IoT needs more respect for its consumers, creations, and itself
Yet again, connected devices are in the news for all the wrong reasons. In October, security researchers found that robot vacuums from the Chinese company Ecovacs can be compromised via a backdoor. In one case, hackers gained control over the device and shouted slurs at the homeowners. Worse still: the company doesn’t take responsibility and tells users they “do not need to worry excessively” about the vulnerability.
This hack is another unfortunate example of connected device companies shirking their security and privacy responsibilities. Without proper safeguards, these smart home and office devices morph from helpful tools into mobile surveillance gateways – introducing rogue cameras and microphones into our most intimate settings.
Enough is enough – the sector needs to take these threats, and indeed itself, more seriously.
Digital eyes and ears in your home
I can’t be the only one with a sense of security déjà vu. Whether it’s video doorbell vulnerabilities or baby monitor hacks, a new connected device fallibility emerges seemingly every month. And yet, despite multiple high-profile stories, poor products with lax security are concerningly common, a clear danger with cameras and microphones in the mix.
There are a few novel risks to tease out here. First, devices on wheels add a new dimension to this threat. A stationary camera is one thing; a hacked, mobile device in your inner sanctum is another. This raises several concerns, such as devices surreptitiously mapping floor plans, tracking daily routines and occupancy patterns, and creating an inventory of valuables and their locations.
Until now, attackers have mostly used these backdoors for pranks and harassment. But the implications are far more sinister – these always-connected, sensor-equipped devices could be used to eavesdrop on private conversations, stalk targets, or even conduct corporate intelligence gathering by scanning homes for products and brands.
The risk of contagion is also real. What’s to stop hackers from driving the compromised vacuum up to Alexa and saying, “Open the front door”? This cascading vulnerability turns a simple vacuum hack into a potential gateway for complete compromise.
Plugging the security holes is neither expensive nor challenging
The connected vacuum hack exploits a Bluetooth vulnerability, allowing anyone with a phone to connect from over 100 meters away. Much like the ones before it, this is a backdoor that’s thwarted by something as simple as unique credentials or multi-factor authentication. With consumer privacy and security on the line, things like open connection pathways and default passwords just don’t cut it.
There’s a real urgency following the pandemic to get this right. Devices are booming in the smart home and office – doubling over the next 10 years to almost 40 billion worldwide – and governments realize their people and businesses need protecting. As a result, regulatory guardrails are on the way with Europe’s Cyber Resilience Act and the United States’ Cyber Trust Mark. This is a good thing and perhaps the wake-up call our industry needs.
It’s past time for device makers to tighten endpoints and implement secure protocols, better authentication mechanisms, and stronger storage at the edge. Further, the industry needs to ensure secure connections by encrypting all data in transit and delivering peer-to-peer communication. The good news? These solutions are neither prohibitively expensive nor technically challenging.
The road to action and accountability in IoT
We’re not just talking here about hacked devices – we’re talking about potential windows into who we are. The smart home and office are, in essence, our personal and professional lives, and I’m certainly not comfortable with companies playing fast and loose with cybersecurity standards.
Regulation is coming, but any serious connected device company shouldn’t need that push. Companies exist to serve consumers and forget that at their own risk. Privacy and security aren’t nice to have – they’re bare minimum requirements.
And for those dragging their feet? Consider this: Strong security practices will be a key market differentiator in the coming years. Early adopters who get ahead of pending legislation will enjoy both a competitive advantage and a clear conscience.
At the same time, consumers need to stand up and speak out when something’s not right. Leave bad reviews, contact customer complaints, and vote with your wallet. If a company is negligent and allows audio and visual access to your private spaces, hit them where it hurts – their bottom line.
There’s a lack of respect for device consumers and it shows. And, speaking as someone with more than two decades in this space, the idea of device makers sacrificing privacy and security in the name of laziness or cost-cutting is embarrassing. Our sector and ingenuity are far better than this – let’s prove it.