Expensive IoT Devices Are Not Immune to Vulnerabilities

Choosing a pricey connected device over a cheaper does not guarantee it is immune to hacking or free of vulnerabilities. Most often, the price difference is due to the quality and performance of the physical parts. It’s the maker’s security posture that stands as a promise to do away with weaknesses in a timely manner and provide customers with a revised version of the firmware code.

Most IoT devices are riddled with security vulnerabilities that make them an easy target for criminals. Companies that understand this risk to consumers and the impact on their business make defenses against unauthorized access an objective from the design stage all through the final step of development. Resources allocated specifically for this purpose are usually reflected in the price of the product.

These precautions do not ensure error-free code, but they do make it harder to find a hole and compromise the device. And when the word is out on a defect, security-conscious companies can act quicker to repair it.

In March, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory about a swath of critical vulnerabilities in a couple of high-end IP cameras from Geutebrück. The two products affected (G-Cam/EFD-2250 and Topline TopFD-2125) out of support life, but still available for purchase from the vendor.

Geutebrück is a German manufacturer and developer of high-quality, intelligent video security solutions. The severity ratings for the six glitches reported for their two products range from 8.3 to 9.8, out of a maximum of 10; all of them were zero-days – previously unknown vulnerabilities, and ICS-CERT warned that they could all be exploited remotely by an attacker with little skill.

Despite being in the security industry and making expensive products, Geutebrück could not shield its cameras from vulnerabilities. The company did not fall back on protecting its customers and fixing the problems, even for end-of-life devices. New firmware versions were released and customers were invited to download the fresh code.

When Google and Amazon learned that the BluBorne vulnerability, affected their Home and Echo digital assistants, they acted promptly and delivered fixes automatically, without user intervention. Just like Geutebrück, they are highly invested in securing their products and received the bug details before they became public.

On the other hand, hooking a cheaper IoT device to your home network is not necessarily certain to lure hackers. But there is a good chance that the low price tag is a result of cutting on quality assurance, which is always a poor sign on the security front.

One way to verify the security posture of the vendor is to check if its products support updates and how difficult it is to apply them. Typically, a maker that cares about security tries to make the updating process as simple as possible for the user.

History has shown that all code has security bugs that are uncovered sooner or later. Responsibility for fixing the flaws falls on the code maintainer, which, in the universe of IoT, sometimes is the vendor of the product; and this duty should extend for the entire support life of the device.

Image credit: stevepb

Add Comment

Your email address will not be published. Required fields are marked *