IoT Has Arrived
With the holiday season in full swing, many of us have Internet of Things (IoT) devices on our wish lists or the wish lists of friends and family. These are home automation technologies like lights, thermostats, doorbells, smart TVs, and refrigerators, as well as more personal devices like smartwatches, fitness trackers, baby monitors, and connected medical devices. By now you have probably heard some of the concerns being brought up by the cybersecurity community around the security and privacy issues that come along with this exciting new technology, but have you done anything about it? Between malware taking over 500K routers across the world and strangers peering into video baby monitors, the threat is real. IoT devices are generally rushed to market with a lack of focus on security because, frankly, the general public is unaware of the issues or unwilling to use their dollar votes to improve the security of these devices.
What Can You Do
So, being the family tech support guru that you are (making this assumption since you’re reading the TechGuard blog, of course), how can you help secure yourself and your friends/family as you unwrap and plug in these devices? Well, the FBI has recently issued a press release with some tips on building a digital defense to help secure IoT devices. Their recommendations are below:
- Change the device’s factory settings from the default password. A simple Internet search should tell you how—and if you can’t find the information, consider moving on to another product.
- Passwords should be as long as possible and unique for IoT devices.
- Many connected devices are supported by mobile apps on your phone. These apps could be running in the background and using default permissions that you never realized you approved. Know what kind of personal information those apps are collecting and say “no” to privilege requests that don’t make sense.
- Secure your network. Your fridge and your laptop should not be on the same network. Keep your most private, sensitive data on a separate system from your other IoT devices.
- Make sure all your devices are updated regularly. If automatic updates are available for software, hardware, and operating systems, turn them on.
The most impactful suggestion here, in my opinion, is to change the default password. A lot of the headlines surrounding scary IoT hackers really come down to someone who created an automated scanner that looks for a particular IoT device or devices and just tries signing in with the default password. This is such an easy thing to update on most devices that there is really no excuse for not following this advice.
The next most important thing on this list is updating the devices regularly. Many people don’t see the devices on their networks as systems that require maintenance. Just like your car needs regular oil changes and the filter in your air conditioner needs to be replaced, these IoT devices need to get on your maintenance schedule. If there is an automated update option, just enable it. Otherwise, make a recurring calendar reminder to yourself to go in and run the update features at least monthly.
Lastly, there is the separate network issue. Unfortunately, for most home users this is going to be beyond the scope of their capabilities, and the IoT manufacturers will certainly not help home users implement this. That said, it is a worthwhile endeavor and can be achieved in several ways. I think the simplest way to achieve this is to enable the guest Wi-Fi on your router and always join IoT devices to this segregated network. This will grant the IoT devices the internet access they need, but not access to the other devices within your network. Regrettably, this will not work for every IoT device, as some devices may need to be on the same network depending on their function; however, many devices will work just fine on this isolated network.
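One way to check the segregation described above, as an added example that is not from the FBI release or this post: the script reads a router's DHCP lease list (dnsmasq lease format) and flags IoT devices that still hold an address on the main LAN. The address ranges, hostname hints and sample leases are assumptions constructed for illustration.

```python
import ipaddress

# Assumed address plan (not from the article): main LAN and guest Wi-Fi ranges.
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")

# Hypothetical hostname fragments that mark a lease as an IoT device.
IOT_HINTS = ("fridge", "thermostat", "doorbell", "camera", "tv", "monitor")

# Constructed sample, dnsmasq lease format: expiry MAC IP hostname client-id
SAMPLE_LEASES = """\
1735689600 aa:bb:cc:00:00:01 192.168.1.10 work-laptop 01:aa:bb:cc:00:00:01
1735689600 aa:bb:cc:00:00:02 192.168.50.21 kitchen-fridge *
1735689600 aa:bb:cc:00:00:03 192.168.1.33 hall-thermostat *
1735689600 aa:bb:cc:00:00:04 192.168.50.22 front-doorbell *
1735689600 aa:bb:cc:00:00:05 192.168.1.40 livingroom-tv *
"""

def parse_leases(text):
    """Yield (hostname, ip) per well-formed lease line; skip malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            yield fields[3], ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # unparseable address: ignore the line

def is_iot(hostname):
    name = hostname.lower()
    return any(hint in name for hint in IOT_HINTS)

def audit(text):
    """Sort IoT hostnames by the network their current lease places them on."""
    result = {"iot_on_trusted": [], "iot_on_guest": [], "iot_elsewhere": []}
    for host, ip in parse_leases(text):
        if not is_iot(host):
            continue
        if ip in TRUSTED_NET:
            result["iot_on_trusted"].append(host)  # shares a LAN with laptops
        elif ip in GUEST_NET:
            result["iot_on_guest"].append(host)
        else:
            result["iot_elsewhere"].append(host)
    return result

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_LEASES).items():
        print(f"{bucket}: {', '.join(hosts) or 'none'}")
```

A guest-range address only shows where a device joined; whether the router actually blocks guest clients from reaching the main LAN depends on its guest or client isolation setting, which is worth confirming in the router's admin page.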
The Future of IoT Security
I wish I could say the security of IoT has improved drastically since it went mainstream; however, that’s really not the case. I do believe that overall awareness of these issues has increased, and some companies have recognized the need to incorporate better security into their products, but overall the risk level is still very high. However, as more and more people begin to incorporate these devices into their home networks, the impact of vulnerabilities goes up, as does the incentive for attackers to discover those vulnerabilities. Unlike most government and enterprise networks, the security of home networks is a pretty low bar. I am happy to report that recently, legislation was introduced in the Senate and the House to create some standards around the cybersecurity of IoT devices. Even though these particular pieces of legislation pertain specifically to devices sold to government agencies, they do have the potential to at least establish a standard, and since many of the vendors on the government side also sell consumer goods, we may just see improvements across the board by default. Whatever the future holds for IoT security, following good security hygiene such as the tips provided by the FBI can go far in protecting your security and privacy.
Written by Zach Turpen
Zach Turpen is a Cybersecurity Consultant at TechGuard Security where he conducts penetration tests, vulnerability assessments, social engineering exercises and develops detailed incident response procedures. With experience spanning over 6 years in a Fortune 100 environment he is also CISSP, CEH, GSEC, Security+, Splunk, Rapid 7, ITIL and VMware certified. Zach graduated Summa Cum Laude from McKendree University with a bachelor’s degree in Computer Information Systems. He has worked on the front line of security as an Incident Responder, as a Lead Security Engineer implementing multi-million-dollar projects (SIEM, NGAV, Web Proxies, NGFW) and as a Security Architect migrating business applications to the cloud. In his spare time Zach enjoys spending time with his wife and two kids, gardening and kayak fishing.