Breaking News: 198 Million Voter Records Exposed by RNC Data Firms — Read More

CES 2017 Highlights: Which Vendors Are Putting Consumers at Risk?

Last modified on January 12, 2017 By UpGuard

Filed under: security, CSTAR, cyber risk

Every year, leading tech/gadget vendors descend upon the world's largest consumer electronics show in an exuberant display of product design wizardry, cutting edge innovation, and of course—a requisite dose of ridiculousness. This year's focus was on connected cars and VR, with IoT device and wearable tech manufacturers out in full force, per the usual. Let's see how good the best of CES 2017 are at protecting customers against cyber attacks.

You may recall the plight of Samsung's tweeting refrigerator, introduced at CES 2011 and later found to be highly exploitable due to a gaping SSL error. Follies of innovation aside, the moral of the story is that novelty will eventually fail to win fans if basic security isn't accounted for. 

Free DevOps and Security eBooks

The jury is out as to whether Samsung's app-integrated and wifi/Bluetooth enabled Family Hub 2.0 smart refrigerator—featured again this year at CES 2017—harbors any exploitable vulnerabilities. The model is now capable of ordering groceries directly from its touchscreen, so let's hope Samsung has the encyption piece down pat this time.

CES 2017 Vendor Roundup: Smart Fridges and Home Robots 

Samsung wasn't the only company flaunting its line of smart refrigerators this year. LG wowed the attendees with the introduction of its Smart InstaView refrigerator, powered by Amazon Alexa.

samsung.jpgSource: lg.com.

That's right, you can talk to this refrigerator and tell it to do things: play a song or purchase more eggs. Consumers can order these direct from LG's online store.

Google Glass may be a thing of the past, but this company is picking up where Sergei left off: Vuzix's smart sunglasses can be paired with an Android device to watch videos, get driving directions, even snap pictures surreptitiously—the screen is in the right lens.

Vuzix_Blade_3000_Smart_Glasses.pngSource: vuzix.com.

The Vuzix glasses will be available in the second half of 2017 from select retailers and the manufacturer's website.

How do LG and Vuzix, as well as 3 other CES 2017 favorites—Lego, Mayfield Robotics, and Hubble—perform when it comes to measures of website perimeter security and cyber resilience? Let's find out.

1. LG - 429 out of 950

CSTAR - LG

If the resilience of LG's public website is a reflection of its products' security postures, consumers are in trouble. The online store suffers from a myriad of security flaws, including lack of sitewide SSL, missing HttpOnly/secure cookies, disabled SPF, lack of DMARC/DNSSEC, and more.

2. Vuzix - 703 out of 950  

Screen Shot 2017-01-12 at 12.22.20 AM.png

Smart eyewear maker Vuzix's website scored an average 703 CSTAR score, with various flaws such as server information leakage, lack of DMARC/DNSSEC, and disabled HTTP strict transport security weaking its resilience posture.

3. Lego - 783 out of 950 
Screen Shot 2017-01-12 at 12.56.03 AM.png

Lego was a favorite at CES 2017 for its newly-introduced Lego Boost kit: smart lego sets that teach kids how to code through the building of five different smart toy models.

Popular "smart" toys have been at the center of a security debate since the VTech data breach roughly a year ago—fortunately, it seems that Lego has a good resilience posture, despite flaws detected in its website perimeter security such as server informaiton leakage and disabled DMARC/DNSSEC.

4. Mayfield Robotics - 428 out of 950

Screen Shot 2017-01-12 at 4.51.41 AM.png

Mayfield Robotic's Kuri was a crowd hit this year at CES2017—the two foot-tall home robot sports advanced features such as facial recognition powered by an HD-camera (read: Kuri can recognize your individual family members) and IFTTT support for controlling other smart home products and devices. The company just started accepting pre-orders online, but has yet to address critical security gaps in its website: lack of sitewide SSL, server information leakage, and disabled SPF/DMARC/DNSSEC, among others.

5. Hubble - 665 out of 950

Screen Shot 2017-01-12 at 5.06.25 AM.png

Like LG's new smart fridge, Hubble has integrated Amazon Alexa with its smart device offering: Hugo, a robotic virtual assistant with a connected camera that can track movement and recognize people's faces and expressions/moods. The Amazon integration enables it to respond to questions with Alexa, as well as access over 500 apps and functions, from controlling home devices to ordering groceries. Despite its overall good security, Hubble's website suffers from several flaws—server information leakage, lack of secure cookies, disabled DMARC/DNSSEC, open administration ports, to name a few.

Conclusion

As it turns out, the most popular names at CES 2017 scored a poor-to-average CSTAR rating, with LG and Mayfield Robotics failing the most basic website perimeter security checks such as the existence of sitewide SSL. The popularity of offerings such as the Lego Boost kit will result in more venerable and trusted children's brands getting in on the smart toy market—with children's data privacy on the line, let's hope that security is a top priority for them.

Wondering if purchasing that new connected gadget will put your personal data in jeopardy? Try out UpGuard's free CSTAR risk grader web application and chrome extension for validating the security posture of your favorite consumer gadget vendor today.

See What UpGuard Can Do For You

More Articles

How CSTAR Works

All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.
Read Article >

What's In the Website Risk Grader?

The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Article >

Understanding Risk in the 21st Century

And as we enter 2016, the risk of data breaches in particular threatens to hamper business innovation.
Read Article >

The World's First Cyber Resilience Platform

Whether your infrastructure is traditional, virtualized, or totally in the cloud, UpGuard provides the crucial visibility and validation necessary to ensure that IT environments are secured and optimized for consistent, quality software and services delivery.

See how it works at UpGuard.com