Risks to Consider Before Buying a Smart Home Device

People are increasingly buying voice-activated speakers (also called digital voice assistants or intelligent personal assistants) and other smart devices for added convenience, enhancing security, and also for entertainment purposes. But doing so blindly, without assessing risks involved with such technologies, can give intruders an accessible window into our homes and personal lives. Here are some risks that you may want to consider before purchasing a smart device for your house:

Listening In: Many new devices are being manufactured with built-in microphones. New generation devices falling in this category include for instance smart speaker systems such as Amazon Echo and Google Home,  and as well smart TVs, TV streaming devices, and Internet-connected toys. Many of these devices are constantly listening in for your commands and when they receive them they connect to corporate servers (can be located anywhere in the world) to satisfy your request.  What if you are having private conversations at home? Are these getting sent to the Internet without your awareness? Indeed, some devices just do that (yes, you may have unknowingly already accepted the vendor’s privacy policy or terms-of-use if that exists!). What can you do then? Well, devices typically have a mute function that disables the device microphone(s). But the question remains, can we actually verify what the manufacturer promises? Further to that, if data is sent over the Internet can it really be removed? I highly doubt that.

Watching You: Cloud security cameras let you check in on your pets, children, and your home status, when you are away, typically through your smartphone, tablet, and other handheld computing devices. Some devices routinely send video footage to online storage automatically while others do so when triggered, example by a motion sensor (typically signalling that an intruder or an unauthorized visitor is nearby). Reputable brands are likely to take security seriously, but no system is bulletproof. If you want to stay extra vigilant then you might want to turn the camera to face the wall or just unplug it altogether when you do not intend to use it. However, this is not a viable solution for many. Thus, my suggestion is that you should carefully inspect the device technical specification and assess whether the company is taking security and privacy seriously!

Digital Trails: Smart locks let you unlock doors from anywhere with an application installed on your digital devices. With this, you can let in guests even when you are away or when you have your hands full with other things (yes you can also connect your smart lock with a digital voice assistant). Similarly, landlords can automatically disable your digital key when you move out, and parents can keep an attentive eye on the time their beloved teens are coming back home. At the same time, intruders might try to hack the system not only forcibly with hardware tools but also through software hacking tools. Smart locks also pose a risk to privacy as usage of such keys leaves a digital trail. This trail can also be used in forensic investigation. This is an added attack surface that these digital devices bring into our lives, into our homes.

In this article, we scratched the surface of risks brought forth by smart devices. If you want to learn more about risks when purchasing smart home devices and as well about the different types of intruders spying on your home take a look at my paper.


BYOD – Risks and Mitigations

Bring Your Own Device (BYOD) is a policy that allows employees to bring their own devices to the workplace and use them there. This attracts and helps keep employees happy. At the same time, it saves a few bucks to the company as they may not need to procure new hardware. But BYOD implies that an employee can use his own device to access and use corporate resources.

This brings security risks to an organisation:

  • People outside the company can get access.  Access by company outsiders can happen due to devices being stolen or by people leaving the company.
  • Devices leave the company environment.  Devices brought outside the company offices are still carrying important information and may be used to access insecure networks elsewhere.
  • Devices might not be updated with the latest security patches.  BYOD devices might not be protected as extensively as the devices that are under direct control by the companies IT department.

 To limit the downside and keep possible damage to a minimum, it helps to:

  • Have a clear policy and rules to enforce it.  A well thought out policy about BYOD allows an organisation to set rules that everyone understands including the reasoning behind them, that is why they are needed.
  • Have an active mobile device management solution.  Even if there are no mobile devices owned by the company itself, there needs to be mobile device management to keep the company-controlled data and applications separated from the private ones.
  • Use strong authentication and encryption methods.  Strong authentication enables an organisation to identify and hold accountable the owners of stolen devices. Encryption can also keep communications and data safe from prying eyes.

BYOD allows a more fluid and flexible working environment. At the same time, it pokes the perimeter of a company with new security risks. In mitigating these, a strong cybersecurity policy and clear security controls must be implemented as we touched on in this article.

Docker Security Concerns

Docker is a popular platform for OS-level virtualization instances known as containers. Flexible containerization is completely changing the way we build and maintain applications at scale.

With positivity and momentum of growth in mind, we must keep information security in mind. Let’s take a look at four potential threats and strategies to help secure your container deployments:

1. Vulnerable images:  Anyone can publish a new repository on Docker Hub, so check that you’re familiar with the project maintainer before deploying. Running untested builds from spurious sources may lead to the unintentional introduction of vulnerable components, or even malicious code execution. It is best to check for the official Docker Store and “Certified” program that offers a variety of assured and deployment-ready packages. Paid plans on the Hub feature a “Security Scanning” tool that can check images for known vulnerabilities.

2. IAM breaches:  Cloud providers, such as Amazon Web Services, aim to provide hardened Identity and Access Management (IAM) role structures by default. These can be used in tandem with your Elastic Compute Cloud (EC2) instances for example to ensure your users have been issued the appropriate access rights as per the Principle of Least Privilege. When deploying containers ensure that your registry is sufficiently protected, possibly with two-factor authentication.

3. Excess resource usage: By default, a Docker container has no resource constraints. As a result, actively deploying containers without resource limits could lead to severely degraded host performance. Make sure to set limits on memory, bandwidth and disk usage to mitigate performance issues. Such issues could be caused also by malicious code (such as denial of service code execution).

4. Container breakouts: An adversary that gains access to one of your containers should not be able to move laterally to other containers or the Docker host. However, Docker is evolving quickly and privilege escalation exploits may arise, so take care to build infrastructure with a layered defense-in-depth approach in mind.