Consumer group Which? has found that Amazon is promoting webcams, baby monitors and home surveillance cameras with gaping security flaws which could be used to spy on their customers.
Researchers tested six wireless cameras that had received the coveted Amazon’s Choice label, driving them to the top of the company’s search results, but found serious loopholes including weak passwords and unencrypted data.
The Guru reached out to cybersecurity experts to get their view on the news.
Jonathan Knudsen, senior security strategist at Synopsys:
“Unfortunately, everyone in the ecosystem assumes that security is an upstream responsibility. Parents who are buying a baby monitor assume that Amazon would only recommend secure products. Amazon assumes that vendors are creating secure products. The vendors themselves use a variety of third-party software components that they assume are secure.
“In the pell-mell rush to get products to market, security is often neglected or ignored entirely. Vendors can improve the security and quality of their products by adopting a secure development life cycle, in which security is evaluated and risk is minimized throughout the phases of product development. Amazon can perform its own security evaluations on products and include the results in its criteria for recommendations.
“The processes and tools to improve security are already available; what is needed now is more awareness, and a culture in which security is a product differentiator.”
Paul McEvatt, Senior Cyber Threat Intelligence Manager at Fujitsu:
“As IoT becomes increasingly prevalent in the home, ensuring the security of devices that are a gateway into the privacy of people’s homes must be an absolute priority. The lack of security controls dampens consumer trust, and with 39 percent of UK citizens saying they have less trust in organisations now than they did five years ago, companies cannot afford to implement limited security controls. More must be done to understand the overall impact of releasing IoT products to market with security vulnerabilities. It should not be possible for criminals to hack cameras of individuals in their homes shows, particularly as certain techniques are taking advantage of hardcoded passwords.
“This reinforces the importance of having a ‘security and privacy by design’ approach and a kite mark standard approach to manufacturers of IoT devices. This would allow consumers to evaluate which products have passed security checks before they purchase them. This will provide a level of reassurance for consumers that their privacy and safety are safe in this connected world.”
Wai Man Yau, Vice President and General Manager International of software security specialists Sonatype:
“The revelation that more than 50,000 internet-connected cameras sold by Amazon and other retailers could have critical security flaws will send a shiver down the spine of consumers, but this is only the tip of the iceberg.
“Every day thousands of vulnerable software components are built into a wide range of devices, and this isn’t limited to unknown brands lurking on Amazon; last year alone the average UK enterprise downloaded 21,000 components with a known security flaw, while faulty components are being used by some 57% of the Global Fortune 100. Which? rightly advises people to buy from known brands with a reputable website and customer support service. However, this will only protect them from some security risks, and overlooks the enormous threat posed by vulnerable software.
“To truly protect consumers, security needs to be designed into connected devices from the very beginning. The tools are available to enable manufacturers to build security into their applications right from the start, meaning failure to do so should amount to gross negligence. No other manufacturing industry is permitted to ship known vulnerable or defective parts in their products, so why should the software components in connected devices be any different? Retailers too must be more stringent about the products they stock, and take responsibility for protecting their user base. Manufacturers, retailers, governments and consumers all need to be educated about the risks, and work together to secure our increasingly connected world.”
