IoT security moving backwards, says Dark Cubed

  • April 6, 2021
  • Steve Rogerson

IoT security has moved backwards in the past two years, according to a report from Virginia-based cyber-security company Dark Cubed.

The report reveals significant privacy and security flaws in consumer IoT devices and a lack of attention to the security of these devices by manufacturers and major retailers.

It concludes that IoT security quality has largely regressed in the two years since Dark Cubed released its inaugural report on the subject.

“Every day, millions of Americans use myriad IoT devices connected to their home networks, purchased from major retailers,” said Vince Crisler, Dark Cubed CEO and principal author of the report. “Little do they know these devices have little or no security controls resulting in significant privacy and security concerns. The largely unfettered exposure these ubiquitous devices have to bad actors and potentially hostile nation states should be alarming to their manufacturers, policy makers and device users.”

The report’s conclusions include:

  • Every device evaluated had strong supply chain and business connections to China.
  • Most devices had at least one network connection to a server based in China.
  • Many devices failed basic security checks and had significant, basic vulnerabilities.
  • Most devices lack even the security needed to keep consumers’ private images hidden from anyone in the network path between their house and the IoT provider.
  • Most of the Android applications are woefully insecure and were observed sending data to servers in China; these Android applications are installed on phones with access to every detail of the owners’ private lives.

During the course of the study, ten home automation devices in the $20 to $100 price range were purchased and analysed using open-source tools and the cyber-security experience of the Dark Cubed team. The companies branding the devices as well as their technology and data supply chains were also assessed, highlighting not only the complex web of organisations and technologies behind seemingly basic household devices, but also how many of those relationships lead US citizens’ personal data back to storage on Chinese infrastructure.

Additionally, basic attacks were launched against the devices to identify inherent vulnerabilities to relatively unsophisticated cyber-attack techniques. Disconcertingly, nearly all the devices tested failed to include fundamental security mechanisms that would render them invulnerable to such primitive techniques.

“US companies and government agencies spend countless millions protecting against Chinese attacks, but the threat of compromise to the millions of devices in our own homes and the personal and intimate data collected by those devices has been largely ignored,” said Crisler. “We hope this report will help shine a light on what is the trojan horse many of us have unwillingly welcomed into our homes.”

Dark Cubed brings information security to the 99% of companies without the resources to implement security today. The company’s SaaS offering augments existing firewalls to provide enterprise-grade security capabilities. Founded by a former White House CISO, Dark Cubed is headquartered in Alexandria, Virginia.