In recent years, talk of “hackable toys” has become something of a staple of the holiday season. The message of these “hackable toy” stories was almost always the same: buyer beware. These cute interactive dolls, nanny cams, and tablets for toddlers collected tons of sensitive information from children, often in violation of federal law. In the case of , the data was not transmitted or stored securely, leading to breaches in which sensitive data leaked.
But this year, you’ll be hard-pressed to find warnings about cybersecurity risks in connected toys and personal electronics. Therefore, the consumer may be forgiven for concluding that the problem must have been fixed. The toys under the tree this year are hardened against remote cyberattacks, right? The data they collect is locked down and encrypted.
Almost certainly not. As Christmas and Hanukkah 2022 approach, the discussion of cyber risks in smart, connected toys and electronics may have been put on the back burner, but the risks themselves have not gone away. If anything, they are increasing as the Internet of Things expands its reach to more families, communities, and businesses.
Lax cybersecurity is the norm for xIoT
For example, a recent study of IoT device security by cybersecurity firm Phosphorus Labs found that 68% of the devices examined had high-risk or severe vulnerabilities. This is consistent with other research on IoT vulnerability. A 2020 study by Palo Alto Networks found that 57% of IoT devices are vulnerable to medium- or high-severity attacks, while 98% of all IoT device traffic is unencrypted. That leaves private and sensitive data exposed: an attacker with access to the unencrypted network traffic can intercept it and collect personal and confidential information.
Phosphorus’ research focuses on devices and technologies used by businesses and governments (printers, voice over IP phones, physical access systems, etc.), but what Phosphorus calls xIoT covers a broader range of connected devices than the consumer internet. Brian Contos, CSO at Phosphorus, estimates the xIoT population at around 50 billion devices and growing rapidly, while traditional IT endpoints (desktops, laptops, servers) are declining as a share of the whole. The security issues in business xIoT such as VoIP phones, security cameras, and printers matter beyond those product categories, because they are not limited to them.
Phosphorus’ research points to a number of factors that contribute to IoT security problems. Among them are a lack of secure development practices and experience among connected device manufacturers, heavy reliance on shared software and components (often open source), and a business culture that values time-to-market and feature development over robust security. Last year showed that vulnerabilities in the software supply chain are the leading source of cyber risk for organizations.
Improper credential management is the most obvious by-product of this general lack of security. Phosphorus notes that many xIoT devices ship with default passwords that users frequently forget to change, while other devices do not support complex passwords at all.
In short, IoT is a major blind spot that hackers can use to penetrate both home and business networks. With that access, they can pivot to other assets, steal information, launch attacks, perform physical sabotage, and achieve long-term persistence, Contos said. Companies are also notoriously bad at keeping track of the IoT devices deployed in their environments. Contos estimates that each employee uses between 3 and 5 IoT devices at work, yet companies routinely underestimate the number of IoT devices deployed by more than 50%.
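The credential and inventory problems described in the two paragraphs above can be checked mechanically against an asset record. The following Python is an added example written for this page, not code from Phosphorus or from the article; the vendor names, the default-credential list, the device records, the list of hosts "observed" on the network, and the 12-character password threshold are all constructed assumptions. It flags devices still on a vendor default credential, devices whose firmware cannot hold a password of policy length, devices exposing unencrypted services, and hosts seen on the network that are missing from the inventory (the undercount Contos describes).

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed sample of vendor-default credentials (hypothetical vendors and values).
DEFAULT_CREDENTIALS = {
    ("ExampleCam", "admin", "admin"),
    ("ExampleCam", "admin", "12345"),
    ("ExamplePrint", "admin", ""),
    ("ExampleVoIP", "user", "user"),
}

# Protocols that carry management traffic or media in the clear.
PLAINTEXT_PROTOCOLS = {"http", "telnet", "ftp", "rtsp", "snmpv2c"}

MIN_PASSWORD_LEN = 12  # policy threshold; an assumption for this example


@dataclass
class Device:
    ip: str
    vendor: str
    username: str
    password: str
    max_password_len: int   # longest password the firmware accepts
    services: tuple         # (port, protocol) pairs the device exposes


def uses_default_credentials(dev: Device) -> bool:
    """True when the stored credential still matches a known vendor default."""
    return (dev.vendor, dev.username, dev.password) in DEFAULT_CREDENTIALS


def cannot_hold_strong_password(dev: Device) -> bool:
    """True when the firmware cannot accept a password of policy length."""
    return dev.max_password_len < MIN_PASSWORD_LEN


def plaintext_services(dev: Device) -> list:
    """Ports on which the device exposes an unencrypted protocol."""
    return sorted(port for port, proto in dev.services if proto in PLAINTEXT_PROTOCOLS)


def audit_device(dev: Device) -> list:
    """Collect findings for one device in a stable order."""
    findings = []
    if uses_default_credentials(dev):
        findings.append("default-credentials")
    if cannot_hold_strong_password(dev):
        findings.append(f"max-password-len-{dev.max_password_len}")
    for port in plaintext_services(dev):
        findings.append(f"plaintext-service-{port}")
    return findings


def inventory_gap(inventory: Iterable[Device], observed_ips: Iterable[str]) -> dict:
    """Compare hosts the network actually shows against the asset inventory."""
    known = {d.ip for d in inventory}
    observed = set(observed_ips)
    unknown = sorted(observed - known)
    undercount = len(unknown) / len(observed) if observed else 0.0
    return {"unknown_devices": unknown, "undercount_fraction": round(undercount, 2)}


def run_audit(inventory: list, observed_ips: list) -> dict:
    """Per-device findings plus the inventory gap, as one report."""
    return {
        "devices": {d.ip: audit_device(d) for d in inventory},
        "inventory_gap": inventory_gap(inventory, observed_ips),
    }


# Constructed sample inventory and observed hosts.
SAMPLE_INVENTORY = [
    Device("10.0.0.11", "ExampleCam", "admin", "admin", 8, ((80, "http"), (554, "rtsp"))),
    Device("10.0.0.12", "ExamplePrint", "admin", "N0t-the-default-pw!", 32, ((443, "https"),)),
    Device("10.0.0.13", "ExampleVoIP", "user", "L0ng-enough-pass", 16, ((5061, "sips"), (23, "telnet"))),
]
SAMPLE_OBSERVED = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.21", "10.0.0.22", "10.0.0.23"]

if __name__ == "__main__":
    for section, value in run_audit(SAMPLE_INVENTORY, SAMPLE_OBSERVED).items():
        print(section, value)
```

On the sample data the camera is flagged on all three counts, the printer is clean, the VoIP phone is flagged only for its Telnet port, and half of the observed hosts are absent from the inventory, which is the kind of undercount the article describes. In practice the observed-host list would come from passive network monitoring or DHCP logs rather than a hard-coded list.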
And the risks posed by insecure gifts under the Christmas tree carry over to the business when employees bring their personal electronic devices into the office, he said.
Unsafe Toys: Yesterday’s News?
Recent history provides ample evidence that the security issues facing xIoT extend to smart, connected toys. Back in 2015, for example, security researchers found vulnerabilities in the apps connected to toys such as Mattel’s Hello Barbie. In 2018, Hong Kong-based VTech was charged by the United States Federal Trade Commission (FTC) with violating the Children’s Online Privacy Protection Act (COPPA) in connection with a 2015 cyber attack and data breach that targeted VTech’s Learning Lodge Navigator online program, Kid Connect app, and Planet VTech game and chat platform; VTech agreed to pay the FTC $650,000. The attack exposed the personal information of 5 million customers, more than half of whom were children.
The intersection of cybersecurity and toys has drawn plenty of attention before, and not just from federal regulators. Those reports warned of failures such as flaws in toys’ wireless security and authentication features. The German government told parents to destroy the Cayla doll, a smart interactive toy that the government likened to a surveillance device.
News outlets such as The Wall Street Journal and The New York Times picked up these reports and made the issue front-page news. The FBI also weighed in, warning consumers in 2017 that smart, connected toys could be equipped with sensors, cameras, and even GPS trackers, posing cybersecurity and privacy risks. In 2019, the FTC published a list of security and privacy questions that consumers should ask before purchasing an internet-connected toy.
But with another holiday gift season upon us, there is far less talk of hackable toys in 2022 than there was five or even three years ago. The FTC did take strong action against Epic Games this month for violating COPPA and misleading players of its Fortnite online game about in-game purchases, but the FTC has not issued fresh advice to consumers about cyber risks in connected products. Connected toys and gifts, with their combination of sensor-rich hardware, mobile applications, cloud-based servers, and data storage, have not gone away. If anything, they are more common than ever. According to research by Mordor Intelligence, the connected toy market accounted for $7.6 billion in sales in the US in 2020 and is expected to grow over the next five years.
Wanted: Cops on the IoT Security Beat
This kind of bad press should put pressure on device makers to improve. After all, 87% of consumers surveyed by DigiCert in its 2022 State of Digital Trust survey said they were likely to abandon a vendor after a cyber incident caused them to lose digital trust in it.
But sadly, as the short list of FTC enforcement actions for COPPA violations suggests, there is effectively no cop on the IoT security beat. In the 20 years since the law was enacted, only 37 COPPA violations have been settled. For every Epic Games or VTech, there are hundreds, if not thousands, of devices and device makers with lax device and data security, exploitable software holes, vulnerable configurations, and unpatched software defects that escape scrutiny entirely.
What is needed, of course, are new rules, regulations, and standards that prioritize the security of IoT devices, including children’s toys. But so far, U.S. lawmakers have shown little interest in holding toy and personal electronics makers to account. The most notable public policy achievement was the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, which set minimum security standards for IoT devices. Unfortunately, despite strong bipartisan support, the legislation, which took more than three years to pass, applies only to IoT devices sold to federal agencies, and it explicitly excludes most “traditional” information technology devices such as computers, laptops, tablets, and smartphones. Needless to say, Uncle Sam isn’t buying any connected toys.
Cybersecurity product labels to hit the market in 2023
Beyond that, the only other IoT regulations are at the state level or outside the US, where the UK and, more recently, the EU have introduced new rules targeting the security of Internet of Things devices.
Most recently, the Biden administration announced in October that it would introduce a cybersecurity labeling system for Internet of Things devices in 2023. Similar to the federal Energy Star label, which informs consumers about the energy efficiency of products, the new cybersecurity label will give consumers who are considering a connected product important information about both the cybersecurity of the device and the security of the software it contains. This is part of a broader government effort to improve the security of software (and the software supply chain) used by federal agencies. For IoT devices, NIST has developed guidelines for a barcode label to be affixed to internet-connected cameras, home routers, and other “high-risk” IoT devices. The barcode links to information about the manufacturer’s data encryption, software update, and vulnerability remediation practices.
This is a big improvement and could help put pressure on device makers to prioritize cybersecurity. But the new rules stem from President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity and reflect only the wishes of the current commander-in-chief. Without legislation passed by Congress, the IoT labeling system, and all the hard work NIST, the FTC, and others have put into creating it, could be shelved, superseded by an “industry-friendly” alternative, or replaced by nothing at all, should the next resident of 1600 Pennsylvania Avenue so desire.
Experts agree that the risks posed by the Internet of Things are increasing. If legislators are serious about addressing that risk, passing a comprehensive IoT security act in 2023 should be a priority.