It’s the internet of sh*tty things, says Intel Security’s Raj Samani
“It is an internet of vulnerable things,” he told The Register at Mobile World Congress in Barcelona. “Go and ask anyone on the show floor: what data are you collecting? What are you doing to safeguard information and secure the device? And you will get blank stares. No one is thinking about what you are doing to secure the gadget.”
A major issue is that poor security practices already exist on things like mobile apps – an approach that could cause profound problems with the proliferation of connected devices, he said.
Research published by Intel Security this week found 4,000 apps that were removed from Google Play without notification.
More than 500,000 devices still have these apps installed and are active, leaving users exposed to any vulnerabilities, privacy risks, or malware contained in these dead apps.
One recent example is a password-stealing app, distributed on Google Play as a Trojanized version of Instagram.
Samani said he has seen a recent number of bizarre IoT devices such as a proof of concept for a pregnancy test that tweets the results, and a connected toilet paper holder that lets the user know when they are running low on bog roll.
He said that before more products arrive on the market, measures should be put in place to hold companies to account, adding that it is concerning that companies already absolve themselves of responsibility for data loss in their terms and conditions.
“Let the market decide. If you want an internet-connected toiled holder, fine. Although I might not use your bathroom. But there has to be some degree of due diligence.”
Samani said it was not a case of industry fear-mongering because others have also demonstrated severe existing vulnerabilities – such as the recent confirmation that implantable cardiac devices have hackable flaws.
He added: “I have a couple of kids, and I genuinely worry about what privacy will mean for them in the future, unless we put security into these devices. Because every move they make, it’s going to be tracked, it’s going to be locked, it’s going to go somewhere in the cloud and used by who knows. So we’ve go to start banging the drum now.”
He said the industry needed to change its language to make the risks more real for non-techies. “So we’re talking about not being able to get a mortgage because your credit rating has been damaged, or your kids not getting job they wanted because someone guessed the name of their password and started tweeting racist stuff.”
Last year the Mirai IoT botnet, comprised largely of internet-enabled digital video recorders and surveillance cameras, was used to devastating effect in October, taking out DNS provider Dyn and leaving scores of high-profile websites unreachable as a result.
The Intel Security report noted: “We have been watching IoT attacks for several years and over the past year have seen the infection rates grow by roughly 20 per cent every quarter. The success of the Mirai attack has not only encouraged others, but also made the code readily available to reuse and learn from.”
It recommended that developers, app store curators, device manufacturers, and security vendors should work closely together, transparently share threat intelligence, and rapidly address security vulnerabilities “to keep this marketplace healthy”. ®