Every year, leading tech/gadget vendors descend upon the world's largest consumer electronics show in an exuberant display of product design wizardry, cutting edge innovation, and of course—a requisite dose of ridiculousness. This year's focus was on connected cars and VR, with IoT device and wearable tech manufacturers out in full force, per the usual. Let's see how good the best of CES 2017 are at protecting customers against cyber attacks.
You may recall the plight of Samsung's tweeting refrigerator, introduced at CES 2011 and later found to be highly exploitable due to a gaping SSL error. Follies of innovation aside, the moral of the story is that novelty will eventually fail to win fans if basic security isn't accounted for.
The jury is out as to whether Samsung's app-integrated and wifi/Bluetooth enabled Family Hub 2.0 smart refrigerator—featured again this year at CES 2017—harbors any exploitable vulnerabilities. The model is now capable of ordering groceries directly from its touchscreen, so let's hope Samsung has the encryption piece down pat this time.
CES 2017 Vendor Roundup: Smart Fridges and Home Robots
Samsung wasn't the only company flaunting its line of smart refrigerators this year. LG wowed the attendees with the introduction of its Smart InstaView refrigerator, powered by Amazon Alexa.
That's right, you can talk to this refrigerator and tell it to do things: play a song or purchase more eggs. Consumers can order these direct from LG's online store.
Google Glass may be a thing of the past, but this company is picking up where Sergei left off: Vuzix's smart sunglasses can be paired with an Android device to watch videos, get driving directions, even snap pictures surreptitiously—the screen is in the right lens.
The Vuzix glasses will be available in the second half of 2017 from select retailers and the manufacturer's website.
How do LG and Vuzix, as well as 3 other CES 2017 favorites—Lego, Mayfield Robotics, and Hubble—perform when it comes to measures of website perimeter security and cyber resilience? Let's find out.
If the resilience of LG's public website is a reflection of its products' security postures, consumers are in trouble. The online store suffers from a myriad of security flaws, including lack of sitewide SSL, missing HttpOnly/secure cookies, disabled SPF, lack of DMARC/DNSSEC, and more.
Smart eyewear maker Vuzix's website scored an average CSTAR score of 703, with various flaws such as server information leakage, lack of DMARC/DNSSEC, and disabled HTTP Strict Transport Security weakening its resilience posture.
Lego was a favorite at CES 2017 for its newly-introduced Lego Boost kit: smart lego sets that teach kids how to code through the building of five different smart toy models.
Popular "smart" toys have been at the center of a security debate since the VTech data breach roughly a year ago—fortunately, it seems that Lego has a good resilience posture, despite flaws detected in its website perimeter security such as server information leakage and disabled DMARC/DNSSEC.
Mayfield Robotics' Kuri was a crowd hit this year at CES 2017—the two-foot-tall home robot sports advanced features such as facial recognition powered by an HD camera (read: Kuri can recognize your individual family members) and IFTTT support for controlling other smart home products and devices. The company just started accepting pre-orders online, but has yet to address critical security gaps in its website: lack of sitewide SSL, server information leakage, and disabled SPF/DMARC/DNSSEC, among others.
Like LG's new smart fridge, Hubble has integrated Amazon Alexa with its smart device offering: Hugo, a robotic virtual assistant with a connected camera that can track movement and recognize people's faces and expressions/moods. The Amazon integration enables it to respond to questions with Alexa, as well as access over 500 apps and functions, from controlling home devices to ordering groceries. Despite its overall good security, Hubble's website suffers from several flaws—server information leakage, lack of secure cookies, disabled DMARC/DNSSEC, open administration ports, to name a few.
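The checks cited for each vendor above (sitewide SSL, HSTS, Server header version leakage, Secure/HttpOnly cookie flags, SPF, and DMARC) can all be evaluated from a single HTTP response and two DNS TXT lookups. The script below is an added example written for this article; it is not UpGuard's CSTAR grader and does not reproduce its scoring. It runs offline against constructed sample data: the domain example.test, the response headers, and the TXT records are all made up for illustration and do not describe any vendor named here. DNSSEC and open-port checks are out of scope because they cannot be judged from a response header or a TXT record.

```python
import re
from urllib.parse import urlsplit

# --- Constructed sample inputs (illustrative; not captured from any vendor in the post) ---
SAMPLE_RESPONSE = {
    # URL the client ends up on after following redirects from http://
    "final_url": "http://shop.example.test/",
    # Response headers as (name, value) pairs; Set-Cookie legitimately repeats
    "headers": [
        ("Server", "Apache/2.4.7 (Ubuntu)"),
        ("Set-Cookie", "session=abc123; Path=/"),
        ("Set-Cookie", "pref=1; Path=/; Secure; HttpOnly"),
    ],
}
SAMPLE_DNS_TXT = {
    "example.test": ["v=spf1 include:_spf.example.test ~all"],
    "_dmarc.example.test": [],  # no DMARC policy published
}


def _header_values(headers, name):
    """All values for a header, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def check_sitewide_ssl(final_url):
    """An http:// start that never lands on https:// means no sitewide SSL/TLS."""
    if urlsplit(final_url).scheme != "https":
        return ["no-sitewide-ssl"]
    return []


def check_hsts(headers):
    """HSTS counts as disabled when the header is absent or max-age is zero."""
    values = _header_values(headers, "Strict-Transport-Security")
    if not values:
        return ["hsts-missing"]
    m = re.search(r"max-age=(\d+)", values[0], re.IGNORECASE)
    if not m or int(m.group(1)) == 0:
        return ["hsts-disabled"]
    return []


def check_server_leak(headers):
    """Server / X-Powered-By values that reveal a product version number."""
    findings = []
    for name in ("Server", "X-Powered-By"):
        for v in _header_values(headers, name):
            if re.search(r"\d+\.\d+", v):
                findings.append(f"server-info-leak:{name}")
    return findings


def check_cookies(headers):
    """Every Set-Cookie should carry both the Secure and HttpOnly attributes."""
    findings = []
    for raw in _header_values(headers, "Set-Cookie"):
        name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in raw.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie-missing-secure:{name}")
        if "httponly" not in attrs:
            findings.append(f"cookie-missing-httponly:{name}")
    return findings


def check_spf(domain, dns_txt):
    """SPF is the v=spf1 TXT record at the apex; +all or ?all makes it ineffective."""
    spf = [r for r in dns_txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["spf-missing"]
    if re.search(r"(^|\s)[+?]all\b", spf[0].lower()):
        return ["spf-permissive"]
    return []


def check_dmarc(domain, dns_txt):
    """DMARC lives at _dmarc.<domain>; p=none only monitors, it does not enforce."""
    recs = [r for r in dns_txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["dmarc-missing"]
    if re.search(r"\bp=none\b", recs[0], re.IGNORECASE):
        return ["dmarc-not-enforcing"]
    return []


def audit(response, dns_txt, domain):
    """Run every check and return the sorted list of finding codes."""
    headers = response["headers"]
    findings = (
        check_sitewide_ssl(response["final_url"])
        + check_hsts(headers)
        + check_server_leak(headers)
        + check_cookies(headers)
        + check_spf(domain, dns_txt)
        + check_dmarc(domain, dns_txt)
    )
    return sorted(findings)


if __name__ == "__main__":
    for code in audit(SAMPLE_RESPONSE, SAMPLE_DNS_TXT, "example.test"):
        print(code)
```

Run as-is it reports the same class of findings the article lists for the weaker vendors: no sitewide SSL, missing HSTS, a version-revealing Server header, a session cookie without Secure/HttpOnly, and no DMARC record. Feeding it the headers of a hardened site (https final URL, HSTS with a non-zero max-age, flagged cookies, an enforcing DMARC policy) returns an empty list, which is the bar the article is measuring vendors against.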
As it turns out, the most popular names at CES 2017 scored a poor-to-average CSTAR rating, with LG and Mayfield Robotics failing the most basic website perimeter security checks such as the existence of sitewide SSL. The popularity of offerings such as the Lego Boost kit will result in more venerable and trusted children's brands getting in on the smart toy market—with children's data privacy on the line, let's hope that security is a top priority for them.
Wondering if purchasing that new connected gadget will put your personal data in jeopardy? Try out UpGuard's free CSTAR risk grader web application and Chrome extension for validating the security posture of your favorite consumer gadget vendor today.