Hyperconnected CES gadgets highlight growing Internet of Things security threat

It may not have spawned any genre-shattering innovations, but this year's International CES 2016 exhibition in Las Vegas made one thing eminently clear: the Internet of Things (IoT) is here and everything is, or soon will be, connected. And, on cue, the security community is rushing to help ensure that reports of hackable smart TVs and other networking-enabled devices don't drive a new growth industry in hacker circles.

CES was filled with smart-home devices such as the LG Signature Refrigerator and Samsung Family Hub Refrigerator, with smart control systems from the likes of Tado. Even paintball masks were getting connected.

LG's tablet-connected Hom-Bot Turbo+ robot vacuum can stream live video to a smartphone or tablet, and doubles as a security camera; Sony's Multifunctional Light integrates motion, temperature, and humidity sensors as well as speakers, a microphone, and connectivity to other devices.

Even the best Connected Home Product category winner, Cassia Networks' Cassia Hub, was based around improving in-home connectivity, extending Bluetooth range to 300m and supporting the connectivity of 22 Bluetooth devices.

The security of connected TVs has become a particular concern, with recent reports that Android-based TVs suffer from an old vulnerability – and can be forced to run malicious code – reinforcing functionality-based privacy concerns raised a year ago.

Security specialists have worked overtime to explore vulnerabilities in connected-TV products, with Check Point Software Technologies publishing its analysis of “severe” vulnerabilities in the EZCast Smart TV dongle that would allow attackers to gain full access to a subscriber's home network.

For its part, Vectra Networks highlighted its success in hacking and reprogramming some Wi-Fi security cameras to serve as permanent network backdoors.

“Most organisations don’t necessarily think of these devices as miniature computers, but essentially they are in that they can still give attackers access to sensitive company information, particularly because they are connected to the corporate network,” said Vectra Networks CSO Gunter Ollmann in a statement.

“Unlike the computers people regularly interact with, these devices do not have the processing power or memory to run antivirus or other security software. Since they don’t have usable persistent storage, attackers use NVRAM to store the configuration and flash ROM to store the malicious code.”

WatchGuard was among the many companies that picked up on the growing IoT threat, expecting that 2016 would see a surge in proof-of-concept attacks “that permanently modify and hijack the firmware of IoT devices”. Vendors are expected to implement secure boot mechanisms designed to frustrate hackers' attempts at firmware modification: “We recommend vendors get in front of this learning curve,” WatchGuard said.

For many, increasingly connected smart TVs will be the next battleground. With millions of smart TVs said to be at risk in reports dating back to 2012, and Samsung recently announcing that its TVs would this year evolve to become IoT-ready hubs for connected homes, concerns over growing levels of connectedness are mounting.

The pervasiveness of software vulnerabilities in home routers was a recurring theme in 2015, with reports that more than 700,000 ADSL routers were vulnerable to hacking and later confirmation from FireEye that previously-theoretical attacks had been seen in the wild.

Such revelations contributed to Gartner's description of IoT as “overhyped and emergent” in a recent webinar on the topic, which it has covered extensively, calling out security and identity as major “roadblocks”.

“At the heart of security solutions is the concept of identity,” Gartner wrote. “We are familiar with the need for identities associated with people. This concept must now be extended to things.... When devices and services are so abundant, in so many different forms, and beyond the scope of any single organisation, new rules must be created.”

Security veteran Kaspersky Lab, for its part, this week joined forces with device-authentication vendor WISeKey to expand the scope of that company's Cryptographic Root of Trust for IoT authentication technology, which is currently used in connected watches from the likes of Bulgari.

“As the number of connected devices continues to grow, so does the number of threats,” Kaspersky Lab chairman and CEO Eugene Kaspersky said in a statement. “Unfortunately there are millions of devices in active use today that were never designed to be secure, but security should be built-in from the very outset. There’s an urgent need to establish and implement higher levels of security for IoT devices.”

Stories by David Braue
