A new report from Bitdefender shows that smart TVs and other smart devices are vulnerable to attack. It is if, not when.
Bitdefender says the smart things market has been booming in the past two years, and it is high time that a thorough security pattern is overlaid.
Its 18-page report states the average smart home is overflowing with insecure devices such as gaming consoles, baby monitors, smart TVs and wireless surveillance systems. What users don’t know is that a worryingly high proportion of Internet of Things (IoT) devices are sold without inbuilt security. Most even lack an operating system that supports the installation of security software agents.
Bitdefender: All smart devices attach to a network and the internet. Ergo, all smart devices are vulnerable.
That makes them just as much a target as traditional PCs. It is just that hackers have not made money from most smart device hacks yet.
There have been wide-scale attacks on IoT devices like routers and security cameras, largely to harness their minuscule computing power to launch large-scale DDoS attacks.
The issue with IoT devices is twofold. On the one hand, the average, non-technical IoT buyer has little to no knowledge of their inner workings. Nor do they have the necessary networking skills to close potentially dangerous open ports.
On the other hand, the setup process itself is all about function first, security second. Sometimes, the setup process does not force the user to choose a unique, hard-to-guess password for administrative accounts on the device.
Automatic attacks relying on IP and port scanning are the new norm. Different botnets, run by competing bot operators, come and go daily.
No smart device is insignificant, as each represents a potential attack avenue that hackers can manipulate to get inside a home network. Once inside the network, they can control all devices in it.
Firmware is a major loophole
Old firmware or, worse still, devices that never receive firmware updates are an open invitation to a hijack by a botnet.
55% of smart TV users have never run a firmware update
50% of smart TV owners said that they have never altered the default password
50% of smart TV users do update the software apps
60% did not perform any firmware updates on their wireless router throughout its lifespan.
38% of smartphone and tablet users did not run a firmware update
Passwords are a weak link
Weak usernames and passwords, negligent browsing, as well as the lack of firmware updates aid hackers in getting access to banking information, private photos and videos, e-mails, home security settings and eavesdropping through baby monitors and smart TVs.
60% of smart device users say they have different passwords for each smart device/accessory.
20% have several passwords that they randomly use
10% use one password for all their smart devices
70% of smartphone or tablet users say that they have not used a new password for more than three months
Data leaks are the new gold
Tremendous amounts of data are shared every second via cloud storage, emails, social media, videos, photos, likes and opinions. As the cloud is becoming the new norm, it needs to be encrypted. Much is not, and the information is easy to exploit. Result – 90% have a concern about data leakage from a smart device but do nothing.
61% store plain text personal information on PCs
50% on phones (68% of 18-22-year-olds)
11% keep their important personal information on network storage
GadgetGuy’s take. For IoT to work, it needs better security
We publish most security articles purely to increase awareness.
Bitdefender’s report does not surprise. Old firmware, poor password hygiene, and devices built for function, not security, are the issue.
It is heartening to see California’s Senate legislation that requires IoT device manufacturers to incorporate security in the devices they release on the market. At a minimum, they must ensure user privacy and online safety. If manufacturers want to sell their gadgets in the Golden State, all products sold from 1 January 2020 must comply.
The law addresses devices ‘that can connect directly or indirectly to the internet and have internet protocol or Bluetooth addresses,’ including Amazon Echo and Google Home.
The UK Government is working on IoT ‘security by design’, shifting responsibility to the vendor and away from consumers.
The EU General Data Protection Regulation includes a very important article on end-user rights and privileges, including one known as “the right to be forgotten.” Starting May this year, by law EU residents will be able to tell any data processor to erase their personal information from both private and public records. That includes IoT data.
For Bitdefender’s part, it has a multi-device Total Security product that includes new network threat protection to help prevent IoT exploitation. It detects and blocks brute-force attempts, protects IoT devices from botnet attacks and prevents sensitive information from being sent in clear text form.