As the research lead for IoT technology at Rapid7, I am often asked what consumers should do to protect themselves when purchasing and using IoT technology—particularly as the holiday shopping season kicks off on Black Friday.
This is a very difficult question to answer, as vetting technology often requires highly technical knowledge and an in-depth understanding of security topics and vulnerabilities. However, in our increasingly technical world, it’s becoming critical to gain some exposure to these concepts so you can better understand the issues and make more informed decisions.
To start, I recommend adding security to the list of things to investigate as you start to research products for the latest and greatest features. The following are some tactics you can use to determine the security of IoT products and environments:
Research product vulnerabilities
You can learn a lot about a vendor and its security mindset by researching past product vulnerabilities and how the company responded. For example, when looking at purchasing any smart technology such as TVs, Bluetooth speakers, home automation technology, and smart appliances, start the process by googling the following:
Vendor name + product type or model number + keywords such as “vulnerability,” “exploit” and/or “security”
Now, don’t be shocked if your search returns a list of issues and vulnerabilities—that’s fine. You can expect to see vulnerability findings reported over the years in most products. What you should look at is how the vendor handled those issues. Did they fix them? And if so, did they fix them quickly on their own, or only after researchers published the vulnerability information?
Vendors that quickly patch their reported vulnerabilities should receive an A grade. Those that don’t patch quickly should receive a B. Those that don’t patch until they are forced to get a D, and those that make no effort to fix their vulnerabilities at all should be avoided at all cost.
Evaluate how vendors approach security
I also find it valuable to know whether vendors have a proactive security program that shares information about their product security and makes it easy for security researchers or consumers to report any discovered security issues. Again, this can often be quickly discovered with a Google search, such as the following:
Vendor name + keyword of “security” or “report security vulnerability”
For example, here are a few vendors and their approaches:
Unfortunately, not all manufacturers have advanced their security program to support security-minded researchers and buyers, so it can be difficult to track down the needed information on vendors’ product security and ways to report an issue. Or, in some cases, the information may exist online but is not accessible in a user-friendly way. If this is the case, you can also track down a vendor’s policy and security-related customer report information by emailing customer support or posting on customer message boards.
Don’t hesitate to contact vendors about their approach to security. If they are not willing to share information and help you, it’s a good indication that they may not put security high on their priority list and that you should probably avoid their products.
Treat the user manual as a security resource
Product user manuals are another valuable resource that can be used to make yes/no buyer decisions as it relates to security. Most (if not all) vendors now publish their product user manual online.
To dig into this further, I took some time to peruse a few product manuals for some smart TVs currently on the market. I wasn’t looking for vendors to tell me how great their security was—I wanted information that would add value and possibly teach me about what security features they have and what I should know as a consumer.
For example, as I looked through the manual for a Sony TV, a couple security-related recommendations were provided to the customer, such as the following:
“For security purposes, be sure to remove all personal and account information before discarding, selling, or passing your TV to someone else by: unlinking/unregistering, signing out of and deactivating all network services, as well as factory reset the TV.”
“When [A new TV system software update is available…] message is displayed, Sony strongly recommends you to update the TV software by selecting [Update Now].”
Recommendations such as these are very important for customers to maintain their personal privacy and the product’s security.
Research product security patching
Patching products to avoid security issues is critical. Never assume a product you have purchased is currently patched to the latest security level.
For example, a recent non-brand-name IP camera I purchased never prompted me for updates during installation but was later found to be vulnerable to an unauthenticated remote code execution vulnerability (CVE-2017-17105).
Quality branded products will most often prompt you during setup to update to the latest firmware, but this isn’t always the case. So, while installing all new purchases, make sure you update even when not prompted. The management or installation application will most often have a feature for checking updates, so make sure you force a firmware update check and installation.
When it comes to purchasing smart technology for personal use or as gifts, I always recommend buying brand-name products. Cheap, off-brand products may work perfectly fine, but they can often have substandard security. Brand-name vendors have a reputation to protect and are often a little more proactive with their product security and quicker at fixing security problems when issues do arise.
When it comes to deciding which smart technology to purchase this holiday season, taking additional steps to ensure device security can help keep you and your loved ones more secure. Also, if you are buying tech as a gift for someone else, be sure to share the details of your product security investigation. This way, they can benefit from your research and further understand the importance of security.