If you're a hacker, after the SolarWinds attacks of 2020, it's hard to think how you could resolve to do much better in 2021.

But the rest of us, though, making our New Year's resolutions, could stand to up our cybersecurity game a bit.

The Internet of Things (IoT), in particular, is "the new technological Wild West", says Tanner Johnson, a senior cybersecurity analyst at Omdia.

Figure 1: Take me to your smart fridge: Is your cybersecurity setup up to snuff? Someone could be watching you...
(Source: Marcelo Braga on Flickr CC2.0)

And diversity is its strength, and its Achilles' heel.

The costs of incorporating connectivity into previously unsmart devices has diminished greatly in recent years.

But as the variety of IoT devices evolves and spreads, the challenge of managing them and the data they produce becomes more complex.

The IoT has a core, with a relatively small number of mature components from a shortlist of well-known vendors.

And meanwhile its exciting vast periphery lacks things like traditional operating systems, device agents and onboard user interfaces to interact with.

With the global number of installed IoT devices reaching 27.5 billion at the end of 2020, and doubling to 45.9 billion by 2025, this is a big problem indeed.

Can I interest you in a firewall for your fridge?

Case in point.

In 2017, CloudPets were all the craze.

The teddy bears and other soft toys, made by a California company called Spiral Toys, were fitted with a microphone and speaker.

Children could record their messages and play back voice recordings from friends and family.

These were uploaded to the Internet by a Bluetooth-connected app.

What could possibly go wrong?

Except the online database of 800,000 user credentials and millions of voice recordings wasn't protected.

Hackers harvested the recordings and credentials for ransom.

Security researchers quickly found you could trigger the microphone and use the toys to spy on their surroundings.

But clearly everyone learned the lesson and moved on.

Except in 2018, an Bluetooth-enabled adult toy maker called (yes) Vibratissimo turned out to be using a complete lack of encryption.

A dildo database containing all the customer data, including users' names, chat histories, plaintext passwords and home addresses, was basically readable for everyone on the Internet.

Even mainstream IoT devices haven't been immune.

In 2019, Amazon's doorbell camera system Ring turned out to create an insecure access point on initial configuration.

If you were malicious, you could intercept the Wi-Fi passwords of anyone setting up the device.

Amazon fixed the problem in an automatic update after security researchers pointed out the flaw.

And in 2020, the Philips Hue Lightbulb was vulnerable to having hackers take control and install malicious firmware.

They could then mess with the light, and when you reset the bulb to fix it, the hackers could deploy the malicious firmware to spread ransomware or spyware throughout your business or home network to other devices using the ZigBee protocol.

Signify issued a patch in an automatic update after security researchers CheckPoint explained the vulnerability.

2021 a year for (only intermittently) smart devices

It's not a problem that's going away in 2021.

The huge load coronavirus has put on health services will keep driving them virtual, with patient-monitoring IoT equipment hoovering highly sensitive data up to the cloud.

Big tech companies have been engaged in a spurt of M&A, snapping up IoT security startups.

Microsoft bought Massachusetts-based IoT security company CyberX in June 2020, to up the security game of its Azure IoT business. It also forged a partnership with Honeywell's Forge analytics program with an eye to industrial markets.

Want to know more about AI and automation? Check out our dedicated AI and automation channel here on Light Reading.

Palo Alto Networks launched an IoT Security Solution, also in June, after buying IoT security vendor Zingbox the September before.

Another good development is security vendors starting to provide their solutions on the cloud, in the form of software-as-a-service.

This lets security companies consolidate their offerings, and harvest larger-scale insights and analysis from clients' IoT footprints.

And companies' perimeters are dissolving, with more people working from home. On the one hand, this means your employers can't rely on information security approaches in their physical offices. While this means your home networks can introduce vulnerabilities to your employers' assets, it also means you can find better security solutions than your bosses offer.

And finally, lest you think we're all in this together when it comes to the coronavirus, be warned: As many as one in ten domains registered with variations of names like "coronavirus" and "COVID" are malicious in nature.

So your IoT needs a mask too.

Related posts:

— Pádraig Belton, contributing editor special to Light Reading