“A Flood of Cheap [IoT] Devices With No Long Term Support or Security Considerations” An Interview with Matthew Garrett
Matthew Garrett is a Principal Security Engineer at CoreOS, Member of the Free Software Foundation board of directors and an avid blogger on anything from security to recent discovered vulnerabilities found in operating systems. However, he might be best known for his numerous Amazon reviews that looks at the security of IoT devices and rates them based on how secure they are.
Matthew has reviewed IoT devices from Baby Monitor WiFi cameras to numerous Bluetooth light bulbs to wireless ‘smart’ electronic sockets. His reviews have earned him praise among the security community and potential consumers alike, but manufacturers and organizations have been less than pleased, as TechCrunch and The Verge have reported.
The lack of security in IoT devices is a subject we’ve covered in the past and since then, we’ve seen what the consequence of IoT security compromise can lead to. Back in September, the internet’s biggest DDoS attack, peaking at a 1.1TB/sec attack, affected a French web hosting site, with over 145K hacked cameras participating in the attack as part of a major botnet.
We spoke to Matthew Garrett about his reviews, his motivation, and his perspective on IoT device security and what consumers and organizations can do to protect themselves.
SSC – Your Amazon reviews are pretty popular and take a security perspective on the products you’re reviewing. What was the impetus for starting these reviews?
MG – To begin with, I was just sort of horrified at how insecure some devices I’d bought were. I’d bought a couple in the hopes of reverse engineering their protocols in order to bridge them into my existing home automation setup, and it seemed useful to be able to publish that code. What I found was that they were typically very limited in terms of how much security they were providing to their users, and there didn’t seem to be any straightforward way to communicate that to potential purchasers other than leaving reviews.
SSC – Has your motivation changed in any way as you’ve continued to review products?
MG – At this point I’m not really buying devices with the aim of using them myself, more in terms of making it easier for others to make use of them (and, with luck, avoid insecure devices!)
SSC – It seems like you’ve come across a couple of complications stemming from your popularity and reviews. What was your reaction when one manufacturer’s representative asked you to take down a review or else they’d lose their job? Has it affected the way you approach reviews now?
MG – At first this seemed vaguely horrifying, but now it’s more just a sort of resignation at how manipulative these vendors are willing to be. It’s unsurprising that someone would be unhappy that I leave a bad review, but it’s also necessary that people do something about it.
SSC – Are these reviews an ongoing project or are you working towards a specific goal?
MG – No specific goal. It’s slowed down a little recently because I’ve had much less free time, but I’m still working on it.
SSC – Besides the more publicized reactions from manufacturers, have you received any other feedback or word the companies behind the products you’ve reviewed? If so, what’s the general attitude?
MG – There have been occasions when vendors have thanked me for the feedback and promised to improve the devices, but it’s more frequent to either receive silence or just straight denials that there are any security issues.
SSC – What about from the general public? It seems like you’re a pretty popular Amazon reviewer given the niche area (IoT products) so I wonder what the response has been in general?
MG – Everyone I’ve heard from has been enthusiastic about it. It’s difficult for people to make informed decisions right now, so they feel it’s useful.
SSC – Why do you think IoT products are so lax in security? It seems like every week a new vulnerability or hack is discovered.
MG – They run software, but the people producing them don’t usually have any background in managing software or security. They’re asked to make something work, not to ensure that it doesn’t leak private information or allow remote control. IoT security really needs manufacturers to realise that what they’re doing is as important as any other network facing service and prioritise appropriately.
SSC – Given the security risk of these IoT products, who do you think will be impacted most, consumers or organizations?
MG – Good question, and I don’t honestly know yet. Organisations are more likely to be purchasing from larger vendors who are more likely to have carried out security audits, but even then there’s a real risk of it not being good enough. They probably have more to lose.
SSC – Aside from reading your reviews, what do you think consumers can do in order to safeguard themselves against the poor security found in IoT devices?
MG – The best advice I can give is purchase from known vendors who at least have some chance of releasing firmware updates that fix security issues.
SSC – What advice would you give to heads of security in enterprise or large organizations?
MG – Keep a very close eye on anyone bringing any kind of IoT device into work!
SSC – You’ve been working in the IoT security space for a long time, how has the space changed?
MG – Some vendors are beginning to pay attention – I’ve seen bug bounties from more than one, and that’s a really good sign. But we’ve also seen a flood of cheap devices with no long-term support or security considerations during design, and that’s a significant consumer risk.
SSC – How do you predict the security space will change in the next 5 years?
MG – I’m hoping that we’ll see this issue being taken seriously not only by manufacturers, but by companies selling them. You wouldn’t sell a device that was known to cause fires – the same sort of consideration should be made about selling known insecure devices.
Endpoint Security is one of the ten security categories measured in SecurityScorecard’s platform, showing organizations open access points that may be exploited by malicious hackers snooping around for a way into a network. If you want to know what your Endpoint Security score is, check your Instant SecurityScorecard below.