The ‘Olivia’ Experiment Part IV: A Personal Security Crash Diet
Editor's note: This series of articles is written by an anonymous Rapid7 employee who is referred to as "Olivia" throughout. Tod is credited as the author of the series because he was involved in its creation.
Oh hello! My toaster told me you were coming (thanks for the heads up, smart toaster!). It’s Olivia, back with the fourth installment of my extreme security diet stemming from National Cyber Security Awareness Month, AKA NCSAM, with Internet-connected devices, AKA The Internet of Things, AKA IoT. If you missed my previous entries, you can catch up on Part One: Maintenance, Part Two: Social Sharing & Travel, and Part Three: Privacy & Backups.
I’ve covered a lot of ground on security practices as they relate to mobile devices and computers/laptops over the past few blogs. Today takes a bit of a different turn from my typical "diet," as I’m looking into some of the relatively new devices that connect to the Internet. IoT includes things like smart speakers, fitness trackers, smart thermometers, smart appliances, GPS systems, connected cars, etc. Basically, if it connects to the Internet and it’s a thing, it falls into the “Internet of Things” bucket. Our head of IoT research wrote a great blog defining IoT if you’re interested in learning more about what makes the cut and what doesn’t.
Now, like the Internet itself, very few of these devices were built with security in mind. They’re (mostly) powerhouses when it comes to usability: voice ordering, snooze tracking, perfect toast, a ready-made grocery list. It would be a much longer blog if I were to evaluate the security risks and recommendations of the devices you might use—also ever so slightly out of my wheelhouse. Instead, for this diet, I'll be testing out the buying process for a few different categories of IoT devices to illustrate how easy—or not—it is to find security information when evaluating connected devices. As a baseline, I previously owned none of these contraptions, so you’re getting a fresh perspective on the process of shopping IoT.
Sidebar: the most common device in each of these categories is a literal household name—they’ve been Kleenex/Xeroxed to the point of not really having a standard category name. With fairness and unbiased reporting in mind, I looked at the top competitors in each category, so you’re looking at an amalgam of popular devices below. Science!
No, not an orator who knows the difference between “who” and “whom,” or about quantum mechanics – I’m talking about the smart home devices that are always listening for a cue to play music, take a note, send a message, kill your enemies (just making sure you’re paying attention). While the features page touts advanced capabilities like controlling lights, adjusting temperature, hands-free calling, interactive kids’ games, speech pattern adapting, and multi-microphone listening, the security features are nowhere to be found. The only passing mention of security on one is that, because it “is always connected, updates are delivered automatically.” Automatic updates are, of course, a good thing (see Part One), yet reading “always connected” in the context of security sounds more like a threat than a benefit. Now, this is not to say that these devices don’t have security, just that it’s nearly impossible to discern how good it is by perusing the company’s website. Remember when I said most IoT is designed with ease of use rather than security in mind?
Like most big purchases, relying 100% on the seller’s website for the full picture isn’t the best idea. Hell, I crosscheck against Yelp reviews for new restaurants, and the most personal information they get from me is my preference for french fries. A quick search for “[insert device] + security” returns top news from tech outlets like Wired and Gizmodo on the devices, how they handle security, and whether any vulnerabilities have been reported (see pro-tip below). This is a good starting point for red-flag news articles, but it also turned up some pages about security on the company’s own website that weren't easily navigable from within the site itself.
Back to the security/privacy for ease of use conversation that we’ve had a few times: deciding to use an always listening smart speaker is no doubt a security trade-off. However, they are insanely helpful, popular, and make life easier. By and large, the takeaway here is awareness: read as much as you can before buying (especially when security information isn’t particularly easy to find), mute the device when not in use (see this article on hardware mute vs. software audio tapping), and use automatic updates to check the big, important box of ongoing security support.
Following the same pattern as the connected-home devices, a thorough reading of the features and specifications for fitness trackers showed no head-on mention of security features or how to secure your device. While a fitness tracker won’t be eavesdropping on everything within microphone-shot, most do include heart rate tracking, sleep analysis, weight progress, and some even have GPS. The hardware generally has limited memory – one says 14 days – but app connectivity allows that data to live longer.
When I stumbled across the community forum of one fitness tracker site, I searched for “security.” Disappointingly, although not shockingly, four out of five entries were inquiries into whether the wristband stayed “secure” while running. The fifth, while a security-related question, quickly evolved/devolved into a debate on whether it is the company’s responsibility to keep data secure at all. Not reusing passwords with the same login/email as other accounts was suggested (gold star!), but the net from the users was if-you-don’t-like-it-delete-your-account.
Author's Note: Our own Rapid7 research has shown that a lot of devices that are designed to track objects tend to have security and privacy issues on the app interface, which ultimately leads to unwanted, unintended public location sharing. So, it’s not like these issues are unprecedented, but without some pretty specialized skills in information security research and IT forensics, it’s really difficult to tell if an IoT device’s app is doing all it can do to keep my data safe and sound.
Does that need to be on the Internet? Bluetooth-brush Edition!
Once you get past the two big categories of smart speakers and fitness trackers, I found that the popularity of IoT devices really fractures based on who you are and what your day-to-day life includes. To determine the third IoT category for exploration, I reached out to some coworkers to find a device to delve into that, while seemingly unnecessarily connected to the Internet, has nonetheless been purchased.
Enter, the Internet-connected toothbrush.
This particular toothbrush had a straightforward reason behind the buy: it was less expensive than its non-connected electric brethren. The Wi-Fi-tooth-washer is touted as the world’s first "interactive electric toothbrush,” and a perfect addition to the “well-connected bathroom.” Quite the feat, I’m sure you’ll agree! The only passing mention of security is an encouragement to keep the accompanying app updated, although a quick search in the app store shows that the version referenced is two behind. Awkward. For these types of appliances, however, my question isn’t “How much damage could a hacked toothbrush do” as much as it is “Why?”
An attacker most likely wouldn’t hack your toothbrush software to rev it up to an enamel-destroying fury, but the trouble lies in the sum-total of your IoT footprint. While getting ahold of your toothbrush, refrigerator, toaster, etc. might not be the payout for an attacker, it could be a feasible entry point to your network and more important information—especially if you reuse passwords! If you don’t need it, turn the Wi-Fi/Bluetooth off and skip it.
Once more for the people in the back: the majority of IoT devices I looked at appear to rely solely on regular app updates for their security. Back to Week One again, keeping apps updated, especially when they’re directly gathering information from you via a device, is essential. Do it, do it.
Pro-Tip: IoT Consumer Evaluation 201
Tod’s IoT purchasing recommendation is to look at CVEs. CVEs are security industry 101, but advanced-level for consumer security. CVE stands for Common Vulnerabilities and Exposures and is essentially a coded list of potential security problems. If a hole is found in the software of a device and reported to the Department of Homeland Security, which sponsors the CVE, it will be added to the list. It is a long list. A lot of CVEs have since been fixed—looking up their entries will tell you this—and some have not, i.e., they are still unsolved threats.
For IoT devices, Tod’s security expert recommendation is to check the CVE library for the device you’re looking to buy. If it has no CVEs, it’s probably too early in the device's release for anyone to have found them… I would hold off on purchasing. All software has holes. If there are multiple unfixed CVEs, that reflects poorly on the manufacturer’s commitment to security... again, I would hold off. The sweet spot is having a few fixed CVEs, which shows that the device has been security tested AND that the company is responsive to security issues. Win-win.
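As an added illustration of the rule of thumb above (example code, not part of the original post or of Rapid7's tooling), here is a first-pass check that applies it to NVD-style CVE records for one product. The sample data is constructed in the shape of an NVD API 2.0 response, and the product and CVE ids are placeholders; the "fixed" test (a vulnerable version range bounded above) is an assumption about how a shipped fix usually appears in such records, so it is a starting point for reading the entries, not a substitute.

```python
"""Added example, not from the original post: a first-pass check of Tod's
CVE rule of thumb over NVD-style records for one product."""
import json

# Constructed sample in the shape of an NVD API 2.0 response (assumption:
# real data would come from https://services.nvd.nist.gov/rest/json/cves/2.0
# filtered by cpeName). CVE ids and the product name are placeholders.
_CPE = "cpe:2.3:o:example:smartbrush_firmware:*:*:*:*:*:*:*:*"
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True, "criteria": _CPE, "versionEndExcluding": "2.1.0"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True, "criteria": _CPE, "versionEndIncluding": "2.2.0"}]}]}]}},
    # No upper bound on the affected range: every version is still listed as hit.
    {"cve": {"id": "CVE-0000-0003", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True, "criteria": _CPE}]}]}]}},
]})


def fix_available(cve: dict) -> bool:
    """Treat a CVE as fixed when some vulnerable CPE range is bounded above
    (versionEndExcluding/Including), i.e. a patched version is known to exist."""
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if match.get("vulnerable") and (
                        "versionEndExcluding" in match or "versionEndIncluding" in match):
                    return True
    return False


def assess(nvd_json: str) -> tuple:
    """Return (verdict, fixed_count, unfixed_count) following the post's rule:
    no CVEs -> too early; multiple unfixed -> hold off; a few fixed -> sweet spot."""
    records = [v["cve"] for v in json.loads(nvd_json)["vulnerabilities"]]
    fixed = sum(1 for cve in records if fix_available(cve))
    unfixed = len(records) - fixed
    if not records:
        verdict = "hold off: no CVEs yet, too early to judge"
    elif unfixed >= 2:
        verdict = "hold off: multiple unfixed CVEs"
    elif fixed >= 1:
        verdict = "sweet spot: tested, and the vendor ships fixes"
    else:
        verdict = "unclear: a single unfixed CVE, read the entry"
    return verdict, fixed, unfixed


if __name__ == "__main__":
    print(assess(SAMPLE_NVD_JSON))  # ('sweet spot: ...', 2, 1)
```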
Stay tuned to VentureFizz as my “Security Crash Diet” continues to roll on!