Check your TV for a seal of cybersecurity approval
Experts say people need to be looking for signs that their “smart” things are actually safe.
You turn on your smart TV, and there is a special message for you on the screen. Pay ransom, or you don’t get to watch your favorite show. Hackers are holding your entertainment center hostage.
Cybersecurity experts say this is not a big attack now, but the day may come when malicious hackers use ransomware or other malware on your television, giving new meaning to the phrase, “Pay TV.”
“You’re not going to throw away your $1000 TV that you just bought,” said Chris Wysopal with cybersecurity company Veracode. “You’re probably going to pay the $100 or whatever.”
Other attacks on your TV may be less obvious. The malicious hackers could get into your Wi-Fi system through your TV and wreak havoc around your connected home. They may use your TV as a zombie to attack other homes around the world, or turn it into a bitcoin mining operation—on your dime.
There is a solution, according to Wysopal, who spoke at the Collision tech conference in New Orleans on Wednesday.
He suggested a cyber “seal of approval,” something to show that someone has actually tested your smart device for cyber vulnerabilities.
“Before you plug it into the Internet, you can say, ‘Hey, this passed this set of tests,”’ he told the audience.
Like a safety seal, a cyber “UL” could work, said Wysopal in an interview with Archer News.
Underwriters Laboratories tests products for safety and allows companies to put their “UL” seal on certified products.
UL did its very first test of insulation material back in 1894, and now tests products from around the world.
“The original UL worked because in order to get fire insurance, you had to have certification that had the UL seal on it,” said Wysopal. “If you’re to get fire insurance, you have to have a fire door between the boiler room and rest of the building, and it has to be UL certified.”
Now, he said, you have to go out of your way to find a product that isn’t UL certified. But the same does not hold true for cybersecurity, and that can leave parts of your smart home and your connected things vulnerable.
Not a selling point?
Both customers and companies may ignore the risks, said Mikko Hypponen with cybersecurity company F-Secure.
“Vendors ignore cybersecurity because it’s not a selling point,” Hypponen said. “When you go and buy a washing machine, cybersecurity doesn’t even enter the picture. The most important selling point is the price, then the color, then the size—those are the things that sell your devices and appliances.”
But he said, the makers of that washing machine may not be protecting you from cyber attack.
“These legacy vendors have tons of experience and know-how in safety. But they have no experience in security,” he explained. “What I mean by that is that your new cyber washing machine will most likely not electrocute you. It will most likely not catch fire. But it will leak your Wi-Fi password.”
Some people may not realize the risks, and may even say they don’t care if someone hacks their washing machine, he said.
But malicious hackers are not trying to shrink your cotton shirts with an extra rinse in hot water.
“The real problem is that they are vectors. They are ways into your network,” Hypponen said.
Remember the Target data breach? Target was hacked through the heating and ventilation system, he said. “That’s what it means when everything is connected.”
Life & death
You could choose to pay ransom—or not—if your favorite TV shows were at stake. But what if your medications were being held hostage? Cybersecurity experts warn that connected medical devices are also at risk.
“The lack of even the most basic cybersecurity measures can result in life-threatening consequences for patients or crippling critical infrastructure effects for healthcare providers,” said UL’s Anura Fernando in a post online.
He said UL worked with medical organizations to establish cybersecurity standards for devices in the medical system.
In addition, UL announced this month that it has launched a new cybersecurity assurance program to help companies and customers in other areas outside of the medical field.
Almost 30 years after it tested its first personal computer, UL now says it will identify security risks in a long list of products, including industrial control systems, cars, HVAC, lighting, appliances, alarm systems, smart meters, network equipment, and consumer electronics.
There has been some criticism of UL’s program, and other groups are also working to come up with some sort of cybersecurity testing system, like a five-star rating system, or a “nutrition label” for Internet of Things devices.
Short shelf life
This kind of security approval may also need maintenance as your device ages, Wysopal said.
“There are 200 different open-source [software with code made open to the public] components in a Samsung smart TV,” he told Archer News. “The problem is with open source components over time. The term we use is—they ‘rot’ over time.”
The components may become vulnerable as the TV sits in your living room, and the makers would have to update it to keep it safe.
“Does it get updated over time? I think part of the certification would be that this device has an ‘end of life,’” said Wysopal. “Then it would give a warning that it won’t be updated anymore.”
Another issue, he added—the updates themselves. “Every time you update the device, does it need to get re-certified? Maybe something broke the certification.”
Looking for seals
You won’t see a lot of these cybersecurity seals, at least not yet. Manufacturers may have little incentive to pay for cybersecurity testing if you don’t make it part of your requirement list.
“The consumer has to care,” said Wysopal. “Like banks care about the software they buy. Hospitals are starting to care because of so many big health care breaches. But the consumer has to care.”
For some, the desire to check for a “cyber UL” may not come until it’s too late.
“Unfortunately, you start to care when it happens to you or someone close to you,” he said. “People didn’t put antivirus software on their computers until they got a virus.”