Sun, Feb 5, 2017

Smart Doesn’t Mean Secure

Imagine this. You are taking a quick nap after work in your self-driving car while it is bringing you home in the shortest time possible given real-time traffic conditions. Your house temperature has been adjusted to a comfortable level before you reach the door, which opens automatically when your security camera recognises your face as you draw near and signals the smart-lock to open.

These are no longer scenes from a forward-looking sci-fi movie. Across the globe, smart systems and smart cities are being promoted as solutions that will improve efficiency, productivity and, ultimately, the ability to transform our day-to-day interactions and experiences.

Multiple smart products are being produced by a spectrum of enterprises from large technology companies to start-ups. Some carry famous brand names, while others are effectively generic products. The global smart home market is forecast to reach approximately US$121 billion by 2022, according to a leading market research firm, MarketsandMarkets, while the smart city market is predicted to reach US$757 billion by 2020.

However, for smart technology to realise its market potential, those who design, build and sell these devices — and legal counsel who advise clients in this space — must recognise and address the challenges of protecting the devices (as well as the information they use and need) from cyber attacks. This is particularly important in large-scale deployments of smart systems, such as in smart buildings or smart solutions covering entire cities. For example, according to a Wall Street Journal article, Singapore’s Smart Nation programme, launched in 2014, “is a sweeping effort that will likely touch the lives of every single resident in the country, in ways that aren’t completely clear since many potential applications may not be known until the system is fully implemented”.


In our experience investigating a wide variety of cyber attacks for clients in diverse industries, we are familiar with many areas where vulnerabilities can arise. For this article, however, we will look at just one: insufficient testing for cyber security-related problems.

Functional Performance and Security Must Go Hand-in-hand
While vendors will commonly test functional performance before releasing smart solutions, many have not been as rigorous in testing for cyber security issues. For example, the massive disruption of the internet on the US East Coast on October 21 and 22 this year was attributed to hackers marshalling everyday devices (such as webcams, DVRs and routers), which had been infected with malware, to attack a major internet infrastructure company.

One specific issue identified by experts was the “widespread use of default passwords” by both manufacturers and consumers, which allowed the devices to be compromised in the first place. This particular attack used, in part, code known as Mirai, which can turn internet-connected devices — like security cameras and digital video recorders — into attack weapons. In some cases, it was as simple as using the default user ID of “admin” and the default password of “password” or empty space.

Therefore, testing of these Internet of Things devices requires knowledge of cyber security that goes beyond the device itself. For example, a smart toaster might be secured with a complex password. However, unless a tester knows to look across multiple devices, he or she might never realise that many, if not all, of the devices share the same password. More importantly, there is no simple way for the consumer to replace the default password with a secure one.
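The fleet-level check described above can be sketched as follows. This is an added example, not part of the original article: the provisioning records, serial numbers and complexity rule are constructed assumptions, and only the "admin" / "password" / empty-password defaults come from the text.

```python
import hashlib
from collections import defaultdict

# Defaults named in the article: user "admin" with "password" or an empty password.
KNOWN_DEFAULTS = {("admin", "password"), ("admin", "")}

# Constructed sample records: (serial, username, password) as provisioned at the factory.
FLEET = [
    ("TOAST-0001", "admin", "T0ast!9x#Lq7"),
    ("TOAST-0002", "admin", "T0ast!9x#Lq7"),
    ("TOAST-0003", "admin", "T0ast!9x#Lq7"),
    ("CAM-0001", "admin", "password"),
    ("DVR-0001", "admin", ""),
    ("LOCK-0001", "owner", "r8$Vm2!kPz0q"),
]

def looks_complex(password):
    """Per-device check (assumed rule): length >= 10 with lower, upper, digit, symbol."""
    classes = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    return len(password) >= 10 and all(any(f(c) for c in password) for f in classes)

def fingerprint(username, password):
    """Hash the credential pair so the report never echoes the secret itself."""
    return hashlib.sha256(f"{username}\x00{password}".encode()).hexdigest()[:12]

def audit_fleet(records):
    """Return serials using a known default, and groups of serials sharing one credential."""
    defaults, groups = [], defaultdict(list)
    for serial, user, pw in records:
        if (user, pw) in KNOWN_DEFAULTS:
            defaults.append(serial)
        groups[fingerprint(user, pw)].append(serial)
    shared = [serials for serials in groups.values() if len(serials) > 1]
    return {"default": defaults, "shared": shared}

if __name__ == "__main__":
    report = audit_fleet(FLEET)
    for serial, _, pw in FLEET:
        # The toasters pass this single-device test yet still fail the fleet audit.
        print(serial, "complex" if looks_complex(pw) else "weak")
    print("default credentials:", report["default"])
    print("shared credentials:", report["shared"])
```

The toaster password passes the per-device complexity test, but the fleet audit still reports all three toasters as sharing one credential, which is the gap a single-device test cannot see.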

Looking ahead, as technology evolves, it will be a continual challenge to anticipate security needs. However, it is imperative that companies make cyber security-related testing an integral part of project development to ensure solutions are both smart and secure.

This article was first published by Asian-mena Counsel, magazine for the In-House Community (

