Consumer Smart Devices Designed ‘Without Security in Mind’, Says Expert

It’s been reported that Internet-controlled devices around the world are being increasingly exploited by hackers, companies, and other independent groups for a wide variety of reasons.
Sputnik

Kayleen Manwaring, a senior lecturer at the University of New South Wales, has shared her view on measures that can be undertaken to protect the data and privacy of consumers.

Sputnik: How is the privacy and data of consumers being exploited and compromised by companies, hackers, and weak security settings?

Kayleen Manwaring: Great question, because it includes not only malicious actors, but it also includes the companies themselves, who manufactured the devices. With the Internet of Things, most of the consumer devices have been designed without security in mind. This is for a number of reasons: one - cost, of course, because it's cheaper; secondly, a lot of the manufacturers of these devices aren't particularly competent in the information technology and security space; thirdly, because of the form factor, in the sense that some of these devices have got very limited memory, very limited processing power, they often don't have screens, etc. Some of the normal security processes and protocols that you can put in place are difficult to put into place on these devices. This has resulted in a few exploits by malicious actors. For example, one of the earliest cases of this was in the US, where actually a couple of security camera companies who made Internet security cameras have been prosecuted by the Fair Trade Commission, basically, because they've made these Internet security cameras for the home that can very easily be hacked.

Sputnik: What risks and future problems does this create for consumers and the wider society?

Kayleen Manwaring: The biggest issue is, of course, hackers, malicious actors, or indeed, for that matter, companies who make the devices can take control of your devices remotely. So, they could be thousands of kilometres away and still be able to control your devices, and when that device happens to be mobile, like a car, they can cause physical harm. I mean, people do concentrate on the privacy aspects and the data aspects, and they are very important and very real; but the potential for physical harm is one that I think is a little bit underreported, particularly when a lot of these devices have some form of way where they can affect the physical environment. Not as many are as drastic as a car or a gun, but those sorts of devices have been found with security flaws, so that's really problematic. In relation to society, of course, councils and city managements are installing a whole lot of similar devices, like smart streetlights, smart garbage bins, all the city infrastructure that is connected to the Internet, but that is also at risk of being hacked. So, in terms of our city-based Internet of Things, you can, at least potentially, bring down important infrastructure.

Sputnik: What needs to change if authorities are to address this issue, e.g. would specific protocols and codes of conduct solve this issue?

Kayleen Manwaring: Codes of conduct are worthwhile, but only if they're enforceable - the UK has recognised this. The UK introduced a code of conduct for consumer IoT a couple of years ago, but they didn't make it mandatory and they've very recently recognised that it means that not enough people are adhering to it. It's not enough to say "this is good practice". I assume they were hoping that manufacturers would abide by good practice, but the evidence has shown that's not happening or not at the speed the UK government is expecting it. So, what they're doing now is to move to more enforceable codes of conduct. So codes of conduct that are purely self-regulatory haven't been particularly successful in the IT space. If they've got some heft behind them, in terms of a dedicated regulator who's got some powers and some money behind it, and also some legal consequences to breaches of these particular codes, that really is going to be the thing that makes a difference. I would applaud the UK's decision to move on to making the codes of conduct mandatory. I wish my own country would do that. They've just decided to introduce a voluntary code based on the UK code of conduct, but they haven't learned any lessons from the UK around the fact that they've really got to make it enforceable rather than voluntary.
