CloudPets pulled from Amazon and eBay - comment from Webroot
Following today’s news that CloudPets are being pulled from Amazon and eBay due to a cyberrisk, I wanted to share the below comment from David Kennerley, Director of Threat Research at Webroot.
It’s great to see retailers take a stand against poorly designed and configured IoT devices. No matter how innocuous a product may be, if it has ‘smart’ functionality, it becomes a risk that needs to be respected. The fact that in this case the item was a vulnerable child’s toy brings the importance of this action into sharp focus.
IoT devices have been rapidly embraced by the consumer market and enterprises alike. Having an array of connected devices by their very nature increases the potential attack surface area of the network, which when compromised could grant an attacker access to sensitive and highly valuable data. This is the same regardless of whether the device is in a large enterprise or your living room.
Manufacturers of these devices have a responsibility to businesses and customers to ensure that security is built in during the development phase, with appropriate controls in place regarding the processing, storing and transit of end user data, whether remotely or locally. Mechanisms should be implemented that easily allow updates to be applied, while ensuring devices are easy to security harden. For example, enforcing the mandatory changing of default passwords.
End users need to do their research, understanding the security risks associated with a particular IoT product, where possible. Once in place, the maintenance of the device must be prioritised to ensure ongoing resilience. IoT isn’t something you can set up once and forget.