X

For CES 2018, security of connected devices still a core fear

Internet-connected devices will be all the rage at CES, but security experts see the trend setting us up for future attacks.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
6 min read
James Martin/CNET

CES, which kicks off Sunday, is supposed to be about making your life better with technology.

An internet-connected ball that watches your pets. Beauty care that uses connected devices to personalize hair products. Connected sensors for your home water system to combat leaks and waste. Even Las Vegas, the city that plays host to CES, the world's biggest consumer electronics show, is embracing the internet of things to become a smart city

While gadget makers see such devices powering our future, security experts view the potential pitfalls from all those connected gadgets as more of a sleeping giant. And watch out when it wakes up.

It's the dark side of connected devices that nobody wants to talk about during a week when the consumer electronics industry beats the drum about smart homes, connected cars and everything else. Hackers often go after the weak link of a security chain, and the attacks over the past year have increasingly shown that it's internet-of-things devices with questionable defenses that make for easy targets.

It's not like the public doesn't understand. While consumers see the benefit of connected devices, only about one in 10 people said they fully trust the gadgets to keep them secure, according to a survey from Cisco.

What they may not grasp is the sheer flood of products coming to the market. In 2017, there were 8.4 billion connected devices. The volume is expected to hit 20.4 billion by 2020, according to analyst firm Gartner. The defensive capabilities of these devices will vary greatly.

"It's hard to evaluate the security of a camera, or a doorbell, or something you put in an industrial machine," said Michael Kaiser, the executive director of the National Cybersecurity Alliance. "The surface is growing quickly and I think people are concerned."

Hackers have known about IoT devices' weak defenses for a while, taking control of single-purpose gadgets like cameras and DVRs around the world to create botnets, a vast army of devices they can use to launch attacks online. In October, for instance, researchers at Netlab 360 discovered the IoT_reaper botnet, which was hijacking more than 10,000 devices a day.    

Corero Network Security estimated that companies get hit with eight attempted distributed denial-of-service attacks a day, a phenomenon it attributed to the growing number of unsecured IoT devices.

Weak IoT devices are what led to a massive internet outage in 2016, when the Mirai botnet -- using thousands of hacked DVRs and webcams -- assaulted servers in New Hampshire. Hacking IoT devices was even a major plot point in the latest season of HBO's "Silicon Valley." (Spoilers ahead!)

For security experts and hackers, CES is more of a preview of vulnerabilities on upcoming products rather than a peek at new gadgets. The flood of gadgets every year at CES with the lack of security is becoming "problematic," said Ashley Boyd, vice president of advocacy at Firefox maker Mozilla.

She said there have been too many IoT products and and not enough customers who know what they're getting in terms of privacy and security. It's what led her to help build *Privacy Not Included, a guide to what IoT devices are secure and how much they know about you.

"Many of the products that are higher-end do have protections, but most of the cheap ones don't," Boyd said.

Outdated gatekeepers

New IoT devices may be secure at CES and when they hit the shelves, but that's only as long as people continue to update them. There are always newly discovered vulnerabilities, and once a device misses a security patch, it's only a matter of time before it's open to the latest exploits.

That's why millions of IoT devices were considered "ideal targets" for KRACK attacks, which exploit a vulnerability in Wi-Fi systems, even as that flaw was patched almost immediately on computers and phones.

The issue comes from both ends. Companies can be slow to send updates, or they flat out stop updating older devices. People often ignore update prompts or don't even know they're available.

"If you need to take additional steps to update it, that's an insecure device," said Alex Balan, a chief researcher for security company Bitdefender. "That's something that will eventually get hacked."

Balan saw it first-hand with a critical vulnerability the company discovered in 2016 on a smart plug. The flaw allowed attackers to take over all your outlets remotely and shut off the power. Bitdefender contacted the manufacturer, but when its update came, it was a file that could never be applied, Balan said. Bitdefender didn't reveal the name of the smart plug maker.

"They pushed an update, but literally nobody applied it," Balan said. He even tried applying it himself and found it impossible.  

Even if the companies push out updates, if people aren't applying them, it's meaningless. Kevin Haley, a director of security response for the security company Symantec, said his advice on IoT devices has mostly fallen on deaf ears.

He said the issue comes from a lack of simple solutions, those that come automatically without you having to worry whether your smart refrigerator has the latest patch. He noted that it's not realistic to expect everyone to become security experts, and it's the industry's responsibility to make it as easy as possible for customers.

"We put together best practices for IoT devices and the first one was to research the manufacturers," Haley said. "I don't think anybody does it."

Creating an ecosystem

So if security updates are the only line of defense for IoT devices, and an embarrassing track record shows that they're mostly ineffective, why are so many companies relying on them?

"We're putting Band-Aids on things," said Phil Reitinger, the president of the Global Cyber Alliance. "The only solution in the long term is we build an ecosystem that defends itself."

Security researchers like Balan and Haley are looking for a different way to prevent hackers from attacking IoT devices, focusing on the source: the connection online. In this ecosystem, you'd protect the source, where all the devices in the home, including phones and computers, connect to, instead of securing every single gadget.

Both Bitdefender and Symantec have their own internet security hubs, essentially serving as routers with defenses built in. It means that even if your IoT device is outdated, if it's connected to their secure router, it should remain safe.

nortoncore07-1.jpg

Symantec introduced the Norton Core at last year's CES, looking to secure IoT devices at the source.

Symantec

Symantec introduced its Norton Core at CES 2017, a $200 router that costs $99 a year to keep up with security updates. All traffic headed to the connected devices has to go through the router, including attacks. That means it's watching out for the latest exploits.

The subscription fee is for security experts who pay attention to the latest exploits and make sure any devices connected to the router are protected. Haley said the average house using Norton Core has seven connected devices.

That would mean instead of updating seven different devices -- if they even get them -- you just need to worry about the router.

Bitdefender Box 2 package

Bitdefender Box 2 offers security for outdated IoT devices, with a $99 yearly subscription. 

Bitdefender

Bitdefender is taking a similar approach with its $250 Box 2, which CES named an honoree in innovation for cybersecurity for 2018. The subscription fee is also $99 a year. It can tell when attacks are coming over the network, and Bitdefender security researchers are also paying attention to new exploits. 

"We know how the vulnerabilities can be exploited, and we update to block for those types of attacks," Balan said. He said these automatic updates can come as frequently as once every three hours.

By making the updates automatic, Balan said, the device avoids the complicated pitfalls that so many IoT devices suffer from. And he noted that Box 2 would never stop receiving security patches. In fact, he said he'd rather see the product die out than ever see it hacked.

"We would rather lose the customer who doesn't upgrade to a new version, kill the product, than have a vulnerable product on the market," Balan said.

IoT is set for a rapid expansion, and it would be an exhaustive effort to make sure every single one of the billions of devices headed on the market will be secure for the rest of their digital lives.

For security companies showcasing their gadgets at CES, they're hoping their subscription-based defenses will be enough to keep that "sleeping giant" from waking up.

"It's going to have to be people like us providing simple solutions," Haley said. "We're not going to turn every person into a security expert. It's not realistic." 

CES 2018Stay tuned to CNET for all of the big news from the show floor.

The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.