The internet of things is gaining a lot of attention these days as this growing network of internet- and Wi-Fi-enabled products are increasingly showing up in homes and bedrooms. This technology lets you do things like print messages on toast, remotely control a pet door with a mobile phone and read today’s weather forecast from a bathroom mirror.
But cybersecurity experts are warning the spread of internet of things devices in consumer products is moving too rapidly as companies scramble to gain a lead in the nascent market for connected home products, leading to an increasing number of software vulnerabilities that pose considerable threats to consumer privacy.
This week, U.K. cybersecurity services provider Pen Test Partners shed light on a particularly prurient internet of things vulnerability in the Svakom Siime Eye, a $250 sex toy equipped with an internet-connected camera that lets users stream a dildo’s eye view of masturbation via the internet to another person’s smartphone.
Because of the way the Siime Eye’s software was designed, anyone within Wi-Fi range could potentially hack his or her way into the system and watch footage right along with the person the feed was intended for. With a little extra work, a hacker could also take control of the firmware and even broadcast the feed to the web for anyone to see.
Cybersecurity researcher Ken Munro at Pen Test Partners, which identified the vulnerability, said security issues with connected devices tend to originate from their accompanying mobile apps. “But in this particular case [Svakom] made a really unusual choice in the way the sex toy was put together with Wi-Fi,” Munro told Salon via Skype. “By default it set itself up as an access point not a wireless client, a bit like your Wi-Fi router at home. This is really unusual for an [internet of things] device and the root cause of the problem.”
Svakom didn’t respond to Salon’s request for comment.
The news of the sex toy hack came just weeks after vulnerabilities were found in connected CloudPets stuffed toys, which led to the leak of emails and passwords of a half million CloudPets customers. In addition German authorities warned against the use of the connected voice-controlled Cayla doll made by Genesis Toys containing a software flaw that could allow hackers to eavesdrop on conversations, according to news reports. Last month Standard Innovation, the Canadian maker of an internet-connected sex toy called We-Vibe agreed to spend $5 million to settle a U.S. civil class action lawsuit for collecting data from customers, such as the time, date and duration of use, level of vibration intensity and device temperature.
Problems like these will only become more frequent in the years to come as the internet of things is extended to reach everyday products. Market forecaster IHS Markit has estimated that by 2020 there will be about 31 billion connected devices, a rise from about 15 billion in 2015.
“We simply didn’t have anywhere near the breadth of connected devices even three years ago and these days we have internet in places we never would have expected,” Troy Hunt, a Sydney-based software security expert who has worked for years to expose vulnerabilities in connected devices, told Salon in an email. “People aren’t thinking about hackers while they’re sitting there watching their smart TV, playing with their kids using a connected toy or having an intimate moment in the bedroom with an adult product.”
One of the main reasons why the number of hackable devices is expected to grow is due to how some manufacturers are handling the transition from making products that have lacked connectivity to creating ones that can be hooked up to web servers and mobile devices.
Munro cited a hypothetical example of how these vulnerabilities become introduced into the market. Say a company that makes something simple like a toaster wants to quickly enter the internet of things market in order to gain the advantage of being one of the first. Lacking its own experience with internet connectivity, a company like this might seek out a third-party developer and a chip supplier and make a purchasing decision mostly based on the cost of the necessary components.
But the company might pay little attention to the potential cybersecurity threats along the way. Instead of thinking holistically about all the components together — the chip, the mobile app, the application program interface, the web server — to plan a security strategy early in the product development cycle, the company might consider the threat only as an afterthought. When problems arise, the company is then caught off guard, unable to respond with a wireless software update to thwart any threats found after the product hit the market. This can lead to product recalls and costly civil litigation. Intensive testing before the rollout of a connected product is vital, too.
“Many of the risks we’ve seen even just this year could so easily have been either prevented in the first place or discovered by capable testers before being shipped to consumers,” Hunt said.
So what can consumers do to guard against these new threats to privacy? Both Munro and Hunt advise considering how much risk you want to take for a gadget with a feature you might not need.
“I love the internet of things. There are amazing opportunities, such as helping people in assisted living conditions, the disabled and the elderly and with medical devices,” Munro said. “But I’d say to consumers, Do you actually need that thing? Are you buying it because it’s a gadget or are you buying it because you need it? Be a little wary and exercise consumer caution.”
It’s conceivable that someday a certification process might help consumers know if a product has met cybersecurity standards. But until such a process is in place, the rule of thumb for buying connected gadgets is “buyer, beware.”