ISSUE 378|COMPUTERSHOPPER|AUGUST 2019
WHAT’STHISNOW?
Right, you know all the smart speakers, connected fridges, cameras and
robot vacuum cleaners that you can easily wasteahealthy amount of
moneyonfor tech kudos? Well, there’s agood chance theyaren’t
particularly secure and could be hacked either directly or through
the network theyare connected to.
That’s not to sayyour Google Home or Amazon
Echo speaker is ahacker’s delight, but securing such
devices can be tricky, as smart home technology is
still rather new and the sector is filled with all
manner of companies making their own smart kit.
This is good news forpeople who want asteady stream
of new gadgets, but it’s bad news forfolks paranoid about
security,asthere aren’t really any solid widely adopted standards
of security forthese gadgets to conform to.
And then there are small internet-connected devices that fall under
the Internet of Things (IoT)banner,including networked sensors.
These devices don’t always have the space or onboard processing
power to secure and encrypt the data theysuck up and communicate
back across anetwork or the wider internet.
SOUNDSWORRYING...
It is alittle,which is why the UK government is trying to set some
proper standards that smart home and IoT device markers will need to
conform to if theywant to peddle their wares to us.
Last year,the government’s Department forDigital, Culture,Media
and Sport published acode of practice forensuring that security was
considered at the design stage of smart and IoT devices, rather than
slotted in as an afterthought or ignored.
This ‘Secure by Design’code of practice was voluntary,although
companies including Samsung, Panasonic
and Hive quickly adopted it. But it doesn’t
force device makers intocomplying with its
security guidelines.
The government is now looking at
introducing alabelling scheme whereby
devices that conform to security standards
are clearly marked, therebyallowing
consumers to separatethem at aglance from
devices that don’t have up-to-scratch security.
ABITLIKECEMARKS?
Pretty much. These secure labels will work in asimilar waytothe
certification mark that shows an electronic device conforms with
the health, safety and environmental protection standards of the
European Economic Area.
What isn’t clear under the label proposals, which are at the time of
writing undergoing public consultation, is what will happen to devices
thatdon’tconformto thesecuritystandardsandthusdon’tgetlabelled.
If the labelling is enshrined intoUKlaw,itcould mean that retailers
might be forced to yank devices that don’t have the security label off
the shelves. Or it could mean that devices with the labels will end up
with acompetitive advantage over those that don’t, as people are likely
to choose amore secure device over one with less protection.
THISSOUNDSPRETTYSENSIBLE,RIGHT?
Yes, at least on the surface.It’s astepinthe right direction when it
comes to smart tech and IoT device security,atleast in the opinion
of Dr Ian Levy,technical director at the National Cyber Security
Centre (NCSC).
“Serious security
problems in consumer IoT
devices, such as preset
unchangeable passwords, continue to
be discovered, and it’s unacceptable that these are not being fixed by
manufacturers,”hesaid.
“This innovative labelling scheme is good news forconsumers,
empowering them to make informed decisions about the technology
theyare bringing intotheir homes.”
There are afew caveats, the first being that such labels aren’t a
guarantee of robust security as dodgy hardware makers could simply
fake them in the same wayCElabels get
faked. The second issue is who’s going to take
responsibility forchecking devices conform to
the government’s security standards.
It might be acase that companies
self-certify,which could be amurkybusiness,
or an independent body might be needed to
check that the standards are being met and
are updated to reflect the changing nature of
technology and evolving cyber threats.
There’s potential here,and we stress we’re basing this on
speculation, that hardware makers will have to spend more time and
effort intomaking their gadgets more secure and thus need to ramp
up the cost of their products. This opens up the possibility of having
amore secure device that might cost more than one that’s easily
hacked but comes at atempting price.ISSMARTDEVICEHACKINGREALLYATHREAT?
If amalicious hacker were able to get access to asmart thermostat,
theycould playhavoc with ahousehold’s heating, potentially ramping
up energy costs or damaging the system. But other than messing with
someone’s life, there’s not alot forahacker to gain from that.
However,hackers could also use smart devices as away of
infiltrating ahome network and then snoop or steal data flowing
across the network, snatching unencrypted passwords and login
credentials foronline services.
Another and perhaps more surreptitious hack is one that hijacks a
smart device and uses it to form abotnet, avast network of devices
with some level of computepower that can be used to fuel distributed
denial of service attacks or spread malware at high volumes.SmartdevicesecuritylabellingThegovernmentwants to setsecuritystandards forsmart and IoTdevices“It’s unacceptable thatserioussecurityproblems in IoT devices arenot being fixed by manufacturers”