Oulu Researchers: Consumers at Serious Risk of Hacking
People who use consumer electronics are at serious risk of being hacked, according to a series of security tests conducted by Oulu-based company Codenomicon.
The company – which last week published a white paper on the problem – found faults in many everyday internet-connected electronic devices that could easily lead to people’s personal data being compromised. Entitled ‘Network Attached Storage: Be Careful What You Share,’ the report may read to the ordinary computer user like a dictionary of technical jargon. But Codenomicon Chief Technology Officer (CTO) Ari Takanen reduced it to everyday language for 65DN.
‘The key thing in our research was to highlight the overall security and quality of consumer electronics,’ he explained. ‘We used our kind of State-of-the-Art testing, which companies like Microsoft use when they make products for security-conscious clients, such as telecom companies.’ This process of attempting to identify bugs is known as ‘fuzzing.’
For the ordinary electronics user, Codenomicon’s findings might be rather distressing.
‘We found that consumer product security development practices are much more relaxed,’ summarised Takanen.
According to the CTO, when software engineers produce new programmes they inevitably make some mistakes in the programming. These mistakes lead to bugs in the programme, which in turn can lead to problems with how the device functions. These gremlins, a product of unavoidable human error, are something which any computer user simply has to get used to.
However, some of these ‘bugs’ are more significant than others, and especially important are bugs which can allow hackers to get round the system’s security. These kinds of programming mistakes can allow hackers to take control of the device. Accordingly, devices to be sold to security-conscious corporate clients are thoroughly checked for bugs. But this does not appear to be so with consumer products.
‘We took a large number of consumer electronic devices, analysed what they should be doing and tested them on lots of different issues,’ says Takanen. ‘For example, we looked at whether the devices are robust or whether they crash. There were lots of bugs. We compared to devices aimed at enterprises. They did not have these bugs. Security is not taken as seriously with consumer devices.’
Codenomicon’s research found that security bugs in consumer devices can have very serious effects on consumers, most of whom seem blithely unaware of the problem. An example is home network storage devices, which permit you to back up your files from your home computer and store them online. In many cases, there are bugs in the security, meaning that these devices can be hacked. Other devices allow you to listen, outside of the home, to music that you downloaded onto your computer. Due to bugs in the security, this also opens up access to hackers.
Takanen points out that this problem will become increasingly acute as more and more products – such as printers and so-called ‘Smart TVs’ – involve some kind of internet connection. More and more data will potentially be open to hackers.
Codenomicon was founded in 2001 by five Oulu University IT researchers who saw a gap in the market for a company specialising in security issues in electronics. Most of the customers, including those for whom this research has been conducted, are ‘enterprise customers in the USA who want high quality products.’
But Takanen sees the results as a ‘wake-up call’ for ordinary electronics consumers in Finland and beyond. His advice, to avoid the security bugs, is quite simple: ‘Don’t buy the cheapest product.’ It will, he says, be of the lowest quality and include the most bugs.
And, he argues, somebody needs to give this ‘wake-up call’ because the computer magazines certainly don’t. They compare new products with regard to numerous aspects of their functioning but they never look at security problems. Takanen adds that, at least while a product is under guarantee, security bugs can be the vendor’s ‘problem’ but they have clear effects on the consumer.
For all these reasons, the company advises people to be very careful about what they share through these devices. Increasingly, there are devices which allow people to control items in their homes from their workplace. But Takanen stresses that ‘it is not necessarily smart to monitor things from outside your home’ because if there are certain bugs in the devices, and they seem to be common, then hackers can compromise them.
Takanen also recommends not having a cheap wireless router. One of the products which the report analysed was the D-Link router. It found various bugs with this router, though the report emphasised that, ‘Our testing does not reveal whether the test failures could be exploited to gain control of the device but given the high number of crashes there is certainly a good chance of finding one.’
And, alarmingly, a simple Google search reveals a YouTube page explaining precisely how to hack into a D-Link wireless access point.