A friend recently posted some concerns about how flaws in TVs and other smart devices could be used to spy on us. I responded with some of my observations and thought it made sense to expand on it for a full blog post. While this is an issue that the security industry has been warning about for years now, there has been little action on the part of the consumer-electronics industry, which is rapidly becoming the #1 source of computers (AKA “The Internet of Things”).
The Stupidity of “Smart” Devices
There are several problems with most of the new “smart” devices. First of all, there is no security engineering put into any of these products (even “security” ones, like home router/firewalls), so architectural flaws that should have been caught early on make it into the device (don’t get me started on WPS). They are also often based on open-source platforms, which isn’t a problem in itself, but those platforms have security flaws discovered all the time and are rarely — if ever — updated on the devices. Since these devices have no ongoing update process (when was the last time you updated the firmware on your TV?), there is no way to ensure that these devices don’t have open, well-known vulnerabilities.
When you buy a computer or iOS device (sadly, Android is a different story — more on that later), you have some guarantee that there will be some period of updates available and it often happens in the background, automatically. This doesn’t happen with consumer devices — especially ones that get refreshed every year, like TVs and Audio Receivers, and they’re becoming more and more ‘connected’ every day. Even home routers are not immune to this process (which people have started to notice). You’re lucky if they ever get around to releasing an update fixing core functionality issues, as all development work typically stops when they start ramping up production on next year’s model.
Problems with Home Routers
As I mentioned earlier, people are starting to notice this problem with home routers. A new worm (“TheMoon”) made news by attacking flawed Linksys E-Series routers that no longer receive updates. This was right after another vulnerability in Asus routers made news when people found notes on the attached hard drives. These were both relatively benign, but they could just as easily have been malicious, as the attackers gained full control of the devices. According to research by Tripwire, 80% of home routers have security vulnerabilities. They went on to show that most people (even IT professionals) don’t change default settings that open the devices up to more potential vulnerabilities (many don’t even change the default password!).
Unfortunately, there will probably be little to no support for changing this situation in the near future. OEMs have no incentive to update devices once they’ve been released and consumers don’t demand updates. Even after all the news about breaches, stolen credit cards, and identity theft, it’s still difficult to get users interested in security, period.
Android’s Update Problem
Interestingly enough, this is one of the primary reasons that Android has ~20% market share in corporate environments for phones and <10% for tablets, while it has over 70% of the consumer phone market (the #1 reason is still that >90% of mobile malware is on Android). This is something I have personal experience with, as I write mobile device security standards (among other things) for a Fortune 200 company. Enterprise users care about ongoing support and security updates in ways that most consumers don’t. As a result, I expect to see some changes on that front as Android OEMs try to be more appealing to enterprise clients. Just in the past week, HTC announced that they will be supporting their flagship Android devices with updates for 2 years, but this seems to target those wanting new features, not necessarily to support security updates.
It certainly looks bleak at the moment (“it’s always darkest before the dawn — or before it all goes black”), but there are still ways that this can be solved. However, this is already a long enough post and the solutions are not simple, so I’ll be writing a follow-up with some ideas on how to solve this.