Imagine reading a headline in tomorrow’s news that said your neighbor’s identity had been stolen and their life savings were laundered by criminals who entered through their “smart” washing machine.

Funny, you say? Well, have you checked your home Wi-Fi network recently?

You may have connected home appliances and other Internet of Things (IoT) devices attached wirelessly through a router that is configured incorrectly, with no firewall settings. Is the firmware current? Are the security patches up to date?

Still not convinced that this is a serious problem? Then consider this shining example of how dangerous an outdated device can be.

In June, owners of Western Digital My Book NAS devices worldwide discovered that their devices had been mysteriously reset to factory settings and all their files had been deleted. My Book Live and My Book Live Duo are personal cloud storage devices.

When WD product users tried to log in through the web dashboard, the devices responded that they had an “invalid password”. Owners of WD My Book could no longer access the device through a browser or an application.

My Book Live and My Book Live Duo products suffered data loss due to a security incident, according to the Western Digital website. WD informed customers that the company would cover the costs for qualifying users with qualifying products to recover their data using data recovery services (DRS) provided by a vendor selected by Western Digital.

The company promised to cover the costs of sending the qualifying product to the DRS vendor and of the data recovery service. Any recovered data will be sent to the customer on a My Passport device.

Western Digital confirmed that “some My Book Live devices are being compromised by malicious software”. The company also confirmed reports that this has led to a factory reset that erased all data on some customer devices.

The My Book Live device received the final firmware update in 2015. The June 2021 statement from Western Digital suggested that users disconnect their My Book Live devices from the Internet to protect the data on their device.

The My Book Live vulnerability shows that there is still a long way to go in IoT security. Much attention has been paid to such devices not being hardened or built to best practice, according to John Bambenek, threat intelligence consultant at Netenrich.

“In this case, we see that equipment is being built that aims to exceed the supporting commitments of their vendor; so not only are they vulnerable, but consumers can also be protected. Whether it’s data loss, ransomware or DDoS, these issues will continue to recur until vendors commit to protecting their customers,” he told TechNewsWorld.

Wrong business model

The original equipment manufacturers (OEMs) do not take any responsibility for this fiasco, as their aging connected equipment is no longer on sale.

However, most customers are not aware that these devices have an expiration date, and consumers are not warned of the dangers of continuing to use unmaintained firmware, leaving countless outdated devices waiting to be infiltrated by opportunistic attackers, suggested Asaf Ashkenazi, COO at connected equipment security firm Verimatrix.

“OEMs either need to transform their business model to support a long-term software update service or install more sophisticated technology that would make hacking these devices much more difficult,” he told TechNewsWorld.

Ashkenazi is not directly blaming the OEM industry for problems like the Western Digital fiasco. The problem is with the business model. There are no standards to regulate how IoT equipment should be maintained and secured.

“Unfortunately, I do not see anything addressing security standardization in these IoT devices. Maybe the government or consumer protection, or some companies will decide to build a consortium that means who is responsible,” he said.

There is definitely a need for more transparency regarding the level of software support on these devices. Nothing can be done to address the problem until the industry decides to take on that challenge, he added.

Consumer Education and Pressure

It will take an educational awareness effort to make consumers aware of the inherent risks in purchasing unsafe IoT equipment. This could then translate into enabling consumers to consider device security as part of their purchasing decision, Ashkenazi suggested.

Most consumers are unaware that common household devices can connect to the internet through their wireless routers. If they have a device that connects to the network, they need to make sure the device software is up to date, he added.

“When the software is no longer updated, the device could be dangerous to use,” he warned.

The goal, as Ashkenazi sees it, is to protect consumers first. He then hopes that consumers will put enough pressure on manufacturers that companies will start saying how long they will support the software.

Apple, Google and some other big companies are saying this about certain devices. But for many other devices, companies stop supporting them after six months or so. Consumers continue to use these abandoned devices because they otherwise seem to work well, he said.

Unclear responsibility

Consumers need to be just as diligent as corporate businesses when it comes to cyber security. Enterprise security teams understand that vulnerabilities come in all shapes and sizes, noted Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a SaaS provider for enterprise cyber risk remediation.

“In the case of Western Digital My Book Live devices, threat actors took advantage of a number of daisy-chained circumstances to erase data from exposed disks. Consumers should have known to keep the unit firmware patched and the drives connected to the Internet only when needed. However, where does the responsibility fall? On the consumer or on Western Digital? There is no clear answer,” he told TechNewsWorld.

One of the major problems with IoT security at the moment is that the rush to market often sidelines the security measures that should be built into our devices. This issue has made many IoT devices low-hanging fruit for criminals interested in stealing sensitive data and accessing exposed networks, noted Stefano De Blasi, threat researcher at Digital Shadows.

“Furthermore, criminals can exploit vulnerable products by harnessing their computing power and orchestrating massive IoT botnet campaigns to disrupt traffic to targeted services and spread malware,” he told TechNewsWorld.

Blind Spots of Cyber Security

IoT security, or lack thereof, suffers from industry shortcomings. The main issue is that traditional vulnerability management tools do not scan the operating system. Thus, they do not reveal any security issues or vulnerabilities in the firmware layer, according to Baksheesh Singh Ghuman, senior global director of marketing and product strategy at connected hardware security firm Finite State.

“The secondary issue involves hardware manufacturers, who are often responsible for performing device security despite usually lacking proper security controls to scan for vulnerabilities in the firmware layer,” he told TechNewsWorld.

It is important that manufacturers do a thorough analysis of vulnerabilities of any kind and, if they discover any, inform potential users of available firmware updates and patches, he recommended.

“The process is a highly reactionary process, unlike the proactive automated process found in enterprise vulnerability management practices. As a result of these factors, firmware vulnerabilities are often ignored and become blind spots of cyber security that attract the attention of threat actors,” Ghuman said.

Complicated IoT Security

Depending on the industry and application, a patch is not always available. In the case of consumers, patching is a two-step process, according to Ghuman.

First, the device manufacturer needs a standard update process to push updates and patches to their devices. The second step requires spreading consumer awareness about the need to update and fix vulnerabilities.

“This is quite challenging because it requires constant memory and education about online safety hygiene,” Ghuman said.

Hardware manufacturers could take some steps to prevent more episodes like the Western Digital dilemma, he suggested. They include:

  • Ensuring that there is a product security group within their organization;
  • Including firmware layer vulnerability management as part of overall product development and product security software, so that they can detect firmware layer vulnerabilities before they are distributed;
  • Actively scanning for exploitable vulnerabilities in their firmware and, if detected, quickly developing patches; and
  • Having a standard and secure firmware update process in place, which deploys patches when they become available.

The inevitable goal

The consumer shift toward a preference for digital-first interactions will expand the potential threat landscape that attackers can target, observed Tyler Shields, CMO at JupiterOne. More applications, more cloud data and more digital experiences mean more targets of opportunity and chance.

“There will be a steady increase in data compromise as we move more and more of our daily lives into the cloud. We are really just beginning to see the expansion of digital experiences and the attacks that will grow along with them,” he told TechNewsWorld.

Security is always a trade-off against ease of use. The cybersecurity vendor community needs to move toward creating easy-to-use cybersecurity experiences that provide an acceptable level of security for the technologies consumers require, according to Shields.

A good example of this is switching to single authentication and no password. Users have not been able to maintain proper passwords for decades and this situation will never change. Therefore, innovation must build an easy-to-use alternative that ensures proper security with a much better user experience.

“Enterprises need to find the right balance of technological innovation alongside security for traditional models,” he said.