Let’s break this research out. Data from the IoT Inspector, an open-source project that collects data on smart home devices, shows some scary insights: smart home devices from major manufacturers, including Amazon and Samsung, appear to be using old, vulnerable software to handle the encryption of data from their devices.
Researchers looked at device traffic to understand which versions of OpenSSL smart home products might be running, inferring the versions through fingerprinting. The result: 32 Amazon devices, including Echos, 18 Samsung devices, and a smaller set of other products appear to use outdated versions of OpenSSL.
Why do we care?
I was struck by how futile the idea of “manage everything” looks in a modern world. How can someone manage everything when it’s not even possible to ensure every device is up to date? Take a device like an Echo (as an example, not to beat up on them) and note that the device is essentially self-managed, yet may also be entirely out of date.
I’m not convinced a Software Bill of Materials entirely solves the problem. If you can’t simply trust the device, how do you trust its bill of materials either? That clearly calls for zero trust: one can’t trust everything. How many organizations are achieving this?