As IoT takes center stage at CES 2016, security gets lost in the wings

Analysis: Now more than ever, toymakers and smart home device manufacturers have to put security first.
Written by Zack Whittaker, Contributor
Even internet-connected teddy bears and toys are hackable. (Image: file photo)

Ask almost anyone at this year's CES expo in Las Vegas, and you'll hear one phrase again and again: "Internet of Things."

And so it begins, the craze that takes the world by storm, rinse and repeat, year after year. Once it was smartphones, then it was tablets, wearables, and now it's the smart home and our connected lives.

At its most fundamental level, the Internet of Things (IoT) is made up of devices that connect to the internet. They can be anything from data-guzzling devices that monitor your physical activity, to smart thermostats that monitor the outside air and adjust your home temperature accordingly, to appliances that can think on their own and order groceries while you're at work.

But when your house comes under attack from an unknown threat, the Internet of Things craze paints an entirely different picture.

Security as an 'afterthought'

As the interest in IoT continues to rise, so does the concern about privacy and security. And all too often, device manufacturers have the same problem: they're thinking too much about the product, and not enough about security.

Take VTech, the Hong Kong-based toymaker that late last year suffered a massive data breach, leading to the theft of thousands of kids' photos, chat logs, and other personally-identifiable information. The company willfully admitted its database was "not as secure as it should have been," leading to criticisms that the toymaker put the functionality of its toys ahead of basic device security.

"Security needs to be designed into the fabric of the service from the beginning. It cannot be bolted on as an afterthought," said Mark Nunnikhoven, vice-president of cloud research at security firm Trend Micro, at the time.

While CES has been on top of the IoT trend -- everything from smart cities to smart TVs and internet-connected cars -- there's been little to say on how these devices are going to stay safe from hackers and attackers.

A panel is scheduled for Wednesday to talk about the emerging threats and IoT.

'Catch of the day' for cybercriminals

The main question that needs to be answered is how devices collecting, storing, and sending data are protected from outside threats.

Of the big names, Panasonic has invested in its IoT security effort, as has Samsung with its new Gaia platform for its smart TVs. AT&T has also pledged to provide security for IoT devices. Other companies, like Dojo-Labs, have carved out a niche in the IoT security space by working with other major sensor and technology providers. Other firms have similar offerings in place, but they either need work or have yet to get off the ground.

But with as many as four billion IoT devices already on the market, a number that according to Gartner could surpass six billion by next year, some think the industry is coming in too late.

Deepak Patel, vice-president of engineering at security firm Imperva, said IoT devices are "easily the 'catch of the day' for cyber criminals," because all too often these devices have settings and options that are available from a web address, or with basic and easy-to-exploit vulnerabilities.

Security first, functionality later

If you thought it couldn't happen to you, think again.

Just last year, security firm Rapid7 discovered a slew of baby monitors that included hard-coded credentials, allowing anyone with the right username and password in. The research highlighted a wider trend of not just baby monitors, but other IoT-connected devices, which are increasingly connected to business and enterprise networks.

"Even security-oriented devices such as CCTVs have been found to be completely broken," said Patel.

Only this week, Comcast's Xfinity home security system, which relies on IoT devices and sensors to monitor homes, was found to have a "fail open" flaw, which could allow an attacker to trick the system into thinking that doors and windows are locked and secured -- when in fact, they're not.

Tod Beardsley, research manager at Rapid7, noted a common issue, that companies are "delivering IoT devices without addressing the problem of an active adversary attacking these devices -- even in the case where the IoT device is designed to be a security product."

No matter which way you look at it: every company nowadays has to be a security company.

The slow-brewing interest at CES, the world's largest tech expo, certainly shows that there have been valiant efforts to tap into the security space. But it's far from the industry-wide effort that some are calling for.

"Without a serious change in the security state-of-mind, it's just a matter of time until we see the first victims of the security flood caused by zombie toasters and microwaves," said Patel.
