Cyberthieves licking chops at IoT, voice-controlled security gaps
If a consumer is going to ask a voice-controlled virtual assistant to order and pay for a pizza and maybe also lock the doors and turn off the lights in a home, that presents an appealing target for a cyberthief.
It means a device used to secure a home or interact with a security system may also have some financial or payment data available, or at least a connection to financial accounts.
Alexa, Google or Siri can't do all of those tasks alone just yet, but the Internet of Things is definitely heading that way — and securing these types of modern-day conveniences is getting a lot more attention.
Payments providers have been watching IoT developments closely for some time, knowing full well that any future machine-to-machine environment calling for communication and transactions will surely include a consumer's option to make payments through such a network.
That turns any home or business into its own complex network of devices, routers, sensors, passwords, communication coding and private credentials.
"The utilization of voice devices from Google and Amazon comes with a lot of security protocols, as we work with both of them — and their teams take security very seriously," said Jeff Gardner, president and CEO of Brinks Home Security. "But more and more of our customers are asking for the ability of a voice-controlled device to do far more things in the home, like locking doors and turning off lights."
It's an additional risk because so many new devices operate in an IoT environment or interact with other technology in the home, Gardner said Tuesday during the annual IoT Summit.
The technology isn't foolproof and can fall victim to unintended consequences. Much of the new technology still relies on user diligence in creating complex passwords and monitoring equipment and accounts to spot problems.
"I saw it happen in my own home that an Alexa commercial came on TV and when it said 'Alexa,' my device responded and asked what it could help me with," said Mike Mackey, chief technology officer of Centri Technology. "If the device responds to just any voice on TV, that is obviously a security threat."
Though hackers are normally seeking personal or payment data they can monetize, they are not going to skip out on the opportunity to get into a home or business network, possibly infiltrate a voice-controlled device and simply ask it to unlock all of the doors at a residence or business.
In effect, the current generation of voice-controlled devices does not present a case of an authorized versus an unauthorized user. If you can communicate to it through sound, you can affect its action.
"If you can get audio to the device, it's a real potential attack scenario," said John Sheehy, vice president of sales, strategy and strategic services for IoActive. "I can tell you that nation states today are going after well-defended home security systems and other components in the home because they want to establish an existence in that environment."
It sets up cybercriminals for what is called an "advanced persistent threat" in which they probe gaps in networks and lie in wait to obtain important credentials, transaction data or any other useful information regarding the consumer's habits, Sheehy added.
Part of the problem with IoT security is that newer technology is often put into networks with older devices within a home or business.
A consumer buying a new smartwatch and using it for payments or to communicate with other devices in a home may have opted for a cheaper model that doesn't have the security offered by more expensive ones, Centri's Mackey said. Or it may interact with a Bluetooth device or other less secure devices when moving data to a gateway.
"Cybersecurity is an ongoing model," Mackey said. "Manufacturers have devices that previously weren't 'smart,' but they are connected to smart devices. When you look at the cyberattacks, they are always changing, and the security model has to evolve with it."
Most people don't consider what type of security is installed in all of their home or business devices.
"You are not going to find a person asking if the sensors they have from five years ago are encrypted," Brinks' Gardner said. "When we work with these people, we want to make sure all of their vendors and providers have encrypted or updated their products."
An unencrypted system is often chosen because it is less expensive, but even those who buy the more secure encrypted systems are often matching up those new products with older technology, thus unwittingly creating security concerns, Gardner added.
A security company can spend a lot of time with a customer or business owner explaining IoT devices and how they interact and connect, and where security vulnerabilities may exist. But a common, and fairly easy to resolve, problem still exists.
"The customer has to be very involved in this process; it's not all on us," Gardner said. "They still have to do the hard work of making sure their passwords are updated and they are taking security very seriously."