Toy case highlights security concerns

Posted On 11 Feb 2016

Over the last year or so at PSI we have welcomed the opportunities presented by the Internet of Things and the home automation market for the security industry in general. While some installers feel that the huge (but still rather lower than expected) growth in demand for integrating much of our home heating, lighting, ventilation, security etc. using a smart device is actually a threat to the professionally installed system, there are definitely opportunities in certain areas.

Perhaps the biggest winners in the IoT market will be the technology manufacturers, as we see plenty of companies we already associate with professional CCTV systems launching products, often under a different name, into the growing sector. However, there is still a major cause for concern for the smartphone/tablet controlled security sector, and again it’s one we’ve covered on a number of occasions: the security of the security product.

Remote access to technology means that systems need 24/7 access to the web, and this is an area that has IT experts a little worried: we are opening up new avenues of attack via the network, and if intruder alarms and access control systems are sat on the same IP then security could be compromised. This sort of thing could seriously damage a company’s reputation if the system is found to be less than secure and the mainstream media hit upon it, especially as we are still hearing stories about data breaches with IP equipment. Consider the troubles that toy manufacturer VTech is currently experiencing – and these problems are from toys!

According to the BBC, cybersecurity experts have said parents should boycott or at least be cautious of VTech’s electronic toys because of how it has handled a hack attack. They gave the advice after it emerged that VTech’s new terms and conditions state that parents must assume responsibility for future breaches. More than 6.3 million children’s accounts were affected by last year’s breach, which gave the perpetrator access to photos and chat logs.

David Gibson, VP of strategy and market development at data security company Varonis, said: “Protecting customer, partner and employee data is a business requirement. Imagine if all the medical history questionnaires you fill out at the doctor’s office had a big warning on top, ‘If someone steals the information you provide here, it’s your problem.’ Or a store saying, ‘feel free to use your credit card, but we’re not responsible if someone figures out how to steal the number from our systems.’ Would you still do business with them? Shouldn’t digital information about children be treated with at least the same care? It’s possible that VTech may have run afoul of the US’s COPPA laws for protecting children’s data. The larger point is that consumers should expect reasonable data security without having to be personally liable.”

Perhaps the most chilling comment for those dipping a toe in the manufacture of IoT security technology comes from a VTech spokesperson saying: “No company that operates online can provide a 100% guarantee that it won’t be hacked.”

Javvad Malik, Security Advocate at AlienVault said: “This is a bad stance for a company to take. It’s trying to take a completely zero accountability approach to a product they are selling. On top of that, it could potentially set a terrible precedent for other technology companies.”

Tom Lysemose Hansen, founder and CTO of app security firm Promon, commented: “Introducing a single object into a wireless network that is inadequately protected is a straightforward way of exposing personal data to an intruder. Part of the vulnerability is due to the ease with which consumer goods can be cracked. If the default passwords are not changed – and I suspect with children’s toys this is the case – bypassing them is relatively simple. A patch can be introduced retroactively, but until then, the device could be a single entry point into an entire private network, enabling hackers to uncover sensitive data or relay false information. The model of using default passwords must be put to bed if IoT is to become an integral feature of domestic life, otherwise its associated dangers will overwhelm any perceived benefits.”

According to Gartner, by 2020 a black market worth more than $5 billion will exist to sell sensor and video data extracted from IoT devices. This data will allow criminals to access privately held consumer information through man-in-the-middle attacks, where attackers can drain data from customers’ accounts through an approved external request.

Tom Lysemose Hansen said: “The developers of applications are all too eager to crack the simplest and least demanding way of controlling a device remotely but, in order to maintain IoT’s pace of growth without muddying its image, adequate security must be developed in tandem. While the implications of a hacked banking application are widely recognised, wireless consumer goods now pose an uncertain threat.”

It’s relatively early days for the IoT/home automation element that includes security systems, and there are clear splits in what the professional security sector feels about it (check out the February 2016 edition of PSI magazine). But if the defence of a manufacturer is that nothing is 100% secure, then we need to make sure security is not being compromised by trying to add security.