The Cyber Show Explores IoT Security Risks and Penetration Testing in New Episode
This episode of The Cyber Show features Ken Munro from Pen Test Partners, who discusses the security risks of connected devices, often referred to as the Internet of Things (IoT). The conversation explores how these devices, from smart TVs to children's toys, can become vulnerabilities in homes and businesses due to poor security practices. Munro explains that while many manufacturers prioritize speed and functionality over security, the consequences can range from privacy invasions to life-threatening risks, particularly in medical or industrial settings.

One of the central topics is the nature of penetration testing (pen testing), in which security experts simulate cyberattacks to identify weaknesses in systems. Munro describes how pen testers look for misconfigurations, open ports, or flawed encryption in devices, and often find that developers "roll their own" security solutions instead of using proven standards. This leads to vulnerabilities such as unencrypted data transmissions or undocumented backdoors that attackers can exploit. For example, a smart TV was found sending voice recordings to a third-party server in plain text, exposing private conversations. The discussion highlights how even well-intentioned features, like remote support for industrial devices, can become security risks if they are not properly documented or secured.

The episode also delves into the motivations behind insecure IoT devices. Munro argues that most vulnerabilities stem from oversight rather than malicious intent: manufacturers rush products to market without adequate security testing or funding for long-term updates. However, he acknowledges that some companies collect excessive data under vague terms of service, often selling it to brokers. This raises ethical concerns, particularly when sensitive data, such as usage patterns from smart sex toys, could endanger users in regions where certain behaviors are criminalized.
The conversation underscores the need for better regulations, like the UK's Product Security and Telecommunications Infrastructure (PSTI) Bill, which mandates security standards and support lifespans for devices. Yet enforcement remains a challenge, leaving consumers to navigate a market where security is rarely transparent.

Another key focus is the unintended consequences of IoT in sensitive environments, such as healthcare. Munro shares a chilling example of a flawed insulin pump system in which hackers could have altered blood sugar readings, leading to fatal doses of insulin. While IoT can enable life-saving innovations like continuous glucose monitoring, the lack of rigorous security testing in medical devices poses severe risks. The episode also touches on "right to repair" debates, where users are often denied control over their devices due to proprietary software or legal restrictions. Munro advocates for "everything off by default" policies, under which users explicitly enable features like microphones or cameras, and for manufacturers to disclose how long they will support a product's security updates. Without these measures, devices become liabilities once support ends, leaving users vulnerable to exploits.

Finally, the discussion addresses the broader societal impact of IoT, including disinformation and the erosion of privacy. Munro points out how seemingly benign devices, like smart meters, can reveal intimate details about a household's habits, while CCTV cameras with undocumented audio recording capabilities can turn into surveillance tools. The episode concludes with practical advice for consumers, retailers, and governments. Consumers are urged to research products for past vulnerabilities before purchasing, while retailers should vet suppliers for long-term support commitments. Governments are encouraged to enforce existing regulations and resist industry lobbying that prioritizes speed over security.
The overarching message is that IoT security requires a cultural shift—one where manufacturers, regulators, and users all take responsibility for safeguarding data and privacy in an increasingly connected world.