Five Product Security Questions Nobody At CES Wants You To Ask
The annual Consumer Electronics Show kicks off in Las Vegas this week. With rivers of ink spilled on cool, new “smart” products, here are five impertinent security questions that no vendor wants to be asked.
The Consumer Electronics Show (CES) kicks off today in Las Vegas. This year’s show is expected to draw some 150,000 attendees from 150 countries. Even though high profile firms like Apple and Microsoft are giving the event a miss, there will be 3,200 exhibitors including most of the world’s major electronics and consumer device makers – Sony, Samsung, LG, etc.
If this year is like other years, CES will be a parade of tricked out consumer goods. There will be TUSs (Televisions of Unusual Size) galore. And there will be loads of new, “smart” devices to connect to your home network.
In the rush of excitement about these new devices and their abilities, questions about security and privacy almost always are left unasked. But if you’re lucky enough to be going to CES, and you’re a reader of this blog, I’ve put together this short list of impertinent – and important- security questions that you can ask any connected device vendor. Feel free to add their responses as comments below.
1. Which of my data does [product name] collect? What does it do with it? Where does it store the data? And how does it protect the data from unauthorized access?
OK, that’s more than one question, I know. But the most important question you should ask of any “smart” device maker is the old Roman adage “cui bono?” Or, “for whose benefit?” While they may not be up front about it, many “smart” and “connected” device makers see their consumer products as a beach head into your personal life, with the goal of harvesting all manner of personal information that can be used to upsell you products and services. In other cases, device makers may have outsourced work to a third party cloud provider in a way that is risky. In his analysis of the IZON home surveillance camera, DUO Security’s Mark Stanislav found that IZON had contracted with the video monitoring firm IntelliVision to monitor video alerts captured by its home surveillance cameras. It turned out that videos captured by IZON cameras were being lumped together and stored, unprotected, in a virtual container on Amazon’s cloud service. Another bit of Latin: caveat emptor. Buyer beware.
2. Was this product independently audited by an application security expert prior to its release? If so, what kind of testing was performed?
This question will mostly get you blank stares on the floor at CES, but its worth asking. Despite being targeted at consumers who, generally, don’t know any better, many connected devices – even those manufactured by well known brands – receive little or no testing for common application security problems prior to being released. Application security experts who have studied “smart” products of various types say many are vulnerable to remote attacks that leverage features of the device to inject malicious code, giving unknown assailants control over the device. Ideally, a company will have hired a qualified professional to perform dynamic testing on any compiled binaries that will be shipped to customers. Such tests are akin to the kinds of “fuzzing” that a malicious hacker would do and are often sufficient to spot many of these problems.
3. How does this product protect communications coming and going?
Connected devices are all about remote access and many rely on cloud based resources to manage user interaction, store data and download software updates. Sadly, too many connected device makers give short shrift to basic authentication and communications security. It goes without saying that any communications to and from the device should be encrypted. The NEST thermostat – a sleek, Linux powered device that has become something of a standard bearer for the “connected device” industry – uses SSL (secure socket layer) and 128 bit encryption to protect data and is hardened to prevent remote attackers from accessing it. But for every NEST there’s an IZON home surveillance camera listening on all ports and with nothing save a local wi-fi password to protect it from the big bad world.
4. Does this product run Java, Webkit or other third party software?
Let’s face it: connected devices are just PCs by a different name. Most run versions of standard operating systems (Linux is a favorite). And, when it comes to building features quickly, most companies just rely on third party code – open source libraries or ready-made drop-ins like Webkit for rendering HTML and web content. But that leaves the devices open to the same attacks that are used against more traditional endpoints. Security researchers found, for example, that Samsung Smart TVs could be compromised using attacks that worked on other devices that use the Webkit rendering engine. Understanding the risk that a connected device might pose to your personal or corporate data requires some knowledge of what’s under the hood. And, as Veracode has often noted, that includes “not developed here” third party code, as well. Don’t be afraid to ask.
5. What default security features does this device have?
Connected devices are just networked devices, so ask the same questions you’d ask about any device you were thinking of deploying on a network: does it have a firewall? Does it enforce strong and secure authentication like requiring strong user passwords and limiting password retries? Does have mature logging and alerting features that will allow you to figure out how the device has been interacted with? If a vulnerability is found in your product, how are customers notified and how can they update the firmware or software? Is there an auto-update facility? If so, is that mechanism secure and are the software updates cryptographically signed to ensure authenticity?