Especially at vacation time, it sounds good: A smart home that can also be monitored and controlled remotely – that promises security! Unfortunately, the opposite is often the case: These systems, in particular, are repeatedly affected by security vulnerabilities. In June 2021, a critical flaw was discovered: millions of networked security and home cameras contain a vulnerability that allows attackers to tap into video feeds. People, buildings, and privacy can be spied on, presences and absences or floor plans can fall into the wrong hands. [1]
Critical errors in standard subcomponents
The described issue was introduced via a widely used subcomponent from a supplier used by various security camera manufacturers. Other IoT devices with similar functions, such as baby monitors and pet surveillance cameras, are also affected. Since a simple standard component causes the problem, even informed consumers cannot tell from the outside which of their end devices are affected. One has to rely on the correct information and corresponding software updates from the manufacturer, which often do not exist or are very difficult to implement.
A lack of standards and often very cheaply priced products mean that IoT devices stop receiving security updates shortly after purchase or commissioning. In most cases, it is also unclear how the consumer learns about vulnerabilities or updates. [2]
Many different systems affected – deficits in “security by design”
Another current example is the Peloton fitness bikes, which were very popular during the pandemic. There, too, a critical but different flaw was discovered: simply via the USB port, any firmware, even a modified one, can be installed on the device, for example to forward data to external parties or to establish backdoor access via the Internet. The vulnerability is due to a lack of verification of the firmware. [3] As soon as a system has an Internet connection, basic security principles should be taken into account in any software development.
Secure systems require regular control and updates
Before you add the latest gadget to your home network, ask yourself: Are the convenience and new functionality this device offers worth the potential risk of a hack or security issue? What could happen if strangers or unauthorized people gain access to data? If the result is not in favour of a purchase, do without it. Otherwise, the primary recommendations apply: Research whether the manufacturer offers post-purchase or post-commissioning support for each device and brand. Register the system and pay attention to information on the availability and application of software updates. [4]
Sources: