Security questions that will take the smile off the enthusiastic vendor at CES

By Kevin Bailey, Head of Market Strategy. 

The Consumer Electronics Show (CES) happened last week in Las Vegas. Whilst most of Europe was being battered by severe wind and rain storms and North America was imitating the polar ice cap, some 150,000 attendees from 150 countries were basking in the clear skies and sunshine of the Nevada desert.

If this year is like other years, there will be TUSs (Televisions of Unusual Size) galore and there will be loads of new, “smart” devices to connect to your home network. I’ve already seen the app that tracks your family’s ‘Teeth Cleaning’ habits, the personal ‘Drones’ that fly over the neighbourhood (nice invasion of privacy here and pictures for SnapChat!), a wearable head camera that makes the user look like a ‘Borg’ and every conceivable wrist band that tells you about your bad posture, sleepless nights and faltering blood pressure (always nice to have a piece of plastic tell you everything you probably already know!).

In the rush of excitement about these new devices and their abilities, questions about security and privacy are almost always left unasked. I picked up these really interesting ‘questions’ from a blog by Paul Roberts at Veracode and thought I’d share them with you all. I agree with Paul that they may be impertinent, but they are important: important enough that, whether you are at CES, InfoSec or sitting in your office with a vendor, they are the essentials that you can ask any connected-device vendor.

1. Which of my data does [product name] collect? What does it do with it? Where does it store the data? And how does it protect the data from unauthorized access?

OK, that’s more than one question, I know. But the most important question you should ask of any “smart” device maker is the old Roman adage “cui bono?”, or “for whose benefit?” While they may not be up front about it, many “smart” and “connected” device makers see their consumer products as a beachhead into your personal life, with the goal of harvesting all manner of personal information that can be used to upsell you products and services. In other cases, device makers may have outsourced work to a third-party cloud provider in a way that is risky. In his analysis of the IZON home surveillance camera, DUO Security’s Mark Stanislav found that IZON had contracted with the video monitoring firm IntelliVision to monitor video alerts captured by its home surveillance cameras. It turned out that videos captured by IZON cameras were being lumped together and stored, unprotected, in a virtual container on Amazon’s cloud service. Another bit of Latin: caveat emptor. Buyer beware.

2. Was this product independently audited by an application security expert prior to its release? If so, what kind of testing was performed?

This question will mostly get you blank stares on the floor at any conference, but it’s worth asking. Despite being targeted at consumers who, generally, don’t know any better, many connected devices – even those manufactured by well-known brands – receive little or no testing for common application security problems prior to being released. Application security experts who have studied “smart” products of various types say many are vulnerable to remote attacks that leverage features of the device to inject malicious code, giving unknown assailants control over the device. Ideally, a company will have hired a qualified professional to perform dynamic testing on any compiled binaries that will be shipped to customers. Such tests are akin to the kinds of “fuzzing” that a malicious hacker would do and are often sufficient to spot many of these problems.

3. How does this product protect communications coming and going?

Connected devices are all about remote access and many rely on cloud-based resources to manage user interaction, store data and download software updates. Sadly, too many connected device makers give short shrift to basic authentication and communications security. It goes without saying that any communications to and from the device should be encrypted. The NEST thermostat – a sleek, Linux-powered device that has become something of a standard bearer for the “connected device” industry – uses SSL (Secure Sockets Layer) and 128-bit encryption to protect data and is hardened to prevent remote attackers from accessing it. But for every NEST there’s an IZON home surveillance camera listening on all ports and with nothing save a local Wi-Fi password to protect it from the big bad world.

4. Does this product run Java, Webkit or other third party software?

Let’s face it: connected devices are just PCs by a different name. Most run versions of standard operating systems (Linux is a favourite). And, when it comes to building features quickly, most companies just rely on third-party code – open source libraries or ready-made drop-ins like Webkit for rendering HTML and web content. But that leaves the devices open to the same attacks that are used against more traditional endpoints. Security researchers found, for example, that Samsung Smart TVs could be compromised using attacks that worked on other devices that use the Webkit rendering engine. Understanding the risk that a connected device might pose to your personal or corporate data requires some knowledge of what’s under the hood.

5. What default security features does this device have?

Connected devices are just networked devices, so ask the same questions you’d ask about any device you were thinking of deploying on a network: does it have a firewall? Does it enforce strong and secure authentication, such as requiring strong user passwords and limiting password retries? Does it have mature logging and alerting features that will allow you to figure out how the device has been interacted with? If a vulnerability is found in your product, how are customers notified and how can they update the firmware or software? Is there an auto-update facility? If so, is that mechanism secure, and are the software updates cryptographically signed to ensure authenticity?
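As an added example (not code from Paul’s or this post, nor from any vendor named here), this is what the last of those questions is asking for: the device accepts a firmware image only if the vendor’s signature verifies over both the image and its version number, and it refuses a rollback to an older signed build. The Ed25519 keys, the Update container format and the sample image are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)
// Update is what the device downloads: firmware image, monotonically increasing
// version, and the vendor's signature over both (constructed format, not a real vendor's).
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// message binds the version to the image, so a valid old image cannot be
// spliced together with a newer version number (or vice versa).
func message(version uint32, image []byte) []byte {
	msg := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, image...)
}

// SignUpdate is the vendor side; the private key stays on the build system.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	sig := ed25519.Sign(priv, message(version, image))
	return Update{Version: version, Image: image, Signature: sig}
}

// VerifyUpdate is the device side; only the vendor's public key is built in. It refuses
// a forged signature, an image altered in transit, and a rollback to an older build.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, message(u.Version, u.Image), u.Signature) {
		return errors.New("signature check failed: image or version altered")
	}
	if u.Version <= installed {
		return fmt.Errorf("rollback refused: version %d is not newer than %d", u.Version, installed)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	u := SignUpdate(priv, 2, []byte("firmware v2 (constructed sample)"))
	fmt.Println("genuine:", VerifyUpdate(pub, 1, u)) // <nil>
	u.Image[0] ^= 0xff                                // one bit flipped in transit
	fmt.Println("tampered:", VerifyUpdate(pub, 1, u)) // signature check failed
}
```

A real device would also pin the public key in read-only storage and keep the installed version counter somewhere an attacker cannot wind back, which this example leaves to the platform.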

As one respondent to Paul’s blog remarked:

Yeah, any of these questions will likely get you:
1. Blank stares
2. “Umm, I don’t know, I’m not an engineer/You’d have to talk to our engineers about that”
3. “Here’s the card of our {Social Media Director|Marketing Director|Customer Support Manager}, they might be able to help you with that”.
4. “Oh Security…”