
Amazon IoT security below par, but it is far from alone

The US Federal Trade Commission (FTC) is unhappy with Amazon’s IoT devices on two fronts. Both Ring, its camera subsidiary, and Amazon’s own Alexa voice assistant are the subject of complaints alleging serious security and privacy abuses. Once again, IoT security appears to be staggeringly underappreciated.

IoT devices, usually just called “smart” devices, come in almost every form imaginable. How useful they are depends on personal habits, but an enthusiast can now control just about everything in and around the home. We have also seen before how badly things can go wrong on the security front with these Internet-of-Things devices.

Ring: watching and looking away

The FTC complaint (PDF) regarding Ring, which Amazon has owned since 2018, is crystal clear about the violations. According to the FTC, employees were able to watch live feeds from cameras, many of them installed in bedrooms, and had access to users’ private video files. In one specific incident in 2017, a male employee was initially not penalized after a female colleague allegedly caught him spying on 81 women. Action was taken only when it emerged that he had been singling out women he found attractive.

Ring staff received no training for handling this level of access. In addition, the security of the service itself was reportedly poor, allowing attackers to take over accounts and hijack the cameras for their own purposes. Intruders then scolded, threatened or made racist remarks to users, in some cases in front of children. Two distinct failures are at work here: no least-privilege control or audit trail over insider access to customer video, and no effective defense against outside account takeover.

Alexa: tamer, but no less worrisome

The Ring example is harrowing and shows that fears of Big Tech “watching” can sometimes be taken quite literally. In the case of Amazon’s Alexa voice assistant, the abuses were tamer and concerned privacy. At issue was unauthorized data retention: transcripts of utterances made by children were deleted only when parents requested it, and sometimes could not be removed from a database at all.

Amazon defends all this by arguing that it “only” wants to train AI models with user data. That may be so, and it will certainly be in the terms accepted at purchase, but Amazon knows full well what it is doing. Anyone who buys an Alexa pays not only in money but also in data. For consumers, an opt-in would be desirable if only for peace of mind, but we are currently far from that.

All this points to a legitimate concern about Amazon’s IoT approach: both Ring and Alexa clearly entered the market with privacy as a low priority. For this, Amazon is paying millions in fines: $5.8 million (€5.4 million) for the Ring abuses and $25 million (€23.2 million) for the Alexa abuses. Towering sums for an average startup, a pittance for a tech giant like Amazon. Unfortunately, it is far from the only company that does not have IoT security in order.

IoT world lacks standardization, except where you don’t want it to be there

As mentioned, IoT devices come in all shapes and sizes. A few themes recur, however: a lack of security measures, vulnerable components and high connectivity. This hodgepodge creates many threats. The Cyber Management Alliance has listed a number of incidents, ranging from botnets built out of cameras and video recorders to the hacking of nuclear facilities and the unauthorized remote control of Jeeps. Why all these vulnerabilities?

We can turn to Trend Micro. This security specialist identifies limited computing power and alternative transmission technologies as root causes of these problems. In one area, however, there is standardization, albeit unintentional: usernames and passwords. Attackers get into many IoT devices simply by trying the “factory default” username and password, which the owner never changed and which is the same on every unit the vendor ships. We thus make it very easy for them. A device that ships with a unique per-unit password, or that forces a credential change at first boot, removes this entire class of attack; a device that does not should be audited before it is put on the network.
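The default-credential problem above is easy to audit once device credentials are inventoried. The following is an added example, not code from the article, from Trend Micro or from any vendor: it checks each device in a constructed sample inventory against a short, illustrative list of widely published factory-default username/password pairs and a minimal password policy, and returns the findings. The device names, vendors and inventory are made up for the example; a real audit would pull credentials from a device-management system and use a much fuller default list.

```python
"""Audit an IoT device inventory for factory-default and weak credentials.

Added example (not from the article or any vendor). The inventory and the
default-credential list are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Illustrative subset of vendor default pairs that are widely published.
# A real audit should use a fuller, maintained list.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("root", "admin"),
    ("root", ""),
    ("user", "user"),
    ("support", "support"),
}

# Passwords that are weak regardless of vendor.
COMMON_WEAK = {"password", "123456", "12345678", "qwerty", "letmein"}


@dataclass
class Device:
    host: str
    vendor: str
    username: str
    password: str


@dataclass
class Finding:
    host: str
    reasons: list[str] = field(default_factory=list)


def check_credentials(username: str, password: str, min_length: int = 12) -> list[str]:
    """Return every policy violation for one username/password pair.

    An empty list means the pair passes. Checks are ordered from most to
    least severe so the first reason is the headline for a report.
    """
    reasons: list[str] = []
    if (username, password) in KNOWN_DEFAULTS:
        reasons.append("factory default credential")
    if password == "":
        reasons.append("empty password")
    if password.lower() in COMMON_WEAK:
        reasons.append("common weak password")
    if password and password.lower() == username.lower():
        reasons.append("password equals username")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return reasons


def audit(devices: list[Device], min_length: int = 12) -> list[Finding]:
    """Run check_credentials over an inventory; only failing devices are returned."""
    findings = []
    for dev in devices:
        reasons = check_credentials(dev.username, dev.password, min_length)
        if reasons:
            findings.append(Finding(dev.host, reasons))
    return findings


# Constructed sample inventory (hypothetical hosts and vendors).
SAMPLE_INVENTORY = [
    Device("cam-lobby-01", "ExampleCam", "admin", "admin"),
    Device("dvr-backroom", "ExampleDVR", "root", ""),
    Device("thermostat-2f", "ExampleHVAC", "admin", "T7#k9!zQp2Lw"),
    Device("doorbell-front", "ExampleBell", "user", "user"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"{finding.host}: {'; '.join(finding.reasons)}")
```

Run against the sample inventory, three of the four devices are flagged; only the thermostat with a unique 12-character password passes. The username comparison is case-insensitive on purpose, since many device web interfaces treat logins that way.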

In short: Amazon may be the one being punished today, but it will by no means be the last to deserve the FTC’s attention. As a large company it has the resources to move beyond the current abuses, while smaller companies may not have the infrastructure to keep this under control. By no means will all existing smart devices be patched to improve their security, leaving it to the consumer or organization to avoid being picked off by attackers. In this way, the well-known challenges of hardware and software security have come to apply to countless smart devices in recent years. It remains to be seen when IoT security will get the attention it deserves.
