Malware in the media – Smart devices with stupid security

With Thanksgiving, a lot of smart products have found their way from vendor to consumer. Most people buying smart products do understand that these products are ‘connected’. Most buyers assume those smart products are tested and safe to use. But there is a huge problem with smart technology: the technology is evolving faster than the legislation protecting people using those smart devices. There is no legislation to force vendors to test and certify that their smart devices are really safe to use.

Not every smart device is called smart (like your smartphone or smart-TV). According to a Mozilla survey, the top 5 smart product categories are:

  1. Smartphones (malicious apps spy on you/steal passwords)
  2. Smart-TVs (auto-sleep camera can be used to spy on you)
  3. Activity trackers (smart-watch reveals location)
  4. Home safety (smart-locks and cameras used by burglars)
  5. Smart energy (low energy usage reveals you are on holiday)

In our August blog we already mentioned some facts about Android app fraud (a 300 million dollar business). To prove we are talking about real products and real security issues, let’s just list November’s disclosures of smart consumer products with unsafe security.

IP-Camera http://seclists.org/fulldisclosure/2017/Nov/43
IP-Camera https://blog.talosintelligence.com/2017/11/foscam-multiple-vulns.html
IP-Camera http://seclists.org/fulldisclosure/2017/Nov/31
Scooter anti-theft http://seclists.org/fulldisclosure/2017/Nov/23
Smart kid watches https://fil.forbrukerradet.no/wp-content/uploads/2017/10/watchout-rapport-october-2017.pdf

In the smart kid watches test, the Norwegian Consumer Council (Forbrukerrådet) reports that 50% of the watches have “critical security flaws” which could reveal location and snoop on communication. Essential emergency and location functions were unreliable, giving the parents a “false sense of security”.

What is really worrying is that those products are bought for security reasons, while in fact they are a threat to the owner and user. We agree with the Norwegian Consumer Council that smart devices with stupid security show “a lack of respect for consumer rights”.

The above security breaches clearly make a case for additional IoT security legislation in the European Union (as in the United States). At AV-Comparatives we will use our network and knowledge to push for a new set of checks and balances to ensure the privacy and security of consumers is respected by smart-device vendors.