New findings were recently published, uncovering security flaws in two increasingly popular IoT household devices: a Wi-Fi connected garage door opener and a “smart ring’, which, among many uses, utilizes NFC to open door locks. I’d like to use these cases as examples of a growing concern in the area of product security.
The industry of consumer devices has seen some a significant improvement for security in recent years. For example, just a few short years back, nearly every consumer router shipped with a default username and password which represented a serious security concern for many home networks. Many households did not opt to change said passwords. Nowadays most routers at least ship with a unique password printed on the physical device itself, which dramatically increases the overall network security.
Although most consumers still utilize physical keys to secure the front door to their homes, the introduction of NFC enabled home door locks brings both convenience and potentially compromised security. Design insecurities could allow an attacker to easily clone the NFC Ring and gain entry to a home utilizing an NFC enabled smart lock.
While the NFC Ring modernizes household security, the convenience that comes with technology adoption also introduces a security issue. The issue here is at a higher level; where and do we draw the line for convenience versus security? The numerous benefits technology enhancements bring are often exciting and highly valuable; but many are unaware of the lengths cyber criminals will go to.
What can be done? The responsibility is shared between consumers and manufacturers, and there are a few options:
- Proper cyber hygiene. Consumers have a plethora of tools at their disposal, even when security concerns do manifest. Try your best to implement a strong password policy, utilize two-factor authentication when possible, and update/patch quickly when issues arise.
- Do your research. Consumers should ensure they are aware of the security risks associated with products available on the market.
For product manufacturers:
- Manufacturer supported awareness. Product manufacturers can help by clearly stating the level of security their product provides in comparison with the technology or component they seek to advance.
- Vulnerability disclosure. Cyber criminals are always tracking flaws which they canuse to their advantage; conversely, threat researchers are constantly working to uncover and secure product vulnerabilities. By partnering with researchers and responding quickly, vendors have a unique opportunity to stay ahead of the competition by earning the consumers trust.