News that security researchers discovered several vulnerabilities in the Osram Lightify range of internet-connected light bulbs should serve as a warning to manufacturers and suppliers that offer IoT devices, two industry experts said recently. If exploited, the vulnerabilities could give attackers access to a home Wi-Fi network and potentially allow them to operate the lights without permission.
Commenting on the news, Cesare Garlati, chief security strategist at the prpl Foundation, said: “The security of the Internet of Things is fundamentally broken. Developers and manufacturers understandably are eager to get their new hi-tech devices to market and unfortunately often overlook security, operating under the misapprehension that security-by-obscurity in their proprietary systems will do. Though it may not seem like a big deal if a single light bulb is breached in the home – what if a hacker could control every single one of those light bulbs in a specific geographic region and create a power surge which could cause a rolling blackout?”
Also commenting on the story, Reiner Kappenberger, Global Product Manager, HPE Security – Data Security, said: “The IoT space has become a hot market where companies need to enter quickly with functionality to be considered leading the space. However with that approach where functionality is the leading indicator comes the risk that security measurements are pushed to the back of the development cycle and frequently then dropped in order to release a product. While some of these are easy to fix the problem can lead to new entrants into the market running out of business due to security not taking an equal position to features during development.
“The current lack of guidance and regulations for IoT device security is one of the bigger problems in this area and why we see breaches in the IoT space rising,” continued Reiner. “Companies rush product to market that have been developed by teams that are solely focusing on functionality. They use protocols and tools that have not been thoroughly vetted from a security standpoint as the small amount of storage in those devices poses limitations to the software elements they can use. Companies entering this space need to think about longer term impact of their devices. Typically computers have a lifespan of a few years. However IoT devices may be around for 10+ years before being replaced – especially in home networks. Companies working in this market need to consider this fact as over the years we have seen a constant flood of vulnerabilities in the tools being used and those systems need to be updated to patch those security flaws. This is a problem not only for the light bulbs here but a broader problem that manifests itself on many IoT devices.
“Consumers that venture into the IoT space should identify the security measurements that have been taken to secure the device and ask about the long term support for the product. A breach in the IoT device can easily move to other systems – i.e. the home computer – and attackers would then be able to steal valuable personal information such as bank account information and credentials as they are now behind any firewall that the user might have and the whole home network usually is unprotected in home environments. People still take home network security too lightly and should take broader measures to secure themselves.
“For those manufacturing devices they should consider approaches like a data centric security approach that helps prevent data leakage and taking over control – such as replaying communications as was the situation with the light bulbs – in order to protect their customers properly,” he concludes.