The concept of a big black box monitoring our conversations and actions in our own homes is unsettling. But the benefits of having an Internet-connected TV are wonderful. From the couch we can summon up the latest on-demand movies from the Internet using only our voices, streamed from any number of our favorite services (whether Amazon, Netflix, or something else entirely). We also have access to specialized content beyond movies and television (e.g., Twitch).

How can we move IoT innovation forward while providing more control over and transparency into how these devices work and what they’re doing with our personal information?

First, I will provide a quick roundup of some of the concerns and issues with IoT devices. Then, I will provide high-level recommendations to manufacturers and consumers to improve their IoT security.

Listen to the podcast series: Five Indisputable Facts about IoT Security

Internet of Things ‘Spying’

IoT monitoring is real, and that means hacking these devices can put consumers at risk of being spied on. Businesses need to be aware of these risks because IoT adoption is on the rise in corporate settings and is already a mobile reality given the convergence of personal and business use on BYODs. Likewise, manufacturers need to be aware that failing to manage the security of their devices and the data collected by them will lead to exposure of their customers’ private information, in turn leading to reduced consumer confidence and (potentially) fewer sales down the road.

Some of the more interesting IoT issues to date include:

TVs: Recently the media lit up with news that Samsung Smart TVs could listen in on your private conversations. Interestingly, the media storm was set off, in part, by Samsung’s own privacy policy which read: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

Samsung responded quickly by clarifying their policy to make clear that the intent is not to “spy” on people’s private conversations. However, users of these TVs, including businesses that have them set up in conference rooms, should be aware that voice commands are sent to a 3rd party.

Even if owners of the TVs are comfortable trusting Samsung and their 3rd party (Nuance) with their voice commands, it’s notable that earlier versions of the Smart TV were found to be hackable, allowing attackers to turn on cameras and access apps.

Baby Monitors: In August of 2013 a couple in Houston heard a stranger talking to their 2-year-old daughter through the baby monitor. The monitor in question, a Foscam, allows for remote monitoring from around the world. Remote access is a handy feature for parents away on a trip who want to check in on things at home, but quite distressing if that remote connection has been hacked into by a malicious stranger.

Foscam was in the news again recently when another camera was hacked and the stranger addressed the nanny. In both cases, steps like firmware updates and camera password protection could have prevented the hacks, but most baby monitor users are not IT security experts who know how to (or even that they should) do these things.

Cars: Hacked cars that seize steering and brake controls from drivers make for good television, but are extremely difficult to pull off outside of a proof-of-concept right now. What isn’t all that hard? Hacking the remote locks. In February BMW issued a fix to their ConnectedDrive software that allowed attackers to unlock cars and start car engines from their phones.

GPS: As creepy as someone virtually getting into your house by hacking a camera may be, it’s also unsettling to think of attackers tracking your every move when you’re out of the house. Recently IBM researchers reported that 73% of mobile dating apps tested had access to GPS data and that 60% of the tested apps had some kind of vulnerability that could lead to attackers accessing private data.

Preventing Misuse of the Internet of Things

Digging a bit into the examples above, there are a few things manufacturers can do to get a handle on the situation.

The first is to build security in. Most of the time, if a device is vulnerable to a remote attack, it’s because the software that’s running on it or controlling it is flawed. This is the case in the dating apps and BMW software mentioned above. My quick take on how to build in security is available here, but the following are some excellent deep resources available on the topic:

Manufacturers should also communicate best practices. Even though Samsung’s policy caused some alarm, the company was on the right track in being explicit with users about data risks. Those who manufacture IoT devices should write short, clear notices about which sensitive data is being collected, how it will be used and who besides them may have access to it.

Manufacturers can also help consumers use their systems more securely by requiring a password or default password reset during installation — which would have sidestepped the Foscam password issue — and creating a way to reach all users when software updates are issued. This could include consumer outreach or remote auto-updates.

Business and consumer users of these devices can do the following:

  • Review privacy and use policies published by the manufacturer. If you don’t like what the policy says, don’t use the device or app.
  • Change default passwords, and don’t forget to make the new password strong and unique.
  • Monitor the manufacturer’s site for announcements about patches and software updates to ensure you have the most recent versions.
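As an added example (not code from the article or from any manufacturer) tying together the manufacturer recommendation above (require a default-password reset during installation) and the user checklist (strong unique passwords, current firmware), here is a first-run setup gate for a hypothetical camera: remote access stays off until the factory default credential has been replaced by an acceptable one and the installed firmware matches what the manufacturer announces. The factory default list, the 12-character minimum and the firmware check are constructed assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass

FACTORY_DEFAULTS = {("admin", ""), ("admin", "admin"), ("admin", "888888")}  # constructed sample
MIN_PASSWORD_LEN = 12      # assumed policy value, not taken from the article
PBKDF2_ROUNDS = 200_000

@dataclass
class DeviceState:
    firmware: tuple                 # version installed on the device, e.g. (1, 4, 2)
    latest_firmware: tuple          # version the manufacturer currently announces
    username: str = "admin"
    salt: bytes = b""
    password_hash: bytes = b""
    remote_access: bool = False     # stays off until setup_gate() clears every blocker

def password_problems(username: str, password: str) -> list:
    """Reasons a chosen credential is unacceptable; an empty list means it is fine."""
    problems = []
    if (username, password) in FACTORY_DEFAULTS:
        problems.append("credential is a factory default")
    if len(password) < MIN_PASSWORD_LEN:
        problems.append("password shorter than %d characters" % MIN_PASSWORD_LEN)
    if password.lower() == username.lower():
        problems.append("password equals username")
    return problems

def setup_gate(state: DeviceState, new_username: str, new_password: str) -> list:
    """First-run gate: returns the blockers; remote access is enabled only when none remain."""
    blockers = password_problems(new_username, new_password)
    if state.firmware < state.latest_firmware:
        blockers.append("firmware older than the announced version")
    if blockers:
        state.remote_access = False
        return blockers
    # Persist only a salted PBKDF2 hash; the plaintext is discarded here.
    state.username = new_username
    state.salt = secrets.token_bytes(16)
    state.password_hash = hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), state.salt, PBKDF2_ROUNDS)
    state.remote_access = True
    return []

def verify_login(state: DeviceState, username: str, password: str) -> bool:
    """Check a remote login against the stored hash in constant time."""
    if not state.remote_access or username != state.username:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), state.salt, PBKDF2_ROUNDS)
    return secrets.compare_digest(candidate, state.password_hash)
```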

If manufacturers build security into their IoT software and devices and users take precautions, we can hopefully all enjoy the benefits of IoT without being spied on by cybercriminal Big Brothers.

