Interesting aspect I stumbled upon recently. It's about the question of how Internet of Things (IoT) devices threaten IT security. In addition to often serious vulnerabilities in their firmware and a lack of updates after a short time, there is another problem area. Many devices have built-in WLAN or Bluetooth chips without users being made aware of this when they are sold. The next security issue is emerging.
More and more Internet of Things (IoT) devices are finding their way into home and business environments. There are the surveillance and security cameras that diligently transmit data to the manufacturer, while being open to third-party access via vulnerabilities. They range from smart TVs and smart speakers like Amazon's Alexa to doorbells and IoT-enabled home appliances. Even heaters are being equipped with something like this. And the vacuum robot that scurries through the apartment is an excellent spying tool.
It is no longer a real secret that security is treated as an afterthought. Firmware with serious security gaps, missing updates that make devices usable for attackers or allow access to virtually anyone, and manufacturer servers that have been shut down, leaving the IoT devices unusable, have all occurred frequently in the recent past. Firmware updates that fix vulnerabilities are also often not provided.
Radio chips open new attack vectors
Through this blog post, I was recently reminded of a threat that many users don't have on their radar. Rob Braxman writes that many IoT devices these days have communication chips, such as for Bluetooth, built in. And people are setting up Bluetooth communication between wearables and their smartphones.
But many users don't realize that these IoT devices can communicate with each other without being noticed. Who knows exactly what their IoT devices are doing and what communications are going on with third parties? I've already had one or two posts on the topic here on the blog (see, for example, Strava expose private data to nearby users, check your privacy settings).
Braxman writes that devices often establish secret communications with other IoT devices unnoticed or unwanted by the user. That happens via protocols such as Bluetooth LE, Zigbee, Thread, 802.15 and LoRa. Many users are unaware of this because it is not explained or communicated to buyers when they purchase these devices; in some cases, it's not even in the device's instructions.
Braxman cites the case of Amazon Echo being made to work with the Amazon Sidewalk Mesh network and writes that other networks in operation enable just such a thing, saying that many of these capabilities are completely unknown to the broader user base. Braxman questions whether we'll hunt down the next wave of cyber-attacks through this avenue and, at the end of the article, links to devices that could be used to probe and/or disrupt communications.
The article opens with a video from Braxman in which he addresses the issues. The issues he touched on are already of interest. First and foremost, the IoT approach to buying devices needs to be critically examined. For years, people have been bringing security vulnerabilities into their own environment via cameras, fitness trackers, smart speakers, doorbells, smart TVs, and now even cars and remote controls, which are going to be a nasty surprise.