SINGAPORE/TAIPEI (Reuters) – Recent cyber attacks harnessing everyday devices such as cameras, video recorders, printers, routers and speakers are a wake-up call to the hidden security risks of the Internet of Things.
The problem for the device makers, though, is that few are well equipped to tackle the unfamiliar task of foiling hackers.
For a sense of that challenge, take AV Tech Corp, a once proud giant among CCTV camera makers whose 1990s building in a Taipei suburb hints at the gap it must overcome between hardware factories of a decade ago and those of today.
AV Tech, which made the 2008 Forbes list of companies to watch, has seen competition from China shrink its profits to about a tenth of what they were then. Like its peers, AV Tech has moved its products online, connecting its cameras and the digital video recorders that store the footage on to the Internet so users can access them remotely.
But such companies are not well schooled in cybersecurity, leaving these devices wide open to hackers.
“The harsh reality is that cybersecurity is not even on the radar of many manufacturers,” said Trent Telford, CEO of Covata, an internet security firm. “Security will eventually become more of a priority, but it may well be too late for this generation of IoT users.”
Up to 30 billion devices are expected to be connected to the Internet by 2020 – all potentially vulnerable.
The danger was highlighted when hundreds of thousands of consumer devices were harnessed recently into so-called botnets, launching attacks on target websites, including PayPal, Spotify and Twitter.
Cyber security experts say this is just the beginning.
They have since found new versions of the malware designed to find and infect poorly secured devices. Botnets could also be used in advertising fraud and blackmail, according to Daniel Miessler of IOActive, an internet security consultancy.
Flashpoint, a cyber security consultancy, said parts of the botnet used in last month’s mass attack were used this week to launch denial of service attacks on the campaign websites of both U.S. presidential candidates, though neither site appeared to have been knocked offline.
While researchers have not found any AV Tech devices in a botnet, they have pointed to lapses that make them vulnerable.
In a blog post, confirmed by his company, Gergely Eberhardt of Hungarian security firm Search-Lab said he spent a year trying to alert AV Tech to 14 security holes in its products. He got no response, and last month released his findings.
That, and news of other botnet distributed denial of services attacks, was a wake-up call for the Taiwanese firm.
“To be honest, in the past, hacking and discovering such matters was not an issue for AV Tech,” said Dick Lee, special assistant in the company president’s office. “This experience has significantly raised our alert level internally. This is something that those in the surveillance equipment business must face seriously.”
That’s happening, but slowly – and sometimes reluctantly.
Chinese camera maker Hangzhou Xiongmai Technology recalled thousands of its devices after researchers said they may have formed part of the botnet that took down Twitter and other websites, but it also threatened legal action against those defaming the company.
Chipmaker Qualcomm said it was looking into new technologies, including those based on machine intelligence, to make IoT devices safer.
“We can build into the hardware certain fundamental things that will watch to see: is the device doing something it wasn’t expected to do? Is it talking to somewhere it wasn’t expected to talk to? Is it accessing memory differently?” executive chairman Paul Jacobs told Reuters on the sidelines of an event in Taipei on Monday. “It’s very important for IoT to make sure you have a way of securing and updating devices.”
AV Tech said it was talking to Search-Lab and other security firms about long-term cooperation, and also plans to release updated firmware – software that upgrades the inner workings of its devices to make them more secure.
It’s not just the more established consumer electronics firms which are battling this.
Lani Refiti, cyber security lead for Cisco Systems, said he has been working with Australian hardware start-ups to make their devices more secure.
One firm making sensors to allow treadmill users to share their workouts, he said, faced a three-month delay if it rewrote software to properly encrypt data. The cheaper solution was to obscure the data, and make any hacker work harder to crack it.
A handful of industry groups are emerging to focus exclusively on security.
Refiti set up IoTSec Australia this year to work with entrepreneurs, while UK-based IoT Security Foundation has chipmaker ARM, Huawei and Philips among its members.
Its main goal, says founder John Moor, is to simplify guidance so engineers actually read it. The foundation is releasing its first best-practice manual, condensing a 300-400 page industry document to just 30 pages.
“The challenge is more than the technical challenge” for these companies, said Moor. “You can put in security features, but do you have the right processes in place, are you doing the right things?”
For AV Tech, improved security may prove to be a way to differentiate its products from Chinese competition.
“This is a good opportunity. For these surveillance products, the demand on their security is the most important,” said Lee, adding the inevitable higher cost “is not expected to be huge.”
(Reporting by Jeremy Wagstaff and J.R. Wu, with additional reporting by Sijia Jiang in HONG KONG; Editing by Ian Geoghegan)