Week 3

Internet of Thing devices have become almost ubiquitous in the last few years since they began taking off. Things like smart speakers with microphones built in that can listen for vocal commands to update you on the weather, set timers and alarms, or even integrate with other smart home IoT devices to perform actions like turning lights on and off, closing window blinds and even controlling HVAC systems.

These devices function to make life easier for the occupants of homes with them installed, but one of the seldom discussed challenges that come along with these devices are the vulnerabilities they introduce.

Of course, one of the higher vulnerabilities we talked about in the class comes from these devices not implementing security patches for known/discovered vulnerabilities, but one additional security concern they introduce is being constantly connected to the internet, rather than just a LAN. Since many of these devices advertise being able to control them from anywhere using your mobile device, they often make use of their own proprietary cloud services to accomplish that goal. Because these devices are connected to a cloud service, you’re losing a lot of the control and security you’d gain if it was only locally connected.

This opens the door not only to attackers which may be able to compromise one of the numerous smart home providers out there to gain access to your system/network, but also allows the smart home company full access to your data.

While the latter may not seem like that big of a deal for something like a smart light switch or coffee maker, security cameras and sensors are also IoT devices and their video/sensor data can be accessed from the cloud as well. This not only gives the company a direct feed into your house (if they wanted), any attackers who made their way in could also view this information. This data can then be used to determine when you aren’t home to do other nefarious activities.

There have even been reports of law enforcement contacting these camera companies for video evidence of crimes committed nearby (without a warrant of any kind) and the camera companies handing it over, no questions asked. To make matters worse, (at least for the event I’m referencing) they didn’t discriminate which video footage may be related to the crime and sent over footage from inside an unassuming neighbor’s house.

While the allure of automating and making everything smart is strong, these devices can often introduce vulnerabilities into a system, and it is worth it to do a little research on your device purchase before-hand to consider ones that are local only.

Comments

Post a Comment

Popular posts from this blog

Week 5

One of the more important aspects of software development is security testing, and specifically security regression testing. The first round of security testing is designed to run your program through a list of known vulnerabilities and other security assessments to determine if it is ready for prime-time use. If any bugs or, more concerningly, vulnerabilities are found in the code, it is your responsibility to patch it. However, even after patching out the found vulnerabilities, these patches can sometimes introduce other vulnerabilities themselves. This is the importance of security regression testing, to ensure code you have has not ‘regressed’ to a point less secure than before you started. I have taken a few coding classes when I first started college and I thought I was going for a Computer Science degree, and if there was one common theme I noticed, it was fixing a bug often made others appear. This I guess is an almost universal experience when coding, and there have b...
Read more

Week 8

This week we learned about automation concepts and technologies. One particular section I found interest in was the part on the REST API which is an API that can be built into a website that, like APIs in general, allow other websites or apps to integrate with it. The reading then goes on to talk about how the response codes that web browsers send are structured and that’s something I’ve never through about before. Codes starting with 1xx suggest its an informational message, 2xx mean success, 3xx mean a client redirection, 4xx means a client error, and 5xx means a server error. I’ve been using the internet for pretty much as long as I can remember, and have been met with more 404 and 503 errors than I can count, but am just now learning that they indicate client and server errors. One thing I don’t quite understand is how a 404 error can be considered a client error if the resource was not found on the server side. Perhaps the client is asking for a resource that doesn’t exist? ...
Read more