and infrastructure, these devices remain vulnerable to cyberattacks. This problem is further compounded by the fact that many consumers do not know the best practices for upgrading their devices' operating systems. According to the IoT Magazine, 15 percent of all IoT device owners don't change default passwords, meaning that hackers can access 10 percent of all related devices with just five username and password combinations.

    Other security challenges are rooted in how these devices are set up or maintained. If a machine or software is left unsecured—for example, it can't be patched with new security updates or end-users can't change the default password—it could easily expose a consumer's home network to a cyberattack. Another challenge is when a developer closes down, and no one takes over their software or platforms. 

    Internet of Things attacks vary depending on the machine or infrastructure. For example, software or firmware vulnerabilities can allow hackers to bypass the security systems of electric vehicles (EVs). Meanwhile, some IoT manufacturers often add new features to their devices or interfaces without thoroughly testing them. For example, something seemingly simple, like an EV charger, can be hacked to under- or overcharge, leading to physical damage.

    Disruptive impact

    According to a 2020 survey conducted by the IoT Security Foundation, one of the areas where IoT manufacturers were not doing enough was providing public vulnerability disclosures. A key way to improve the security of devices connected to the IoT is making it easy for researchers to report vulnerabilities they find directly to manufacturers. At the same time, companies need to communicate how they will respond once these concerns have been identified and what time frame can be expected for software patches or other fixes.

    To combat emerging cybersecurity threats, some businesses rely on non-disclosure agreements. Others entice researchers with bug bounties (i.e., paying for discovered vulnerabilities). There are also specialized services that firms can retain to manage disclosures and bug bounty programs. Another technique for managing risks is Coordinated Vulnerability Disclosure (CVD), where the producer and researcher work together to fix an issue and then release both the fix and vulnerability report simultaneously to reduce possible damage to users. 

    Unfortunately, some companies have no plan for handling disclosures. While the number of firms with vulnerability disclosure policies rose to 13.3 percent in 2019 from 9.7 percent in 2018, industry adoption has remained generally low (2022). Fortunately, there are increasing regulations mandating disclosure policies. In 2020, the US government passed the Internet of Things Cybersecurity Improvement Act, requiring IoT providers to have vulnerability disclosure policies before selling to federal agencies. 

    Implications of consumer IoT vulnerabilities

    Wider implications of consumer IoT vulnerabilities may include: 

    • Governments regulating IoT manufacturers to have disclosure policies and rigorous and transparent testing.
    • More tech companies forming associations to agree to common standards and develop unified cybersecurity protocols that can make devices interoperable and increasingly secure.
    • Smartphones and other personal consumer devices implementing advanced multi-factor authentication and biometric identification to enhance cybersecurity.
    • Increased investments in electric and autonomous vehicle cybersecurity to prevent digital hijacking.
    • More eavesdropping attacks, where criminals take over unencrypted communication channels; this crime trend may result in more consumers preferring encrypted messaging apps (EMAs).
    • More incidents of social engineering attacks that take advantage of weak password protection, especially among users of older devices.

    Questions to comment on

    • How do you ensure that your IoT devices are well-protected?
    • What other ways can consumers enhance the security of their IoT devices?
