It's a headline problem. Typically these issues are labeled as "all of IoT is terrible".
For as many of these REAL security issues we face, there are many stories published that have no real-world impact.
Examples:
The story from defcon (or blackhat, cant remember which) about installing ransom-ware on your smart thermostat.
The headlines were all "Hackers make thermostat ransom-ware" or "Your smart thermostat is now vulnerable to ransom-ware"
A few points:
- It required local access
- It required an SD card reader
- It also required the thermostat run a local HTTP server
Another decent example were the SmartThings security holes from earlier this year:
- It was mostly an oauth2 authorization issue (applications requesting grant types it didn't need)
- The apps were actually independently developed (not ST official) and took some technical knowledge to deploy yourself
- The rest were known security issues in the Zigbee protocol that SmartThings has little control over. Similar to this article.
Or the botnet of cameras which is probably the most high-profile example and most relevant are labeled as "The IoT brought down the internet"
That's a lesson for the makers of those cheap DVRs and Cameras, it was also a lesson in user documentation to avoid them doing stupid things. That's the only example in recent years I've seen that goes anywhere, but the problem is it's drowned out by nonsense and clickbait headlines.
For as many of these REAL security issues we face, there are many stories published that have no real-world impact.
Examples: The story from defcon (or blackhat, cant remember which) about installing ransom-ware on your smart thermostat.
The headlines were all "Hackers make thermostat ransom-ware" or "Your smart thermostat is now vulnerable to ransom-ware"
A few points: - It required local access - It required an SD card reader - It also required the thermostat run a local HTTP server
Another decent example were the SmartThings security holes from earlier this year: - It was mostly an oauth2 authorization issue (applications requesting grant types it didn't need) - The apps were actually independently developed (not ST official) and took some technical knowledge to deploy yourself - The rest were known security issues in the Zigbee protocol that SmartThings has little control over. Similar to this article.
Or the botnet of cameras which is probably the most high-profile example and most relevant are labeled as "The IoT brought down the internet"
That's a lesson for the makers of those cheap DVRs and Cameras, it was also a lesson in user documentation to avoid them doing stupid things. That's the only example in recent years I've seen that goes anywhere, but the problem is it's drowned out by nonsense and clickbait headlines.