Christmas gifts: are connected objects secure?
This year, connected objects will be under almost everyone’s tree. Beware: by default, they are not secure.
According to IDC, 50 billion connected objects will be in circulation by 2025. By way of comparison, there are 7.8 billion human beings on Earth in 2020. In five years, therefore, there will be almost seven times as many connected objects as men and women.
The success of connected objects is explained by the appearance of new applications for this technology, but that’s not all: connected objects are remarkably affordable. That advantage is also one of their main weaknesses, as manufacturers opt for inexpensive devices and continue to invest little in securing them.
What are the most common weaknesses found in connected objects?
Connected objects suffer from the same weaknesses as most computer equipment. First of all, there are no passwords (or only default passwords) protecting the object’s settings, its usage, and the connection settings it stores (a Google account, for example).
In addition to these weaknesses, some objects include unsecured connections and components that aren’t controlled. One example from last year is a connected cooking robot, sold in European supermarkets and designed to be a low-cost version of the Thermomix. This popular kitchen appliance costs more than 1,000 euros, while Lidl’s version, called “Monsieur Cuisine Connect”, costs 359 euros. Here, an attractive price means lower production costs.
In June 2019, Numerama’s journalists wrote: “We discovered certain features from the device that raised suspicions. Our investigation showed that a microphone was installed in the Mr. Cuisine Connect, its presence was not indicated, and had no apparent purpose”.
And the article goes on to say: “The existence of this unmentioned microphone could have much more severe consequences if someone attempted to hack the device. However, as Alexis Viguié and Adrien Albisetti [the two experts who discovered the microphone] observed, Monsieur Cuisine happens to be running an older version of Android, Android 6.0, with security patches dating back to 2017, which makes the device vulnerable to attacks.”
Why put a microphone in a cooking robot? An article in the French newspaper “L’Express” explains: “The goal is not to bug Cuisine Connect owners, but simply to accentuate its connectivity by having a voice command […] The voice command feature should have been mentioned from the get-go of Mr. Cuisine Connect’s commercialization, but this could not be done for production reasons and lack of time”.
It was cheaper to choose ready-made electronics and a smartphone operating system than to design them. According to a cybersecurity researcher interviewed by ZDNet, “developing a secure communicating product costs at least 10 to 15 percent more than the same unsecured product.”
Connected objects: what are the risks?
While cybersecurity seems to be a distant concern for the public, the risks to consumers are very real. Robot cookers with weak components are far from being an isolated case. Often, connected objects are used as a gateway by cybercriminals whose attacks are not always detectable (or detected). As a result, these objects continue to work without alerting their owners while hackers break into the owners’ network and steal their data. Similarly, any object with a camera or a microphone can become a little spy if it is remotely reprogrammed.
It should be noted that since connected objects are often built from the same hardware or software, the risk of a large-scale threat is very real. Risks to the owner’s physical integrity are much rarer. It should also be noted that cybersecurity researchers have analyzed many connected healthcare devices. In one of the best-known examples, an American manufacturer had to recall its pacemakers because they could be stopped remotely.
Connected objects: what are the best practices for everyday use?
Don’t panic, though! There are good practices that can prevent most of the risks mentioned in this article:
- View and customize object settings: change passwords and PIN codes, and disable unused connectivity (Wi-Fi, Bluetooth) or the sending of technical data to the manufacturer.
- Don’t bounce from one application to another: connected objects allow you to connect to an application with a Facebook or Google account. It’s preferable to create a dedicated login and password for it instead. Ideally, you want to make them difficult to guess and change them regularly.
- Use different passwords for each application or website: many password management applications exist. KeePass, among others, allows you to generate and store passwords securely.
- Update objects as often as possible: in the vast majority of cases, cybercriminals take advantage of outdated software.
Connected objects and default security: dream or reality?
In a report dedicated to connected objects published by Usbek & Rica, the following sentence was highlighted: “We’re still in the prehistory of connected objects”. A simple but true statement. According to a Gartner study, published in Les Echos, “by 2022, half of all security budgets for the IoT [Internet of Things] will be spent on fixes, recalls and security issues rather than on protection.”
As a result, players are beginning to position themselves in the market for securing connected objects. BlackBerry, long known for its keypad phones targeting executives, is gradually moving into this new sector. “By 2025, there will be at least 75 billion connected objects in the world, but a single vulnerability could expose them all to a cyber risk,” explained John Chen, CEO of the Canadian firm. His idea: create a platform dedicated to the security of connected objects. “This is aimed at the manufacturers of tomorrow’s connected objects who will want to ensure their products’ security (cars, medical devices, etc.) according to BlackBerry standards. But also for organizations that want to manage and track the use of objects in their factories (robots, sensors) or their employees’ hands (smartphones, computers),” analyses Les Echos.
BlackBerry is not the only company to capitalize on IoT security. Cybersecurity vendors such as Managed Security Service Providers (MSSPs) have been working on security standards for a long time.
Orange, via Orange Cyberdefense and Orange Business Services, is currently developing a security reference system proposed by the GSMA (Global System for Mobile communications Association), covering objects, applications, and networks. The reference system is already used for internal IoT risk analysis processes, and Orange’s objective is to make connected object manufacturers aware of the need to use such a system when designing their products.