What can be done?
The good news is that the larger IoT companies like Belkin are starting to respond to the problem. Young says he has seen progress in how often companies are responding to firmware problems or at least acknowledging that there is a growing problem. Indeed, when LIFX found out about the Wi-Fi credentials flaw, they patched it right away.
Because there are so many small companies making IoT devices, the problem won’t go away anytime soon. Foeckl says IT departments need to start including IoT devices in their security monitoring efforts and certification and testing processes, and that they should work with their vendors to make sure these devices are patched, tracked, and protected.
“Another important task is the development of privacy policies that inform users about the collected information and guide them to maintain a security good practice, advising on changing passwords, reporting unusual activity,” says Foeckl. “A well informed user represents a great premise to prevent data breaches regardless of the threat vector.”
Spiezle says one answer is to develop a comprehensive IoT device certification program such as OTA’s Trust Framework as a way to combat the free-for-all. Intel has also stepped up to the plate and has made security for IoT devices a bigger priority.
Ultimately, the real answer has to do with IT purchasing decisions. Dan Lyon, the principal consultant at security-as-a-service firm Cigital, says businesses need to start evaluating IoT products not only for the benefit they provide but also for embedded security features.
“Once the risks are understood, the business can start requiring the manufacturer make the systems secure and to support them in the long term,” he says. “When these aspects are used as a purchasing decision point, then the manufacturers will respond appropriately.”
That might not solve the problem with legacy IoT devices, and could even slow market adoption, but businesses (and consumers) might be able to breathe a little easier.
[Samsung responded to questions related to this article by directing CSO Online to their previously issued statements, which can be viewed on their blog.
Wink said they work with both internal and external security experts to "ensure security standards are exceeded" in addition to regular audits by third-party researchers.
"Transparency is key, and to that end, we've previously collaborated with BugCrowd on a bug bounty program for all Wink products."
When asked for more information about how they're addressing IoT vulnerabilities, Belkin did not respond to requests.]