
Effecting positive change in the Internet of Things

Ken Munro 21 Oct 2022

Way back when…

We started our journey back in the day when the IoT was in its infancy. Our first published research was in June 2015 with a post about extracting the Wi-Fi PSK from Fitbit’s Aria weighing scales. This led to a challenging disclosure process with Fitbit, though it ended positively and constructively, with Fitbit supporting our efforts to educate and improve cyber security. This included us delivering workshops and briefings at the world-famous DEFCON and BlackHat hacking conferences.

Seven years on, the security challenges that IoT device manufacturers, IoT platform providers and API coders fail to handle have not gone away. The growth in the market for smart ‘things’ and the persistence of poor practice have amplified the problems. Our ever-increasing catalogue of IoT security research (160+ posts and counting) is anecdotal evidence of this. That’s not to say that some responsible manufacturers haven’t listened. There are many great examples of secure smart devices, but it’s not ubiquitous.

Headlines

Along the way, we discovered a number of high profile vulnerabilities that made international media headlines. These included the fact that many Samsung smart TVs were listening to the viewer and sending conversations to the US for decoding into text, unencrypted. We discovered smart refrigerators that leaked the owner’s email credentials to passers-by. We demonstrated the first-ever proof-of-concept ransomware on an embedded device (a smart thermostat) and many other world-leading pieces of research.

Independent research

We spend a lot of time carrying out independent research, compromising devices, then convincing vendors to fix the issues. Seeing these problems fixed is good for us, and good for consumers, but it doesn’t always address the root causes at the vendors involved. These stem from:

  • A lack of security understanding
  • A lack of sufficient care for users
  • Not factoring security into their product roadmaps
  • A lack of comprehensive legislation to prevent bad vendors bringing products to market
  • Discrepancies in regulation across different regions
  • A lack of active enforcement of the regulations that do exist

Our flagship piece of research was in January 2015, when we hacked a smart children’s doll to modify its vocabulary and showed it could be used as a surveillance device to spy on children. It made cyber security far more ‘real’ to the average consumer.

Collaboration = results

We’ve collaborated with consumer protection lawyers to help ban vulnerable smart products. We’ve also worked with consumer advocacy groups to highlight the poor state of smart consumer device security. These include BEUC, Consumer Reports, Consumers International and many others. We are constant advocates for positive change in the space:

Our work has led directly to vulnerable products being taken off the shelves e.g:

Lobbying = results

We have lobbied hard over many years for improvements too. This has included briefing governments across the world:

  • The EU Parliament: https://www.pentestpartners.com/security-blog/ptp-and-microsoft-to-brief-eu-parliament/
  • The Norwegian Consumer Council invited us to brief Norwegian government ministers: https://www.pentestpartners.com/security-blog/ptp-iot-and-the-norwegian-government/
  • ENISA, the European Union Agency for Cybersecurity, and the EU Cybersecurity Act: https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-act, https://www.pentestpartners.com/event/2nd-europol-enisa-iot-security-conference/ and https://www.pentestpartners.com/event/enisa-4th-iot-security-conference/
  • In the US we have briefed US Chamber of Commerce member organisations and the FTC.
  • We also assisted with the UK DCMS Product Security & Telecommunications Bill, which covers IoT and is now at its 3rd reading: https://bills.parliament.uk/bills/3069
  • The Atlantic Council and the World Economic Forum also invited us to brief their members about IoT security.

Research = results

Over the years we have contributed research and support to many organisations influencing security of smart devices. These include the IoT Security Foundation, whose work and efforts helped lead to ETSI 303 645, a great standard for IoT security:

We’ve also publicly called out where we believe that legislation has been unreasonably watered down:

Research = Big results

Perhaps the highest profile piece of legislation we influenced is California Senate Bill 327. The security issues with My Friend Cayla, the vulnerable talking kids’ doll, were cited as one of the catalysts for the bill, which requires that IoT products sold to California residents are suitably secure.

And finally we’ve given two TEDx talks about IoT security. The second was the 10th most watched TED talk in the world in April 2022:

IoT cyber security is our passion. We will continue working tirelessly to expose poor practice, to help organisations get better at ‘cyber’ and help protect consumers.