Recent WikiLeaks documents allege that the CIA developed, or sought to develop, or even "borrowed", cyberattack technology that could target a wide range of IoT devices, including smart TVs, connected cars, and mobile phones. In the case of smart TVs and mobile phones, the attacks allowed these devices to be used to eavesdrop on either voice communication, data communication or both.
The concept of using connected devices for gathering intelligence or perpetrating malicious acts is certainly not new, but the scope of activities reported in the WikiLeaks documents is startling to some. However, as someone working on security for IoT devices, I did not find this particularly surprising. I certainly do not have any inside information on the activities of the CIA or other government agencies, but I have seen companies make the same mistakes over and over again in building their IoT devices.
All too often, companies building connected devices either ignore security completely, try to bolt it on late in the development cycle, or treat it as a "nice to have" feature. The companies viewing security as a critical feature and taking a comprehensive approach to securing their devices and networks are in the minority.
It is not surprising an organization with the resources of the CIA could develop effective cyberattacks against a wide range of IoT devices. All too often devices contain easily exploited vulnerabilities that do not require sophisticated cyber-attacks. In many cases the devices have back-doors for remote access by service technicians, weak authentication methods, or default passwords that are never changed. It does not take a nation-state attack to exploit these vulnerabilities.
Even devices that include basic cyber-security defenses often fall short. They may provide a level of protection by encrypting network traffic, harden the device using code signing for trusted boot, or provide other defenses against cyber-attacks, as explained in this teaser video. In many cases, however, these measures do not go far enough. Each device is different, but many fail to provide security on all the device's interfaces, leaving something open to attack. For example, a number of IoT devices have implemented SSH to provide secure communication, but have used an identical shared key for an entire product line. If that shared key is then compromised, all devices using that key are vulnerable.