Window-dressing the backdoor

Published Dec 29, 2019 by Xiph

Government’s half-baked cyber security crackdown tiptoes in the right direction.

Dutton’s new code of practice is one rung above an empty gesture, but the faint silver lining is that the exponential rise in security threats is receiving mainstream attention.

Recently, Home Affairs Minister Peter Dutton announced the introduction of a draft code of practice aimed at getting companies to make a concerted effort to tackle cybercrime. The code acknowledges that modern web-connected devices including smart TVs, smart watches, home speakers and other household appliances are riddled with substandard security features, and asks device manufacturers, Internet of Things (IoT) service providers and app developers to adopt a series of practices, including:

• Implement a ‘vulnerability disclosure policy’
• Keep software securely updated
• Ensure that personal data is protected
• Minimise exposed attack surfaces
• Ensure communication security
• Make systems resilient to outages
• Make it easy for consumers to delete personal data

This list would be all well and good, even great, if not for one glaring issue. Dutton’s code holds about as much authority as the unwritten rule that a driver should thank another driver for any act of on-road kindness. That’s right, the code of practice is entirely voluntary and therefore seems nothing more than posturing, and Dutton’s statement does not even attempt to disguise it:

“The safety of Australians and the security of our economy is paramount. That’s why the Morrison Government has developed a voluntary Code of Practice to inform industry about the cyber security features expected of these devices in Australia.”

Preaching to the (comparatively tiny) choir

The reality of Dutton’s code is that it’s unlikely to entice the efforts of companies who have previously paid (or could only afford to pay) the bare minimum of attention to security and privacy. Kevin Vanhaelen, APAC regional director of cybersecurity firm Vectra AI, spoke to the code’s shortcomings:

“…voluntary codes of practice will likely only attract organisations who are already proactive and bought into addressing the issue the code seeks to address.

“In reality, the vast majority of IoT devices, particularly those aimed at consumer use, will have some vendors and supporting supply chains that simply don’t have the resources, skills, or even the will to meet the framework’s recommendations.”

This lack of official mandate is made worse by the fact that since early 2018, cyber security attacks against Australian businesses have increased more than 700 per cent, costing the nation almost $8 billion. And as hackers, organised crime groups and “bad actors” increase in numbers and strength by the day, the need for binding security legislation across the board becomes that much more glaring.

Until Dutton and co. put Australian citizens before corporate interests, the only option is for the everyday consumer to seek out alternatives that put security and privacy back in their hands – or avoid IoT devices altogether.

The Internet of Things and privacy

Considering governmental endeavours such as this code will do very little to incentivise companies to take our right to privacy seriously, it’s important that we’re at least made aware of what we’re getting ourselves into when dabbling in the Internet of Things.

Home speakers such as Google Home and Amazon Alexa are perhaps the most worrying of all devices. You’ve no doubt noticed that after you conduct a Google search on the web, you’ll be fed targeted advertisements that reference your behaviour. Many users report the same thing after discussing a topic in Gmail: sending an email that mentions flowers (and not even the purchasing of them) and then suddenly being bombarded with advertisements for online florists, although Google stated in 2017 that it no longer scans Gmail content for ad personalisation.

Google and Amazon speakers take this calculated spying one step further. Their microphones are always on, listening for a wake word, and any audio the device decides is a command (including false activations) is sent to the vendor’s servers; in 2019 both companies confirmed that samples of those recordings were being reviewed by human contractors. Say you mention to your partner that you’ve always dreamed of renting a house in Tuscany, Italy for a month in the summer. Plenty of owners swear that if they then went to browse the web, advertisements for Tuscan apartment rentals would pop up all over the place. Neither company admits to mining ambient conversation for advertising, and such anecdotes are hard to separate from ordinary search and location tracking, but if you happen to own such a device you can run the experiment yourself: discuss a specific topic, then browse the web and see how well Big Brother listens.

These devices are also vulnerable in a far more direct way. The “Light Commands” research published in November 2019 showed that the MEMS microphones in smart speakers respond to light as well as sound, so an attacker can modulate a laser beam to inject voice commands from tens of metres away, through a window, without making a sound. The speaker then does whatever a spoken command could do: unlock a connected smart lock, open a garage door, or place an order on an account with a stored credit card. If you’re not going to toss your home speaker in the garbage, at least keep it away from the window, and require a spoken PIN for purchases and for any command that opens a door.

Smart TVs, streaming boxes and household appliances contain similar weak spots. Ideally, as time goes on, privacy-first alternatives will enter the market at affordable prices. Until then, if you’re adamant that you want to keep your shiny, web-connected item, put it on its own network segment (a guest or IoT network on the router, where it cannot reach your laptops, phones and file shares), and look into installing a good firewall and intrusion detection system on your home router so that you can see, and block, where the device phones home.
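What that router-side check can look like in practice, as an added example that is not part of the original post: a small egress-policy monitor for an isolated IoT segment. It assumes the IoT devices sit on their own subnet, that the router logs one line per new outbound connection in the key=value format shown, and that you have already recorded each device’s normal destinations; the addresses, hostnames, log format and log lines are all constructed for the example.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Assumed network layout (made-up addresses for this example).
IOT_NET = ip_network("192.168.50.0/24")         # IoT devices live here, isolated by the router
TRUSTED_NETS = [ip_network("192.168.1.0/24")]   # laptops, phones, NAS: IoT must never connect in

# Per-device egress allow-list: (destination hostname, port) pairs the device is
# expected to talk to. Hostnames are placeholders; in practice you populate this
# by watching the device for a few days after setup ("learn mode").
ALLOW: Dict[str, Set[Tuple[str, int]]] = {
    "192.168.50.10": {("speaker-cloud.example", 443)},                        # smart speaker
    "192.168.50.20": {("tv-updates.example", 443), ("tv-ads.example", 443)},  # smart TV
}


def parse_flow(line: str) -> Dict[str, str]:
    """Parse one 'key=value key=value ...' connection-log line.

    The format is constructed for this example, modelled on what a router's
    connection logger might emit once per NEW connection.
    """
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def check_flow(flow: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return zero or more (alert_kind, source, destination) tuples for one flow."""
    src = ip_address(flow["src"])
    if src not in IOT_NET:
        return []                              # only the IoT segment is policed here
    dst = ip_address(flow["dst"])
    dport = int(flow["dport"])
    name = flow.get("dname", flow["dst"])      # fall back to the raw IP if no name was logged

    # Rule 1: an IoT device must never open a connection into the trusted LAN.
    if any(dst in net for net in TRUSTED_NETS):
        return [("lateral-movement", str(src), f"{dst}:{dport}")]
    # Rule 2: something is on the IoT segment that was never allow-listed.
    if str(src) not in ALLOW:
        return [("unknown-device", str(src), f"{name}:{dport}")]
    # Rule 3: a known device is phoning home somewhere outside its baseline.
    if (name, dport) not in ALLOW[str(src)]:
        return [("unexpected-egress", str(src), f"{name}:{dport}")]
    return []


def scan(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every log line through check_flow and collect the alerts in order."""
    alerts: List[Tuple[str, str, str]] = []
    for line in log_lines:
        if line.strip():
            alerts.extend(check_flow(parse_flow(line)))
    return alerts


# Constructed sample log: normal traffic plus three events worth an alert.
SAMPLE_LOG = """
ts=2019-12-29T20:01:02 proto=tcp src=192.168.50.10 dst=203.0.113.5 dname=speaker-cloud.example dport=443
ts=2019-12-29T20:01:05 proto=tcp src=192.168.1.23 dst=203.0.113.9 dname=news.example dport=443
ts=2019-12-29T20:02:10 proto=tcp src=192.168.50.20 dst=203.0.113.7 dname=tv-updates.example dport=443
ts=2019-12-29T20:02:11 proto=tcp src=192.168.50.20 dst=198.51.100.4 dname=tracker.example dport=80
ts=2019-12-29T20:03:40 proto=tcp src=192.168.50.10 dst=192.168.1.23 dport=445
ts=2019-12-29T20:04:01 proto=tcp src=192.168.50.77 dst=203.0.113.30 dname=unknown.example dport=8443
""".strip().splitlines()

if __name__ == "__main__":
    for kind, src, dst in scan(SAMPLE_LOG):
        print(f"ALERT {kind}: {src} -> {dst}")
```

On the sample log this flags the TV contacting an unlisted tracker, the speaker attempting an SMB connection to a laptop on the trusted LAN, and an unrecognised device on the IoT segment, while the laptop’s own browsing and the devices’ expected cloud traffic pass silently. The same three rules map directly onto firewall policy: drop IoT-to-LAN outright, and log-and-alert (or drop, once the baseline is trusted) on anything off the allow-list.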

Yes, the “smart home” is making the home smarter… smarter at finding new ways of undermining our security and leaving us open to outside reach. Until manufacturers actually deliver the secure updates and communication security the draft code politely asks for, it might be wise to use your fridge to store perishables, rather than browse Instagram. Food for thought.


Posted in: Security