In the last few years, there has been a rapid rise in the number of domestic IoT devices. In 2019 alone, 141 million voice controlled connected home devices were shipped internationally. In fact, while sales of many products are being hit hard by the Covid-19 pandemic, concerns over touching infected shared surfaces are expected to fuel nearly 30 per cent growth in sales of voice controlled connected home devices this year.
However, despite the convenience and entertainment connected home products bring to our day-to-day lives, such devices vary so much in the maturity and level of cybersecurity solutions built in. Unfortunately, not all are sufficiently updated over time to protect users from developing cyberthreats. As a result, the plethora of IoT devices consumers are bringing into their homes are all too often putting them at risk of hackers accessing credentials and sensitive data.
A case for security by design
Many of the cyberthreats targeting domestic IoT devices are a result of the fact that they simply aren’t designed with cybersecurity in mind and are easy prey for hackers. We see this time and time again; from a massive breach last year which led to two billion connected home records being leaked, including conversations recorded on connected home cameras; to Amazon’s Ring doorbells whose infamous security vulnerability enabled hackers to steal users’ Wi-Fi usernames and passwords, giving them access to other devices on their networks.
I’ve said this so many times that I think it could become my own personal motto: security by design is paramount. While it’s certainly not the case for all, too many IoT and connected home developers simply aren’t prioritising security highly enough in the product development stage, and it shows. And the thing is, good cybersecurity doesn’t happen overnight. Creating a cybersecure product line requires rigorous security practices to be baked in from the outset, in addition to a commitment to maintaining sufficient updates across all devices once they have been sold.
Ensuring solid cybersecurity solutions are implemented from the design stage onwards in all IoT devices in the home, must be unanimous across the ecosystem if we are to protect consumers from cyberattacks. Because unfortunately, it only takes one unsecured device to provide a door through which a hacker can gain access to an entire home network. Furthermore, Internet Service Providers need to be ensuring that they are providing users with secure routers, complete with IoT security solutions to provide the maximum level of IoT security within the home.
The hidden cause of domestic IoT attacks
If you asked most people about the source of most IoT security threats, I can almost guarantee their minds won’t go to their internet routers, despite those very devices being the gateway to staying connected with the world. However, Symantec’s 2019 Internet Security Threat Report found that infected routers are in fact the source of an estimated 75 per cent of all IoT attacks. Importantly, the router being the hub of all domestic internet activity, once compromised can lead to users’ sensitive data, passwords and connected home recordings being hijacked by hackers for profit.
Furthermore, these are almost never small-scale attacks targeting individual homes. Hackers are rarely lone criminals, and more often than not work in cyber-gangs which operate as branches of wider criminal networks. These gangs execute targeted, large scale hacks designed to bring in large amounts of money. Recently, a widespread vulnerability to router security was revealed; dubbed ‘Cable Haunt’, the middleware flaw allowed hackers to hijack cable traffic, eavesdrop on sensitive data shared online and via connected home devices, disable firmware upgrades and much more. With a growing number of people now working from home, such threats to domestic IoT devices will unfortunately develop more serious implications.
Blurred lines: Domestic and business IoT security
It would be impossible to discuss the current threat landscape of connected IoT devices without mentioning the impact of Covid-19 and the lockdowns it has triggered around the world. With such a large number of people working from home on potentially unsecured home networks, the risk of business servers being infiltrated by hackers is higher than ever before. Unfortunately, the prominence of unsecured connected home devices will only fuel this further.
So, what can we do to create a safer world without giving up the easy and flexibility provided by our domestic IoT devices? Obviously, much of the onus falls on the developers to create and update sufficiently secure devices for consumers. However, there are ways consumers can protect themselves without having to forgo the connected home devices they have grown to know and love.
Set passwords on all of your IoT connected devices. Whether it’s your connected front door camera, a connected plug or another connected home device, most people leave their devices with easily guessed default passwords, making devices highly vulnerable to attack. Maintain the software and operating systems running on the devices you use within your home network. It’s easy to ignore updates, but they’re necessary if you want to protect yourself from the ever-evolving nature of cyberthreats. Finally, invest in a router which has the ability to understand your network and take care of your device security for you.
Looking into the future
Moving forward, people need to be thinking about more than just the cybersecurity basics. AI-driven security solutions which reside on home routers can help monitor and mitigate threats to IoT devices and more, ensuring vulnerable and even breached devices are quickly detected and isolated.
And while not really common yet, I see a world where cyber-insurance is something that all corporations and individuals will need to invest in when using IoT connected technology. Cyberattacks are a very real risk in the digital era, and until the companies that are manufacturing domestic IoT devices become more heavily regulated, that isn’t going to change. Just as we are required to take out insurance in order to drive a car, which protects us against the financial costs of road accidents, I see consumers soon wanting to insure ourselves against the impact of cyberattacks.
Moving forward, it is clear to me that the future of domestic IoT devices needs to be more firmly routed to the belief that connected homes need to be safe homes. Developers have created an impressive range of devices which make our day to day lives easier and more connected. However, until good cybersecurity is at the centre of these developments, domestic IoT devices will continue to put those who use them at risk of an ever-evolving abundance of cyberthreats.
Shane McCarthy, COO, Irdeto