Computing equipment is not only many thousands of times faster than it was 50 years ago, but also has millions of times more storage crammed into less than one millionth of the space, at a tiny fraction of the cost.
As a result, consumer devices including video cameras, baby monitors, home thermostats, doorbells, voice assistants and even wirelessly programmable color-changing light bulbs have become cheap, internet-connectable computers in their own right.
These devices are collectively known by the innocent-sounding buzzphrase Internet of Things, or IoT for short, even though they may be capable of gathering and uploading intimate personal data automatically and autonomously.
Indeed, some of them could just as reasonably be referred to as IoS products, short for Internet of Surveillance.
Ironically, perhaps, IoT devices surged in popularity in the cost-conscious consumer marketplace at about the same time that computer security became a globally serious issue for the makers of mainstream operating systems and browsers.
Cybercrime in the form of malware that deliberately damaged data and disrupted online business was already a huge problem in the 1990s and the early 2000s, thanks to computer viruses such as Melissa and the notorious Love Bug spreading globally by email, and to computer worms such as Code Red and SQL Slammer replicating invisibly across the internet from PC to PC.
Back then, many operating systems, notably including Microsoft Windows, had few of the programmatic defences against remote exploitation that are considered essential today, such as:
From about 2001 onwards, cybercriminals and their malicious code moved away from cyber-vandalism and digital boasting, and deliberately began to find ways to make money illegally.
Malware writers started to focus on software-based cybercrime tools such as banking Trojans that aimed to steal money from online bank accounts, and keyloggers that recorded passwords as they were typed in.
Email spammers learned to craft phishing emails that actively suckered people into money-making scams, and lured them onto bogus websites complete with fake login forms.
Cybercriminals went out of their way to turn software vulnerabilities into exploitable security holes that would make their malware and phishing attacks easier to launch, and harder to stop.
By the mid-2000s, DEP, ASLR and other proactive cybersecurity measures had made their way into all mainstream operating systems, and were steadily, if slowly, adopted and enabled by default, rather than offered as optional security add-ons.
Programming teams committed themselves to “secure by design” and to a “security development lifecycle,” with the aim of hardening everything from the operating systems themselves, through the browsers we used, to the websites we visited.
Mobile phones from Apple and Google followed suit during the 2010s, building in additional layers of security even more restrictive than we’d typically tolerate on our laptops, such as running every app as if it were a separate user in order to limit the amount of damage or snooping that a malicious app could do.
Despite all these changes, however, exploitable vulnerabilities and malware infections remain a clear and present danger.
We’re reminded of this every time major vendors push out security patches, which happens at least once a month for Microsoft (on the second Tuesday of every calendar month, dubbed Patch Tuesday); every fourth Tuesday for Mozilla; and at the start of each month for Google Android.
Apple doesn’t follow a pre-determined schedule like the others, but typically delivers major security fixes for its phones and laptops every four to eight weeks.
But even with all the proactive protections mentioned above, bugs known as zero-days, which are security holes that cybercriminals figure out and actively exploit before any patches are available, still make the news numerous times a year, showing up in popular operating systems, browsers, apps and online services.
Simply put, we’re still troubled by critical cybersecurity bugs even though the world’s biggest, richest, and most experienced software vendors now invest huge amounts of time and effort to avoid the sort of easily-exploited security mistakes that were common in the 1990s.
So, stop for a moment and ask yourself, “In the budget-conscious world of IoT devices, where vendors compete to sell complete, miniature computers such as webcams, weather stations, or digital doorbells for a few tens of dollars at full retail price, just how much of their design and development budget gets spent on security?”
Equally importantly, how much of the revenue taken in by the vendors of super-cheap IoT devices is spent on fixing and patching any bugs that are discovered in their products after they’re released?
Even worse, if unpatched and potentially dangerous IoT bugs do get reported, how can you be sure whether those bugs affect any devices you own?
Hundreds of apparently independent “vendors” often end up selling identical devices, based on identical hardware and supplied with identical built-in software, complete with identical bugs.
Yet the product names, branding, packaging, and appearance may seem completely different at first glance.
As a result of this cut-throat, low-margin marketplace, the theory and practice of cybersecurity at the bottom end of the IoT market has lagged very many years behind the still-not-yet-perfect world of higher-value products such as high-end mobile phones, laptops, and so on.
Indeed, there’s a widely-repeated and cynical joke in cybersecurity circles that says, “The S in IoT stands for security.”
In the automotive industry, identical core vehicles sold under different brands are usually known as badge engineered, given that it’s mostly the badges glued onto the bodywork that vary between the models. In the pile-them-high-and-sell-them-cheap world of IoT products, this is often referred to as whiteboxing. Each “brand” gets to choose not only its own product name, logo, color and packaging, but also to vary the entire look-and-feel of the product by using visually different external plastic mouldings to make the device look different from the sea of otherwise identical products in the market.
Cheap IoT devices often end up:
The irony and the dangers are glaringly obvious when a low-cost, low-security device, shipped full of bugs that can never be patched or updated, nevertheless requires direct access to your home network and the internet before it will function at all.
Finally, after many years of dancing around the problems of allowing cheap IoT devices to flood the market, often with little or no regard for security, the US government has announced the official launch of a service dubbed US Cyber Trust Mark for what it refers to as consumer connected devices.
Devices that pass a series of basic tests led by a chosen third-party cybersecurity label administrator (CLA), named as UL Solutions (formerly Underwriters Laboratories), will be entitled to tag their products with a Cyber Trust Mark logo.
Products with the logo will be required to put a web link, including a QR code, onto their product packaging, linking to online documentation that describes the steps that users must follow to set the device up as securely as possible.
The goal, according to the US Federal Communications Commission (FCC), is to balance the popularity and convenience of connected devices with the online safety and cybersecurity that users should reasonably expect:
Consumers rely increasingly on the convenience of wireless interconnected smart products, also known as the Internet of Things or IoT. You can link your garage door opener, your front door lock, your house alarm, and your lights so everything opens, unlocks, and turns on when you get home. Once inside, you can keep an eye on your baby from the living room, where you can shop using a voice-activated device — to name just a few examples. But with this convenience comes risk. IoT products can be susceptible to a range of security vulnerabilities.
To help address this, the FCC is creating a voluntary cybersecurity labeling program for wireless consumer IoT products. The program builds on significant public and private sector work on IoT cybersecurity. And it will rely on public-private collaboration going forward.
Although announced with some fanfare in January 2025, the Cyber Trust Mark system is still a long way short of where we really need to be, not least because:
Unfortunately, it seems that vendors will still be able to ship products that don’t take security into account at all, although they will at least be compelled to own up to their casual attitude to cybersecurity before you buy their devices.
Notably, Cyber Trust Mark products will apparently need to admit up front:
In conclusion, the Trust Mark is a welcome start (or it will be when it finally reaches products in the US market), but it’s unlikely to be enough on its own to force the consumer end of the IoT market into taking cybersecurity as seriously as it should.
As consumers, the real power lies with us: If in doubt, don’t roll it out!
Don’t rely on online reviews or social media writeups to judge the security of an IoT product.
Find a technical friend whom you know, and like, and trust, and invite their opinion instead.
And don’t be afraid to listen to them if they advise you against using a product that you already paid for – permanently removing an insecure device from your network is a valid and effective cybersecurity precaution, even if it condemns that $19.99 baby monitor to a disconnected life on the shelf!
Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
Featured image of circuitry by Gavin Allanwood via Unsplash.