Many of today’s IoT devices, including those from well-known manufacturers, originate from a franchise or OEM concept. This means that the actual manufacturers (often in Asia) design an IoT platform (based on microcontrollers, for example), devices (LED strips, climate controls, switchable sockets) and the complete back-end communication platform, including mobile apps with white-label capabilities. The OEM customer selects the appropriate devices from the catalogue (or creates their own based on the microcontroller architecture and firmware provided), customises the branding and can then launch IoT devices under their own name with minimal effort.
All the hard work, such as hardware development, firmware, mobile apps, integration into voice assistants (clouds) and the operation of the backend in the background, is purchased entirely as a service. The OEM customer can therefore enter the lucrative IoT market with minimal effort. It is not for nothing that one of the largest OEM providers in the market speaks of over 11,000 different device models that run on its service.
This is absolutely not meant to be “security bashing” of a single manufacturer. This model makes sense for a variety of reasons (including time-to-market, development maturity, consolidation of resources, incident response). In addition, these services naturally offer security functions such as AAA (authentication, authorisation, accounting), tokens, encryption and so on. But even there, security gaps have already become known, and quite independently of this, communication with the outside world inevitably remains. These need to be considered and assessed.
Risk assessment & evaluation
As already described, you should first check whether a device communicates with the outside world. If this is the case, you should take a closer look at the communication, check its necessity and assess its risk. After all, many devices function without the internet, although some only to a limited extent. For example, many printers send information about the current ink level to the cloud. If you prevent the status data from being sent, you lose the convenience of being able to see the printer status from anywhere – but you can still print.
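An added example, not part of the original article: one way to run the first check is to summarise which devices send traffic outside the local networks and to which endpoints. The flow record format ("source destination port bytes"), the sample addresses and the function names are constructed for illustration; real records would come from a router or firewall export.

```python
import ipaddress
from collections import defaultdict

# Networks treated as "inside" (assumption: adjust to the actual local addressing).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed sample flow records: "src dst dst_port bytes"
SAMPLE_FLOWS = """\
192.168.20.31 203.0.113.10 8883 5120
192.168.20.31 203.0.113.10 8883 4980
192.168.20.31 192.168.20.1 53 120
192.168.20.40 198.51.100.7 443 900
192.168.20.40 192.168.20.5 631 20480
192.168.20.52 192.168.20.1 123 90
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in INTERNAL_NETS)

def external_talkers(flow_text):
    """Return {device: {(dst, port): total_bytes}} for flows that leave the local nets."""
    report = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed record
        src, dst, port, nbytes = parts
        try:
            if is_internal(src) and not is_internal(dst):
                report[src][(dst, int(port))] += int(nbytes)
        except ValueError:
            continue  # unparsable address or number
    return {dev: dict(dests) for dev, dests in report.items()}

def local_only_devices(flow_text):
    """Devices seen in the records that never contacted an outside address."""
    rows = (line.split() for line in flow_text.splitlines())
    seen = {r[0] for r in rows if len(r) == 4}
    return sorted(seen - set(external_talkers(flow_text)))

if __name__ == "__main__":
    for dev, dests in sorted(external_talkers(SAMPLE_FLOWS).items()):
        for (dst, port), total in sorted(dests.items()):
            print(f"{dev} -> {dst}:{port}  {total} bytes")
    print("local only:", ", ".join(local_only_devices(SAMPLE_FLOWS)))
```

Each device that appears in the first list is a candidate for the necessity and risk questions above; devices in the second list had no outside communication in the observed period.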
A particularly thorough risk assessment is required for devices that always need an internet connection in order to fulfil their most basic functions. Imagine that, just because your internet connection has a hiccup, you can no longer even switch the light on and off or operate the garage door.
But even these devices should not be categorically demonised! They often actually offer added value in both private and corporate environments. On the other hand, however, the risk associated with their use must be considered and evaluated. In doing so, it pays to carry out the assessment factually and correctly and not simply to trust one’s gut feeling. Only then can an evaluation be meaningful.
In one scenario, the use may be completely unproblematic – for example, if the devices only work in separate guest WLANs and the “phone calls home” take place far away from the production network.
If, on the other hand, integration into the production network is absolutely necessary (for example, to control lights in photo/video studios), one must ask oneself whether the advantage outweighs the risk. If the needle points in the direction of “too great a risk”, it is now often possible, thanks to resourceful tinkerers, to install alternative firmware versions that no longer have this external dependency. Whether one wants to make the effort ultimately depends on the risk assessment.
This article was first published in the Security Newsletter of LANline, WEKA FACHMEDIEN GmbH.