October 05, 2023
Author: Erica Chikowski
Original title: 7 IoT Devices That Terrify Security Professionals
1. IoT Surveillance Camera
Whether designed to illuminate city streets, corporate facilities or baby cradles, IoT video cameras have become an integral part of our connected and increasingly controlled lives. Even aside from the many privacy concerns raised by uploading videos of people in private and public places to corporate clouds, the security implications of IoT cameras are close at hand.
The rise of the Mirai botnet and the damage it caused through DDoS attacks partly illustrated this early in the game, as attackers deliberately abused vulnerabilities in IoT cameras to create an army of zombies ready to attack systems.
As noted in an article published in the journal Internet of Things, IoT cameras often have disadvantages, including “lack of certification for protocols used in streaming. Encryption of all communication between them.”
These flaws not only make Mirai-style DDoS attacks possible, but also open up opportunities for targeted attacks, including remote camera takeover for anything from spying on children in the sanctity of their rooms to spying on video in conference rooms.
2. Smart toilet
A security risk matrix has been prepared for this question. How about a smart toilet equipped with an Internet-connected camera? What can go wrong?
While this may sound like an outrageous parody, some scientists are genuinely interested in bringing something like this to the bottom of our toilets. Our backs have the same unique bioprint as our fingerprints, they say, and they could use similar toilets to detect diseases early.
And this is just one of several recurring features dreamed up by toilet inventors that make up the concept of the smart toilet of the future. Other features include remote waste screening and data uploads that can be used to look for disease markers, toilets that can track the status of toilet maintenance, and some quirky connected lighting fixtures.
A 2019 study found that approximately one in five security professionals are concerned that their connected toilets will be hacked. They're not the only ones who don't trust smart toilets - most of them are skeptical about the idea. Only half of respondents surveyed by Thomson Reuters will use a smart toilet to some degree, with three in ten saying they completely resist the urge to use a connected toilet.
3. Digital license plate
Digital license plates are a new and growing hotspot in the IoT hype. Companies like Reviver tout the benefits of these devices, such as simplifying the toll process, recovering stolen devices, and charging government approval fees.
But as the incomparable Bruce Schneier said a few years ago, "That doesn't make sense to me. Numbers are static. The low-tech nature of license plates is a feature, not a bug."
Digital license plates open the door to all sorts of security and privacy issues when it comes to government oversight or tracking, potential tracking by those who manage to hack the device, a lot of usability issues where a device malfunction interferes with the license, and a plate will appear with number display, and numbers don't need a piece of metal to be effective.
However, in California this month the digital license plate pilot program became permanent, Colorado became the fourth state to provide citizens with digital license plates, and many other states are exploring options.
4. Smart speakers
"Hey smart speaker, tell me what are the cyber security risks of having an always-on microphone in my home or office that connects and sends recordings to someone else's cloud?"
Smart speakers from Google, Amazon, Apple and many other manufacturers can offer a lot of quirks that are sometimes impossible to resist, even for the most cynical security professionals. Oddly enough, we met a lot of security professionals who, admitting they couldn't help themselves, bought a Dot or Nest. But what we gain from being able to control lighting with simple voice commands, we lose in the form of increased security and privacy risks.
Smart speakers pose a potential risk, from covert eavesdropping by vendors, to hyper-targeted advertising for consumers, to hijacking by hackers to spy on people and businesses.
5. Smart kitchen appliances
If you think "Patch Tuesday" sucks when it comes to corporate security, imagine the parents of a child trying to heat up a bottle only to find out that a faulty firmware update has disabled their microwave. Ten years ago this scenario might have seemed far-fetched, but now it is becoming more and more common.
In spring, an incident with an administrator at microwave oven company Electrolux led to the company releasing a bad firmware update over the air to microwave ovens across Europe, making them think they were steam ovens. He broke the devices so badly that manufacturers had to send technicians to fix them.
Smart kitchen appliances such as ovens, microwaves, and refrigerators do not necessarily pose as much of a risk to an enterprise as other IoT devices, but the above justifies a pertinent risk assessment question: "What makes these devices 'smart'? Is the reward really worth the risk?"
6. Robot Vacuum Cleaner
At what age did you realize that robotic vacuum cleaners that roamed people's homes and offices were also mapping those spaces and sending that digital dirt back to the vacuum cleaner supplier's cloud? In answer to this question, many people will say today, because most people do not think too deeply about how a vacuum cleaner works. But it's true, and just a few months ago Amazon paid a fortune for one of the largest companies with such detailed data on people's physical space. Amazon bought Roomba manufacturer iRobot for $1.7 billion. It's another arrow in the quiver of Amazon's massive IoT data collection, and many privacy advocates are increasingly alarmed. “This is not just another device that Amazon sells in its marketplace,” Robert Weissman, president of consumer advocacy group Public Citizen, told The Guardian in August when the deal was announced.
"It's about the company getting more intimate details of our lives in order to gain an unfair market advantage and sell us more products. The last thing Amazon can do is suck out more of our personal information."
7. Smart lock
Smart locks as a class of devices sound pretty cool and convenient for the average person. How nice would it be to open the door from the driveway when you know you're bringing groceries, or share a limited-time code with a cleaning company, right? But these devices have also paved the way for scenarios that would make any security-conscious person's hair stand on end.
These devices are notorious for being insecure: research has identified weaknesses in firmware, authentication, communication protocols, etc., making them vulnerable to stalkers, thieves, etc. Some recent research examples include Apps A, B, and C, as well as a growing number of studies of the entire alphabet.
Moreover, when these locks are keyless and digitally controlled only, they suffer from the same fault tolerance issues that many IoT devices suffer from when faced with interference such as Internet outages. For example, a massive Internet outage at Canadian provider Rogers Corp. prevented a major concert venue, sponsored by the Rogers Corporation, from opening its doors to concerts this summer. Other IoT devices such as ticket machines and point-of-sale machines were also affected.