By GRL Team on June 25, 2024
IoT

Consumer IoT Devices: Embrace Convenience or Prioritize Security?

Granite River Labs, GRL

Sanjay K Sharma

The rapid proliferation of consumer Internet-of-Things (IoT) devices has revolutionized daily living with unprecedented levels of convenience and efficiency. By 2030, it is estimated that 29 billion IoT devices will be circulating worldwide. This includes security devices such as baby monitors, smoke detectors, and door locks, as well as entertainment systems such as smart cameras, TVs, speakers, wearable health trackers, home automation and alarm systems enable people to manage and monitor multiple facets of their lives seamlessly.

However, the rise of IoT also brings about significant cybersecurity risks. Each new device on a network can be a potential entry point for cyber attackers. With many IoT devices lagging behind on the security features front, the lack of regular updates is making IoT systems vulnerable targets for exploitation.

 

Surge in IoT Malware Attacks - 2023

2023 marked a critical turning point for IoT security threats, with a Zscaler ThreatLabz report revealing a staggering 400% increase in IoT malware attacks compared to the previous year1. This dramatic rise underscores the security risks associated with the proliferation of connected devices.

 

The 2024 Roku Cyberattack

The 2024 cyberattack on Roku, which compromised over 576,000 accounts2, highlighted the vulnerabilities inherent in IoT devices while raising important questions around consumer trust, regulatory compliance, and the integration of cybersecurity measures across technological ecosystems.

Compromised IoT devices can be the entry point for launch DDoS attacks, personal network infiltration, and sensitive data theft. For example, the Mirai botnet attack3, which uses thousands of unsecured IoT devices to disrupt major websites, highlights just how large-scale these threats can be, possibly placing hundreds of thousands of individuals at risk through breached smart cameras, health monitors, and so on.

 

Technical Vulnerabilities in IoT Devices

Common weaknesses within IoT devices that can expose them and their connected networks to attacks include:

  1. Weak Authentication: IoT devices that rely on default usernames and passwords are easy targets as these outdated authentication mechanisms no longer provide adequate security against modern cyber attacks.
  2. Unencrypted Stored Data: Unencrypted personal data stored on IoT devices can be easily extracted and misused.
  3. Unused Interfaces: Open or unused interfaces that are not properly secured or disabled can also be exploited by attackers to gain unauthorized access or remote control over the device.
  4. Lack of Regular Updates: IoT devices that lack frequent security updates will accumulate vulnerabilities that become increasingly easy to exploit over time.

 

Manufacturers' Role: IoT device manufacturers have been urged to enhance security measures, including implementing stronger authentication protocols, regularly updating firmware, and encrypting stored data. Consumers often remain unaware of these vulnerabilities and where their data might be compromised. Securing these devices is crucial, and the primary responsibility lies with the manufacturers. Manufacturers must prioritize the security of their products to protect users' data and privacy.

Compliance to Basic cyber-Security requirements becomes mandatory for consumer IOT devices under EU RED to fulfil CE marking requirements by Aug 2025.  Additionally, there are other international private certification schemes aligned their security requirements as per ETSI EN 303 645, NIST, OSWAP Top 10, CWE 25 standards and its predecessors.

As an accredited laboratory for various national/international standards, GRL conducts security testing on consumer IoT, applications and telecom devices according to the standards mentioned above. These standards provide a solid security baseline for connected consumer products through 13+ key recommendations, chief of which are:

  • Eliminating default passwords
  • Implementing a vulnerability disclosure policy
  • Keeping software updated

Don't wait for until it's too late to secure your products. Proactively prepare against worst-case scenarios by contacting IoT experts to safeguard your customers and your brand.

 

About the Author

Sanjay K Sharma 

Associate Director -Cybersecurity Services  

Sanjay K Sharma is responsible for developing cybersecurity services and establishing evaluation facilities according to various national, international and industry standards. Supports IoT and digital-connected technologies strategy. 

 

Reference

1. Adm Ford. 11 Jan 2024. Securing Public Sector Against IoT Malware in 2024. Zscaler Blog.

2. Ty Roush. 12 Apr 2024. Roku Says 576,000 Accounts Compromised In Latest Security Breach. Forbes.

3. Cloudflare. What is the Mirai Botnet?

Published by GRL Team June 25, 2024