A study was conducted into the security level of a number of IoT devices, ranging from children’s GPS watches, through sex toys to baby monitors. From a relatively small pool of devices the research group found 27 serious vulnerabilities that put the devices – and potentially the users – at risk.
Once discovered, full details of these vulnerabilities were submitted to the relevant manufacturers. The responses from many of the manufacturers were disappointing. Some refused to acknowledge there was a problem, others took no action at all and some simply did not respond.
Every day new IoT devices are released to the marketplace. Many of these are designed to work with other devices, with complex interactions between each and the wider Internet. So it is important – no, crucial – that as part of the development process cyber security is high on the agenda. New devices need to be designed not only with an awareness of the latest vulnerabilities but also with a fundamental regard to safety – the safety of the Internet and the user. As an organisation dedicated to cyber security, we find it alarming that there is a very lax approach to security from so many vendors.
The adage ‘prevention is better than cure’ is particularly valid here and we always advise that the safety of a product is considered as an important aspect of the development process. Despite many high-profile cases of devices that have failed in terms of cyber security, it is still the case that often a manufacturer will prefer functionality to safety. In the long term, this creates safety risks for both customer and manufacturer.
The Importance of Cyber Security
Molenaar believes that product manufacturers should be obliged to provide products with security updates throughout their entire useful life. In addition, they must immediately inform the customer of any vulnerabilities found in their products. Products that, despite these protections, are still unsafe from a cyber security or safety perspective should disappear from the market. In the United States there are already some states where ‘reasonable security’ is required by law. Within Europe this legislation is less advanced.
However, the marketplace, and particularly retailers, are becoming more aware of the risks. For example, online retailer bol.com sold two unsafe devices, the Sannce Smart Baby monitor and Svakom Siime Eye vibrator. Both failed security tests and you can no longer buy either product from them.
“It’s good to see that when manufacturers don’t take action, retailers stop selling these products!” - Willem Westerhof, Hacking & Testing, Eurofins Cyber Security. The input and feedback from a retailer, whose reputation, along with the manufacturer’s, is likely to be affected by substandard products, is increasingly important.
If you do not have the right knowledge with respect to safety and cyber security then please talk with us, and we will be happy to help, whether it is an informal discussion or the design of a more formal test plan.
Our hack tests can help you identify the problems and vulnerabilities before cyber criminals discover them. In addition, we of course also give you advice on how the vulnerabilities can be solved in the device tested and how you can prevent similar vulnerabilities in future products and devices. By working in this way you, as a manufacturer, will have the assurance that you are bringing the safest products to the market.