Cyber Resilience

IoT: Never assume, never trust, always verify

22 November 2021 | Scott Nursten

How to stay secure when even your fridge can hear you

Internet of Things now has many names: Internet of Operational Things, or Industrial Things. Perhaps the most fitting term for our hyper-connected world is Internet of Everything.

Any home could now contain a smart fridge, smart watch, Alexa device, fitness tracker, doorstep camera. We can order wine, control our lights and monitor our body fat with voice activated tools that once belonged in science fiction. But all this convenience comes with a trade-off: every connected device is also a potential attack vector. However, in real life as in fiction, the shiny, convenient side of tech is the focus, rather than the inconvenience of losing your data or worse.

The most disturbing case recently involved Cayla dolls - toys that, via Bluetooth, doubled as child monitors and could be easily hacked by phone from 50 feet away. Researchers discovered someone could watch, communicate and share footage of kids, through the very device designed to reassure parents of their safety.

German Telecom watchdog, Federal Network Agency, designated the toy a spy and banned it. All Cayla dolls must now be certified destroyed in Germany, or owners face a €25,000 fine.


Assumption + trust = massive security issue

Because they are so convenient, we trust our smart devices to the point where we assume they are secure by design. The distance that trust must stretch is the entire length of its supply chain. 

New call-to-action

IoT supply chain security is so pressing, that ENISA, the European Union Agency for Cybersecurity, published a lengthy report in November 2020: Guidelines for Securing the Internet of Things. Every aspect is covered, from conceptual design to end user delivery and maintenance. In conclusion, the need to ‘take a comprehensive and explicit approach to security’, is listed, amongst others.

Assuming a device is safe is extremely dangerous – and we’re not only talking hacking. Alexa records often, even when you don’t ask it to. Samples of your voice are captured and analysed in the cloud, to improve the service you receive. If you work in regulated financial or legal services, for example, often under NDA, imagine a sensitive call being recorded. Then imagine it shared in the public arena.

Every time you use a connected device, you are putting trust in the entire supply chain involved in IoT. If your device is from Microsoft or Apple, you’re not only assuming those singular organisations are safe, but that the millions of people collectively working for them, their suppliers, delivery and maintenance people are trustworthy too. This is a big mistake.


There are no IoT security standards

Another need identified in the ENISA report is to ‘leverage existing standards and good practices.’ Unlike with other consumer items, there is no BSI or international standard badge for IoT goods.

If a part is made in China and then travels into Korea for use in other devices, it crosses borders and standards. None of them are being uniformly security tested because no such standard exists. It will undoubtedly emerge in the future but until then, we have to rely on what we already have.


Your security camera, the potential attack vector

Any connected device can become an attack vector, with security cameras a particularly potent example. Cameras are shipped with default usernames and passwords, which are mostly available online.

Using only a normal web browser, it’s incredibly easy to access cameras all over the world. In the hands of a skilled hacker, your security camera can become a key to your physical premises and, via their connected Linux servers, a ‘jump host’ onto your network. The same goes for printers and any other connected device.

Users of Eufy security cameras reported being able to access other users’ accounts, allowing them to view both live and recorded video. They could also control others’ cameras. Eufy says this bug is now fixed. The critical takeaway here is that cameras should not be placed in personal spaces or rooms where confidential information is discussed. Better still, use them outside only.


Zero trust

The only safe way to use a connected IoT device is to assume it is not trustworthy. Making your staff aware of the attack surface anywhere they may work is critical and should be part of your cyber resilience strategy.

You can have top security tools on your corporate network and devices. If your staff work in their hyper-connected homes, your data can be compromised. Educate them. The more IoT devices in their home or your office, the larger the attack surface. 

People say their passwords out loud, or discuss highly sensitive projects – and someone could be listening in. What about biometric data? If you have cameras and voice-controlled devices in your home, your image and voice pattern – now critical elements of personal ID and access to many protected platforms – are being stored somewhere. Do you know where?


Questions for IT

How are we ensuring our staff are cyber aware?

Can you show me proof that all IoT devices are being monitored, scanned and tested?

What is our protocol around remote working and home IoT devices?




This article was originally published in Platinum Business Magazine