Effecting positive change in the Internet of Things
Way back when…
We started our journey back in the day when the IoT was in its infancy. Our first published research was in June 2015 with a post about extracting the Wi-Fi PSK from Fitbit’s Aria weighing scales. This led to a challenging disclosure process with Fitbit, though it ended positively and constructively, with Fitbit supporting our efforts to educate and improve cyber security. This included us delivering workshops and briefings at the world-famous DEF CON and Black Hat hacking conferences.
Seven years on, the security challenges that IoT device manufacturers, IoT platform providers and API developers fail to handle have not gone away. The growth in the market for smart ‘things’ and the persistence of poor practice have amplified the problems. Our ever-increasing catalogue of IoT security research (160+ posts and counting) is anecdotal evidence of this. That’s not to say that some responsible manufacturers haven’t listened. There are many great examples of secure smart devices, but good practice is far from ubiquitous.
Headlines
Along the way, we discovered a number of high profile vulnerabilities that made international media headlines. These included the fact that many Samsung smart TVs were listening to the viewer and sending recordings of conversations to servers in the US for conversion to text, unencrypted. We discovered smart refrigerators that leaked the owner’s email credentials to passers-by. We demonstrated the first ever proof of concept ransomware on an embedded device (a smart thermostat), along with many other world-leading pieces of research.
Independent research
We spend a lot of time carrying out independent research: compromising devices, then convincing vendors to fix the issues. Seeing these problems fixed is good for us, and good for consumers, but it doesn’t always address the root causes at the vendors involved. Those root causes stem from:
- A lack of security understanding
- A lack of sufficient care for users
- Not factoring security into their product roadmaps
- A lack of comprehensive legislation to prevent bad vendors from bringing insecure products to market
- Discrepancies in regulation across different regions
- A lack of active enforcement of the regulations that do exist
Our flagship piece of…