The Amazon Ring Tale
“Update: 29/01/2020: so far, when yet more tales of woe (usually regarding the Amazon Ring) come in I have just been adding the stories in the comments section below the original article. However, when an actual Amazon engineer, usually known for their fierce loyalty, sticks their head above the parapet and effectively whistle blows, stating:
“The privacy issues are not fixable with regulation and there is no balance that can be struck. The Ring should be shut down immediately and not brought back.”
We felt this was worthy of an article update. In summary, and to reflect upon the general sentiment of the blog piece, we now appear to have a situation where a household name is selling home security products that one of their engineers says should be scrapped due to inherent security vulnerabilities. If you want to go to Amazon and buy a home security product we suggest you might want to think about a good old-fashioned, 3 star Anti Snap Cylinder (no internet connection required!)”
Here’s an easy experiment for you
Go to Google, and type “Home Security Cameras” into the search window.
At the top of the page, you’ll be presented with paid for results of various WI-FI connected IP cameras.
For the second part of this task take the first manufacturer, in my case, it was the Amazon-owned ‘ring’ suite of home security system products, then simply enter in this search term “XXXX security camera breach” replacing XXXX with the manufacturer’s name.
For ‘ring’, as per the example below, you can see it doesn’t make for pretty reading.
Now do the same with the other vendors, you’ll see the same story again and again. (this also applies to other devices that connect to your wireless network and offer live feeds as a “security feature”, such as baby monitors) …How utterly bonkers is that!?
Devices where their raison d’etre purports to be increasing the security of your home have literally, built-in security vulnerabilities and flaws that could reduce the security of your home.
How can IoT “security” systems have such security flaws?
How can a company build a product that is supposed to make your home more secure and yet because of the inherent vulnerabilities within that product it actually makes your home less secure? Can you believe that people are actually spending money on devices and installing them in their homes that allow unknown entities to spy on your property, your animals and your children?
We’re buying hardware that is supposed to stop intruders getting in, when in fact they can be appropriated by the bad guys and stop us getting into our own home. Often, it’s not so much that the IoT device can easily have its security defences circumvented, instead, it’s that they don’t clearly articulate the need for unique and strong user-credentials and build in fail-safes to stop weak user authentication credentials. Google’s own Nest suite of products has suffered from a rash of unauthorised intrusions.
It’s ever been thus
This isn’t a new thing. It’s an old thing.
The term cyber-security is something of an oxymoron when you think about it. We build expensive wiz-bang computer products, send them out to the market and then finally someone says, “hold on, what about the security?” And at this point, someone else comes up with an expensive wiz-bang security product that you bodge on to the original product, then more vulnerabilities are found so you patch here, update there and so the cycle continues.
Why don’t we build IoT systems with security by design in mind?
Dunno…. Why don’t we build cars that only need servicing every 100,000 miles? Why don’t we build mobile devices that can be upgraded and updated for years? Why do we keep having to buy new razor blades? Why are there so many software security vendors out there?
What do we do about insecure IoT systems?
The thing is, there is a balance that needs to be reached. Firstly, we need to understand what the term IoT, or Internet of Things means. At home, it could apply to your smart coffee machine that starts to brew when you walk through the front door. Whilst at work it could be the network of sensors that dictate when lighting is turned on when HVAC (Heating, Ventilation & Cooling) systems operate and how much power is given to what and when.
In short, the internet of things (IoT) can loosely be termed ‘a series of connected devices with sensors.’
And the work examples are the kicker.
While having a coffee ready to go at the perfect moment is convenient – smart buildings are energy efficient. That is, they save energy. And when used properly, smart buildings can save a lot of energy. And that’s really important. Like saving the planet important.
Same applies to smart highways and smart cities – smart anything really. It’s the core reason why our governments are so worried about getting 5G rolled out on time. It’s not because they want you to be able to view the latest series of Stranger Things seamlessly, it’s because the super bandwidth and low latency are absolutely keys to their plans to increase infrastructure energy efficiency within their borders.
Anyway, I digress… what can we do to make these devices more secure?
In a way, it doesn’t matter whether you are talking about a smart kettle or a smart building, the same principles apply, it’s just a matter of scale.
Let’s go back to your wireless “security” cameras for a moment. Some of these camera’s feature no username or password and many, if they do, have admin / admin as the default. So, you get your camera, you unpack it, you configure it and hey presto you can see inside your living room from your phone while you’re at work …And so can everybody else.
Every connected ‘thing’ has a public facing interface you see. Which means it can be indexed on the web, which means someone can locate it, search on the default password settings for that brand and unless you have gone to the effort of manually changing username / password credentials they can see everything you can see.
And this is just the tip of the iceberg, the Mirai botnet attack,, for example, took advantage of smart devices by utilising security holes and was able to create a botnet army that made much of the US East Coast’s internet inaccessible.
So, the principle remains the same as it ever was.
Never assume your device or system has built-in security, it almost certainly hasn’t. Apply the same methodology to your IoT devices that you should apply to all your usual networks, systems and devices. When it comes to your home, weigh up the benefits of the product versus the potential security pitfalls. Research the device and of course, use strong security credentials. Find advice on creating a strong password here.
The same applies to corporate environments, but in addition, you should:
- Build an asset list, Know what you have, and where.
- Run regular vulnerabilities scanning assessments, Once a quarter at least and whenever new kit is added.
- Run manual penetration tests, At least annually.
Risk Crew has established a detailed and comprehensive methodology for conducting security penetration testing of business IoT, industrial IoT and enterprise IoT solutions designed to give you peace of mind. Testing is scoped based on initial discovery and documentation of IoT devices deployed in your business. Read more about our IoT Security Penetration Testing service here.