It may not have spawned any genre-shattering innovations, but this year's International CES 2016 exhibition in Las Vegas made one thing eminently clear: the Internet of Things (IoT) is here and everything is, or soon will be, connected. And, on queue, the security community is rushing to help ensure that reports of hackable smart TVs and other networking-enabled devices don't drive a new growth industry in hacker circles.
CES was filled with smart-home devices such as the LG Signature Refrigerator and Samsung Family Hub Refrigerator, with smart control systems from the likes of Tado. Even paintball masks were getting connected.
LG's tablet-connected Hom-Bot Turbo+ robot vacuum can stream live video to a smartphone or tablet, and doubles as a security camera; Sony's Multifunctional Light integrates motion, temperature, and humidity sensors as well as speakers, a microphone, and connectivity to other devices.
Even the best Connected Home Product category winner, Cassia Networks' Cassia Hub, was based around improving in-home connectivity, extending Bluetooth range to 300m and supporting the connectivity of 22 Bluetooth devices.
The security of connected TVs has become a particular concern, with recent reports that Android-based TVs suffer from an old vulnerability – and can be forced to run malicious code – reinforcing functionality-based privacy concerns raised a year ago.
Security specialists have worked overtime to explore vulnerabilities in connected-TV products, with Check Point Software Technologies publishing its analysis of “severe” vulnerabilities in the EZCast Smart TV dongle that would allow attackers to gain full access to a subscriber's home network.
For its part, Vectra Networks highlighted its success in hacking and reprogramming some Wi-Fi security cameras to serve as permanent network backdoors.
“Most organisations don’t necessarily think of these devices as miniature computers, but essentially they are in that they can still give attackers access to sensitive company information, particularly because they are connected to the corporate network,” said Vectra Networks CSO Gunter Ollmann in a statement.
“Unlike the computers people regularly interact with, these devices do not have the processing power or memory to run antivirus or other security software. Since they don’t have usable persistent storage, attackers use NVRAM to store the configuration and flash ROM to store the malicious code.”
WatchGuard was among the many companies that picked up on the growing IoT threat, expecting that 2016 would see a surge in proof-of-concept attacks “that permanently modify and hijack the firmware of IoT devices”. Vendors are expected to implement secure boot mechanisms designed to frustrate hackers' attempts at firmware modification: “We recommend vendors get in front of this learning curve,” WatchGuard recommends.
For many, increasingly-connected smart TVs will be the next battleground. With millions of smart TVs said to be at risk in reports dating back to 2012 and Samsung recently announcing that its TVs would this year evolve to become IoT-ready hubs for connected homes – concerns over growing levels of connectedness are growing.
The pervasiveness of software vulnerabilities in home routers was a recurring theme in 2015, with reports that more than 700,000 ADSL routers were vulnerable to hacking and later confirmation from FireEye that previously-theoretical attacks had been seen in the wild.
Such revelations contributed to Gartner's description of IoT as “overhyped and emergent” in a recent webinar on the topic, which it has covered extensively and called out security and identity as major “roadblocks”.Read more: Can ScramCard make payment security sexy? This ex-bank CSO thinks so
“At the heart of security solutions is the concept of identity,” Gartner wrote. “We are familiar with the need for identities associated with people. This concept must now be extended to things.... When devices and services are so abundant, in so many different forms, and beyond the scope of any single organisation, new rules must be created.”
Security veteran Kaspersky Lab, for its part, this week joined forces with device-authentication vendor WISeKey to expand the scope of that company's Cryptographic Root of Trust for IoTauthentication technology, which is currently used in connected watches from the likes of Bulgari.
“As the number of connected devices continues to grow, so does the number of threats,” Kaspersky Lab chairman and CEO Eugene Kaspersky said in a statement. “Unfortunately there are millions of devices in active use today that were never designed to be secure, but security should be built-in from the very outset. There’s an urgent need to establish and implement higher levels of security for IoT devices.”