Plug-and-play convenience in smart devices might just rob you blind

Inherent IoT insecurity and customer convenience are two sides of the same coin. Vendors fail to implement proper safeguards (sometimes omitting them intentionally for the sake of convenience), and customers might switch to a competitor if they don’t get plug-and-play functionality.

Neither party places nearly enough thought or effort into safeguarding the product from hackers. This widely known phenomenon is the raison d’etre of Bitdefender BOX.

Now, researchers at UC Berkeley School of Information have calculated the actual costs of hacks on IoT devices. Their research paper comes with a dynamic calculator that includes three attack scenarios with variables that users can adjust to determine the costs of an attack.

The attack on security heavyweight Brian Krebs’ website in 2016, for example, cost the owners of the IoT devices involved in the botnet an estimated $320,000. That may not sound like much per household (Krebs himself estimates it at $13.50 per device, and some users may not have incurred any costs depending on their Internet subscription), but these costs will only grow as the proliferation of IoT devices accelerates and security remains a distant priority, from the manufacturer to the end user.

Authors Kim Fong, Kurt Hepler, Rohit Raghavan and Peter Rowland put forth the following theory behind the “in-security” of the Internet of Things. According to the research quartet, IoT security suffers from misaligned incentives. And it seems everyone shares the blame, including you, the consumer:

“On the manufacturer side, many devices run lightweight Linux-based operating systems that open doors for hackers. Some consumer IoT devices implement minimal security. For example, device manufacturers may use default username and password credentials to access the device. Such design decisions simplify device setup and troubleshooting, but they also leave the device open to exploitation by hackers with access to the publicly-available or guessable credentials.”

“Consumers who expect IoT devices to act like user-friendly ‘plug-and-play’ conveniences may have sufficient intuition to use the device but insufficient technical knowledge to protect or update it. Externalities may arise out of information asymmetries caused by hidden information or misaligned incentives. Hidden information occurs when consumers cannot discern product characteristics and, thus, are unable to purchase products that reflect their preferences. When consumers are unable to observe the security qualities of software, they instead purchase products based solely on price, and the overall quality of software in the market suffers.”

Regulations like GDPR and other directives seek to solve part one of the problem by compelling vendors to secure their products and services “by design and by default,” meaning manufacturers will soon be held accountable for rolling out a device or service that later proves inherently insecure.

Part two of the problem may suggest it’s the customer’s responsibility to understand the intricacies of the IoT world and the risks involved when switching on an Internet-connected, always-on device. However, the truth is people buy these products based on claims made by the manufacturer or seller. In trusting the party that sells the product perhaps lies the customer’s one and only fault. And let’s face it, people’s understanding of technology varies, while some products are more complex than others.

Bitdefender BOX aims to solve this problem by taking the burden off the customer’s shoulders. BOX lets users enjoy their IoT devices without having to take a class in IT security, resting assured that the entire smart home is under the umbrella of a central security hub.
