There are no winter breaks on the darknet: Our top 10 IoT cyber stories of Q1 2020

Let’s start with some good news: the IoT industry is becoming more accountable for security in multiple ways, including by beginning to develop cybersecurity safety standards. 

In the past year, we’ve seen significantly higher awareness about cybersecurity risks and new security measures being implemented by some of the top IoT manufacturers. This means that the industry is doing what innovators do so well: learning from history and evolving by avoiding the past mistakes of others. So much for the good news.

The not-so-great news? Hackers are highly innovative too, and evolve their skills as well. Since hackers are always working on new attack methods, the industry still has its work cut out for it.

As you’ll read below, in the first quarter of 2020, IoT devices were still incredibly vulnerable and suffered a wide range of cyber attacks and their financial and public relations consequences. It means that we, as an industry, are maturing but must remain vigilant to stop new attacks. 

The vulnerability of IoT devices is a hot topic in security circles and stems from a few inherent qualities and problems. IoT devices are (rightfully) considered low-hanging fruit by hackers, who view them as relatively unsecured gateways to access sensitive data or other devices on a network. With new smart devices launched daily, firm security protocols aren’t fully implemented by manufacturers, making things easier for hackers and more dangerous for consumers. Here are a few examples of the top cyber stories that caught the attention of the media in Q1 2020:  

1. The connected vacuum that you can’t trust to only clean dust  

  • The incident: A smart vacuum with vulnerabilities was presented as a ripe target for remote attacks, including denial of service (DoS) and camera hacks. 
  • Timing: During the RSA Conference 2020 
  • Geography Impacted: Unspecified. 
  • Implications: The device and its security flaws were featured in a report by security company Checkmarx, which isn’t the type of PR manufacturers hope for. Beyond just brand impact, we bet sales were impacted (a Google search performed during the purchase process generates top results of news mentions about this security issue, which is naturally a big turn-off for consumers).

2. New malware targets IoT devices that use Windows 7

  • The incident: With Microsoft announcing that it will no longer issue security patches for Windows 7, around 200 million devices using the operating system are now more exposed to threats.   
  • Timing: From January 2020 
  • Geography Impacted: Manufacturing sites across the globe.

Implications: This malware was discovered by TrapX Security. Embedded OT IoT devices are not easily updated, and often need to be replaced to upgrade to new, more secure operating systems. Having devices running legacy operating systems leaves networks open to attack, risking employee safety, disruption of production and, in some cases, loss of sensitive data. A malware infection can cause IoT devices to malfunction, affecting workers on the manufacturing floor, causing delays in supply chains and damaging brands’ reputations.

3. Lights out for Philips Hue’s smart light bulbs

  • The incident: A drone was able to hack smart bulbs and set off a virus-like reaction. 
  • Timing: February 2020, re-exposing an issue that was first reported 4 years prior. 
  • Geography Impacted: Networks with Philips Hue bulbs globally, even outdoors. 

Implications: This isn’t the first time smart bulbs have made headlines and generated bad PR. The potential monetary damage includes home break-ins and possible lawsuits. This vulnerability is not limited to Philips Hue bulbs and hubs: it’s in the Zigbee protocol used by many home IoT brands, including Ring, SmartThings, Ikea Tradfri, Belkin’s WeMo, Yale locks, Honeywell thermostats, and Comcast’s Xfinity Home alarm system. This makes the implications broader and costlier.

4. Security has left the (smart) building

  • The incident: Hackers target access control systems for smart doors and buildings with DDoS attacks. 
  • Timing: February 2020. First reported May 2019 by cyber firm Applied Risk. 
  • Geography Impacted: Everywhere, including office buildings, factories, industrial parks and private homes. 

Implications: More than 2,300 buildings were affected by the hack, putting many properties as well as the companies behind the systems at risk and harming manufacturers’ business.

5. The Ring app’s third-party hack will make your ears ring

  • The incident: The Android Ring app was found to include third-party trackers that sent personally identifiable information (PII) to external companies!
  • Timing: The issue was reported in late January 2020. 
  • Geography Impacted: With third-party entities involved, the incident has widespread global influence across all Android Ring users.  

Implications: The incident was reported through an investigation by the Electronic Frontier Foundation (EFF). We also expect this to affect companies that received the information from Ring. 

6. Consumer Reports raises IoT security standards

  • The incident: Product testing and review platform Consumer Reports announced new security standards for cameras, doorbells, and other security systems via a letter sent to 25 connected-device manufacturers. 
  • Timing: The letter was published in January 2020. 
  • Geography Impacted: n/a

Implications: This is good news. Manufacturers were asked to submit their new security practices by late January 2020.

7. Manufacturing sites globally affected by new malware campaign

  • The incident: The reported malware campaign targets manufacturing sites’ flaws and infiltrates a wide range of connected products using a self-spreading downloader running malicious scripts. 
  • Timing: The issue was first reported in October 2019, expanding ever since. 
  • Geography Impacted: Manufacturing sites located in Latin America, North America, Africa, and the Middle East. 

Implications: The global spread and variety of affected devices, combined with one of the most expensive industries to disrupt, make for a costly crisis.

8. Will Sonos continue supporting its legacy products?

  • The incident: Wireless speaker maker Sonos announced it will no longer update features for its legacy products, then backtracked following public outrage. 
  • Timing: Late January 2020. 
  • Geography Impacted: Global.
  • Implications: The initial announcement caused a PR crisis for the company, which forced the CEO to issue a corrective statement. 

 

9. Survey says: Enterprises are unprotected 

  • The incident: A survey conducted by the Ponemon Institute found that 60% of enterprises report insufficient ability to detect and respond to Public Key Infrastructure (PKI) breaches.
  • Timing: The survey was published in February 2020. 
  • Geography Impacted: The United States and Canada. 

Implications: We feel the implications of unsecured smart infrastructure devices daily. Perhaps admitting that there is a problem is a positive step. 


Some of the incidents referenced above prove what we demonstrated at CES 2020, where we showed how a smart vacuum cleaner can be hacked. Accessing IoT devices that lack proper security measures is easier and riskier than we think. Watch the demo here.

An overdue influx of regulations 

We started this post by mentioning that the industry seems to be heading in a more secure direction, including relevant regulations in the field. 

Regulations are usually created when the risk becomes too significant to be ignored or managed on an opportunistic basis by each private party, according to its specific beliefs and attitude. 

New laws include the CCPA in California, the national Developing and Growing the Internet of Things (DIGIT) Act, and IoT-focused laws introduced by the UK government. There’s even a new voluntary tool created by the National Institute of Standards and Technology (NIST). 

IoT manufacturers who still haven’t adjusted to the new security standards will have no choice but to do so soon. 

We’ve come a long way as an industry and have the support we need to keep pushing for better IoT cybersecurity measures. As new and improved security standards are being embraced across the board, we’ll be able to enjoy even greater interest in IoT device adoption everywhere.
