2017 is expected to be the year of exploiting the Internet of Things. The past few years have had their share of hacks, but those are only the tip of the iceberg. As more and more IP-enabled devices flood the market, the door opens for hackers to compromise these devices, which can ultimately result in disclosure of your personal information.
Almost every electronic consumer device on the market today can connect to the internet and/or store data. These devices are computers and require ongoing patching. Manufacturers do not make this easy, and consumers, for the most part, have no idea that this is needed.
In 2013, Samsung released a firmware update that patched a security vulnerability on their Smart TVs. Prior to that, security researchers discovered a vulnerability that allowed them to gain remote control over the TV’s operating system. This allowed them to control all features/functions of the TV as if they had physical access to the TV. In other words, if the TV had a microphone or camera, the security researchers had the ability to activate them.
Many times, manufacturers will be informed of a vulnerability and choose not to do anything about it, as it would impact their bottom line. They feel that admitting to shipping products that are not secure may damage their reputation, or that there is no revenue in patching products that have already shipped. This can be a risky move on their part. Security researchers are constantly looking for vulnerabilities in devices. Most of them will contact the manufacturer directly so they can create a patch; however, not all will.
Recently, a security researcher discovered a vulnerability in a very popular security camera/DVR solution. The researcher posted the code and steps on how to exploit it in a public forum, so anyone who is looking for it can download it for free. This was recently removed at the request of the manufacturer, but the researcher has given them 30 days to develop the patch and make it available to download, or else he will re-publish the code. We will see how they handle this situation in the coming weeks.
The good news is that these issues are not going unnoticed. Underwriters Laboratories (UL), the same organization that is most commonly known for its life safety standards, is coming up with a standard for IoT devices. This will be known as standard UL 2900. While it is not a silver bullet, this is a step in the right direction. This will at least give educated consumers the ability to purchase a product that has been tested and meets a minimum level of cyber security criteria.