If we must have an IoT bog roll holder, can we at least make it secure?

It's the internet of sh*tty things, says Intel Security's Raj Samani


MWC Greater accountability is needed in the rush to connect absolutely everything to the net – including toilet roll holders and pregnancy tests – Europol's CyberCrime Centre advisor and Intel Security CTO Raj Samani has said.

"It is an internet of vulnerable things," he told The Register at Mobile World Congress in Barcelona. "Go and ask anyone on the show floor: what data are you collecting? What are you doing to safeguard information and secure the device? And you will get blank stares. No one is thinking about what you are doing to secure the gadget."

A major issue is that poor security practices already exist on things like mobile apps – an approach that could cause profound problems with the proliferation of connected devices, he said.

Research published by Intel Security this week found 4,000 apps that were removed from Google Play without notification.

More than 500,000 devices still have these apps installed and are active, leaving users exposed to any vulnerabilities, privacy risks, or malware contained in these dead apps.

One recent example is a password-stealing app, distributed on Google Play as a Trojanized version of Instagram.

Samani said he has recently seen a number of bizarre IoT devices, such as a proof of concept for a pregnancy test that tweets the results, and a connected toilet paper holder that lets the user know when they are running low on bog roll.

He said that before more products arrive on the market, measures should be put in place to hold companies to account, adding that it is concerning that companies already absolve themselves of responsibility for data loss in their terms and conditions.

"Let the market decide. If you want an internet-connected toilet holder, fine. Although I might not use your bathroom. But there has to be some degree of due diligence."

Samani said it was not a case of industry fear-mongering because others have also demonstrated severe existing vulnerabilities – such as the recent confirmation that implantable cardiac devices have hackable flaws.

He added: "I have a couple of kids, and I genuinely worry about what privacy will mean for them in the future, unless we put security into these devices. Because every move they make, it's going to be tracked, it's going to be locked, it's going to go somewhere in the cloud and used by who knows. So we've got to start banging the drum now."

He said the industry needed to change its language to make the risks more real for non-techies. "So we're talking about not being able to get a mortgage because your credit rating has been damaged, or your kids not getting the job they wanted because someone guessed the name of their password and started tweeting racist stuff."

Last year the Mirai IoT botnet, comprised largely of internet-enabled digital video recorders and surveillance cameras, was used to devastating effect in October, taking out DNS provider Dyn and leaving scores of high-profile websites unreachable as a result.

The Intel Security report noted: "We have been watching IoT attacks for several years and over the past year have seen the infection rates grow by roughly 20 per cent every quarter. The success of the Mirai attack has not only encouraged others, but also made the code readily available to reuse and learn from."

It recommended that developers, app store curators, device manufacturers, and security vendors should work closely together, transparently share threat intelligence, and rapidly address security vulnerabilities "to keep this marketplace healthy". ®
