I admit, the title of this post is scary, and some will claim that I’m fear-mongering. But the reality of IoT security is much worse than the title would have you believe.
HP did a study to test the security and privacy vulnerabilities of common IoT devices. It found that 70% of them had security and privacy vulnerabilities, with the tested devices having an average of 25 vulnerabilities each – and I’m not talking about the devices simply giving up your location. Some of those vulnerabilities involved devices downloading software updates over an unencrypted connection, allowing hackers to intercept and even modify the software update.
If you’re thinking “Yeah, well, I don’t care if anyone hacks into my device, there’s nothing important on it”, then think again. The devices tested included garage door openers, home alarms, and door locks. Do you still not care that a hacker can hack into a door lock or home alarm?
Here’s a summary of the findings:
- Privacy — 8 of 10 devices, including their clouds and mobile apps, raised concerns pertaining to the collection of personal data, including name, birthday and credit card credentials.
- Insufficient Authorization — 80% of devices tested, as well as their clouds and mobile apps, allowed weak passwords, including the idiot-favourite ‘1234’.
- Lack Of Encryption — 70% of devices didn’t encrypt communications to the Internet or local networks. 50% of the devices’ mobile apps didn’t encrypt communications to the Internet (including the corresponding cloud) or local network either.
- Insecure Web Interface — 60% of devices had security issues with their Web interfaces. The issues were things like poor session management, weak default credentials and even credentials transmitted in clear text (unencrypted).
- Insecure Software Updates — 60% of devices did not use encryption when downloading software updates. As a result, some of the software could be intercepted and even modified by a hacker.
The results are absolutely shocking, and even worse than I expected. It’s more proof that many development companies treat security as an afterthought, and only react to it after they get caught. Think about it: a company that develops a door lock doesn’t put much effort into the cybersecurity of a product that is designed to secure homes! Seriously?!
That’s not how people should be approaching security and privacy. You don’t wait until you have a house fire before buying fire insurance for it.
People need to be proactive, and prevent things from blowing up in the first place. I don’t want the alarm developer to wait until my alarm gets deactivated by hackers and all my valuables are stolen before the developer addresses the security issues in their alarm. That’s why I would never use an IoT product running software developed by Apple, which is especially famous for taking a loooong time to fix security vulnerabilities in its software, even the critical ones. Google’s software is obviously out of the question too.
The only way to approach security is to be proactive. BlackBerry has always taken the proactive approach, and it shows in the years without any security breaches of their infrastructure and platforms, despite the critical importance of the data being transported over them. It’s why BlackBerry should be leading the charge on IoT, setting the standards, and developing the technologies that form the foundation of IoT. They’ve proven they’re the best at mobile security, and that they’re committed to it. It’s why I use a BlackBerry, and will continue to do so. And it’s why I’m really looking forward to widespread deployment of BlackBerry’s Project Ion.