A study was conducted into the security level of a number of IoT devices, ranging from children's GPS watches to sex toys to baby monitors. From a relatively small pool of devices, the research group found 27 serious vulnerabilities that put the devices, and potentially their users, at risk.
Once discovered, full details of these vulnerabilities were submitted to the relevant manufacturers. The responses from many of the manufacturers were disappointing. Some refused to acknowledge that there was a problem; others took no action or did not respond at all. Luckily, there were also some who patched the vulnerabilities and thanked us for our work.
Every day, new IoT devices are released to the market. Many of these are designed to interact with other devices, with complex interactions between the devices themselves and with wider internet services. It is therefore crucial that cyber security is high on the agenda during the development process. As an organization dedicated to cyber security, we find it alarming that so many vendors take such a lax approach to security.
The adage "prevention is better than cure" is particularly valid here, and we always advise that the security (and safety) of a product is treated as an important aspect of the development process. Despite many high-profile cases of devices that have failed in terms of cyber security, many manufacturers still prioritize functionality over security, shipping "functional" but vulnerable devices to the market. In the long term, this creates security (and sometimes safety) risks for customers, manufacturers and society as a whole.
Molenaar believes that product manufacturers should be obliged to provide products with security updates throughout their entire useful life. In addition, they must immediately inform customers of any vulnerabilities found in their products. Products that, despite these protections, are still unsafe from a security perspective should disappear from the market. In the United States there are already some states where "reasonable security" is required by law. Within Europe this legislation is still under development, but it is expected to arrive in late 2020 or early 2021.
Luckily, the market in general, and retailers in particular, is becoming more aware of the risks. For example, online retailer bol.com sold two unsafe devices that would not receive any updates from the vendor: the Sannce Smart Baby monitor and the Svakom Siime Eye vibrator. Following the report, both devices were withdrawn from the market and are no longer being sold by bol.com.
"It's good to see that when manufacturers don't take action, retailers stop selling these products!" - Willem Westerhof, Hacking & Testing, Eurofins Cyber Security.
If you do not have the right in-house knowledge regarding cyber security, then have a chat with us; we are happy to help!
Our hacking tests can help you identify the problems and vulnerabilities before cyber criminals discover them. In addition, we give you advice on how the vulnerabilities can be fixed in the device tested and how you can prevent similar vulnerabilities in future products and devices. If you want, we can also determine whether you are compliant with one of the many IoT security standards (ETSI, ENISA, DCMS etc.) out there. By working in this way you, as a manufacturer, will have the assurance that you are bringing secure products to the market!