If It Ain’t Broke, Then Why?
Do you still have that old wireless router that keeps the internet flowing to the various devices in your home? It does its job in good faith, probably sitting camouflaged in some place where it can offer a good signal to all areas of the house. Typically, it sees the light of day only when it needs a reboot or the occasional reset followed by reconfiguration.
It’s OK, you can admit it. Many people follow the same “set it and forget it” principle, and not just with routers, but with other connected electronics, too. Smart TVs, WiFi-enabled thermostats, surveillance systems (wireless cameras, recorders), network-attached storage (NAS) systems, smart power outlets and printers are likely candidates. As long as the device works, few users tinker with it, oblivious to security issues that emerge over time.
The Reaper botnet is only the latest example of how cybercriminals hijack vulnerable IoT gadgets for various purposes. A vulnerability in network services software, disclosed a month ago, could impact over 1 million smart devices reachable over the web. Another flaw could have allowed a hacker to control all the LG SmartThinQ connected products in a home, had the company not mitigated it.
Security researchers find IoT-related bugs more often than we’d like, but media outlets report mostly those with higher impact, either real or potential. If the product has not reached the end of support life, the manufacturer usually releases a firmware update to address the problem. But don’t count on the new version to install itself. In the absence of an automatic delivery mechanism, you have to install it manually, a task most users rarely undertake.
Sometimes, errors may occur when applying the new firmware and the device remains unpatched. Even when updates arrive and install automatically, users have to start the process themselves, as is the case with smart home hubs from Fibaro and many other products. A malfunction in the product could also impact the update functionality. Only some users would go to the trouble of tracing the source of the problem and finding a fix.
These issues could occur in products supported by the maker, but there are plenty of gadgets whose support has ended, which means they no longer receive software updates. The worrying part is that many users may not be aware of this and rely on a vulnerable device that could fall under unauthorized control, more so if it can be accessed remotely. Setting up additional defences helps shrink the attack surface and the chance that a hacker can get to other parts of the home network.
The ecosystem of the Internet of Things is about more than the convenience of interacting with connected devices remotely. It is also about your commitment, and the manufacturers’, to keep your world safe from cyberattacks. Security risks occur when the maker fails to deliver a firmware update in a timely manner just as much as when you fail to apply it or to reduce your dependence on, or replace, obsolete products.
Image credits: Geralt / Pixabay