How vulnerability disclosure keeps you and your family safe

By on Feb 26, 2020

Surrounded by smart home devices as well as apps which integrate with other services, we are entering an age of consumer technology where everything can talk to everything. For most consumers, this will just feel like the next logical step in a technological advancement which has been going on for decades.

This year, we will see more companies announce more new smart products than ever before, and we know that while some of these devices and services will become enormously successful, others will sink without a trace. From doorbells, kitchen scales and coffee cups to fridges and even cars, thousands of companies are racing to build the next generation of smart – and nobody knows for sure what will take off.

What we do know for sure, however, is the potential threat that it can represent – or, for cybercriminals, the opportunity. While, for home users, having products which talk to each other goes along with portability and power as a part of general technological progress, in terms of security this change is unlike anything else. Every IoT device we buy is another route that an attacker might use to do damage and make money. With so many options around, how can you buy in to the convenience of connected devices in your home while also ensuring that you’re keeping yourself safe? Fundamentally, it’s not about whether products might have vulnerabilities, but how companies react when vulnerabilities are found.

Everything connected

There is no single type of cyberattack used against connected consumer technology. At their simplest, attacks on unsecured IoT consumer devices might affect only the device itself. For instance, a smart lightbulb might be taken over and its internet connection used as a tool to attack other targets: concerning, but not directly damaging to the lightbulb’s owner. These attacks are more troubling, however, when the attacker is stealing not just an internet connection, but its owner’s identity by compromising their login details.

An even more serious concern for users will be situations where a device’s functionality can be controlled by somebody other than the owner. Recently, McAfee’s Advanced Threat Research team found a worrying example of this where a smart garage door can be tricked into opening when the owner thinks they are closing it remotely – for instance, after opening it to allow a package to be delivered while they are at work. Our team also found a vulnerability in a smart plug which, when carefully exploited, can potentially grant access to anything else on the same home network, such as computers, televisions, and security systems. And, most recently, we also identified a new vulnerability in autonomous vehicles which I discuss in a previous blog.

Working together

Finding vulnerabilities which an attacker might be able to take advantage of is a difficult and highly specialised job. At McAfee, our research teams use techniques similar to those that criminals might employ to try and get there first.

Of course, telling the world about these problems as soon as we find them would give criminals a chance to use them before the companies that make the products have chance to solve them. That’s why we, like other organisations doing this kind of work, follow a responsible disclosure policy: first, we tell the company concerned about what we found, and then, after a set period of time, we log a public notice (like this one for the smart plug vulnerability) which puts this information in the public domain. That way, businesses have both the time and the motivation to fix the flaw.

The good news is that all of this gives us specific steps to take which can help ensure that our connected lives are also secure lives:

  • Research products up front: searching for the product name plus ‘vulnerability’ should quickly show whether any research teams have identified problems with it, whether they’ve been fixed.
  • Give cybersecurity researchers time: while brand new products are exciting, choosing a device which has been on the market for some time makes it more likely that any major vulnerabilities will have been discovered.
  • Keep your technology updated: being connected means that problems with IoT devices are usually fixable with new software, so regularly checking for any new updates will minimise the chances of being caught out.

While groups like the McAfee Advanced Threat Research team are working hard to find potential attacks, it is also critical that the companies making these products have what we call vulnerability disclosure programmes. These programmes are used to encourage research groups to probe the security of the products and reassure the world that the company will respond positively where vulnerabilities are found. These steps, after all, are only useful if companies are actively seeking to ensure that their products are secure.

For example, leading smart lightbulb manufacturer Philips has a dedicated webpage explaining how to safely report a vulnerability to the company – meaning that if and when a problem is found, the details will be seen quickly by the right people and, hopefully, remedied. Apple and Google go one step further by offering bounties of up to $1 million for finding problems in their software, incentivising researchers to throw everything they have at uncovering issues. While it cannot guarantee safety, a vulnerability disclosure programme should be seen as a precondition for buying a connected device from a manufacturer.

By being smart about your home’s smart devices, together with familiar measures such as using strong, unique passwords, you can enjoy the convenience of connectivity while also protecting yourself online.

About the Author

Raj Samani

Raj Samani is Chief Scientist and McAfee Fellow for cybersecurity firm McAfee. He has assisted multiple law enforcement agencies in cybercrime cases, and is a special advisor to the European Cybercrime Centre in The Hague. Samani has been recognized for his contribution to the computer security industry through numerous awards, including the Infosecurity Europe hall ...

Read more posts from Raj Samani

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to McAfee Securing Tomorrow Blogs