At some point, the Internet of Things (IoT) will permeate through all of the devices and appliances we purchase for our home, similar to how 3D TVs were once ubiquitous despite the lack of consumer demand earlier this decade. You might not have a choice other than to purchase a “smart” fridge, an Internet-connected washing machine, or a WiFi enabled air-conditioner to replace your broken appliances.
The commoditization of putting a chip in things has created an explosive growth of smart devices and left us surrounded by a web of insecure things. The security of devices can only be described as idIOTic.
So, what steps can you take to protect yourself as our daily lives get assimilated into the Borg universe?
The first step is to accept that IoT devices are unlikely to receive timely updates and have a multitude of vulnerabilities that are either well known or will be discovered in the near future.
Every IoT device carries an unknown quantity of risk to your network and the Internet at large. The device itself could invade your privacy on behalf of an attacker or it could be used as a redirector or hop point to further compromise your network of personal computers or it could be used as a drone to participate in distributed denial of service (DDoS) attacks.
So how can you protect yourself, once you’ve accepted the insecurities present in IoT?
IoT devices communicate with a controller service, which is typically a web based service managed by the device manufacturer or a local smart hub that relays all of the IoT communication.
In order to mitigate against the risk posed by IoT devices, we can deploy network segmentation to isolate the network activity of the device from the rest of the home network. Most wireless routers are now offering a “Guest Network” option to create an isolated wireless network, which broadcasts itself as a separate Wi-Fi access point. These guest networks allow wireless devices to connect to the Internet like normal but prevents the devices from accessing the rest of the network.
Some implementations of the guest network go as far as to prevent device communication within the local guest network so devices can’t communicate with one another and thus prevent the next IoT worm from spreading from your DVR to your toaster. However, this will impede devices that communicate with a smart hub on your local network.
Smart devices are supposed to improve and enhance our life so it doesn’t make sense if each device adds an additional mental burden, requiring us to routinely check for firmware updates.
Enabling automatic updates on devices will make sure you’re up to date and not exposed to public vulnerabilities.
While device updates may be infrequent or delayed, it’s still good cyber hygiene. Attackers routinely rely on users running outdated devices to conduct their nefarious activities. It’s the low-hanging fruit, as they say, and threat actors very often will get in through the easiest route.
Think of it as leaving your front door unlocked. It’s just common sense.
Poorly designed IoT devices will ship with a hard-coded administrator password and, even worse, some won’t allow you to change the password.
Always change the default password. If you’ve purchased a device that won’t allow you to change the administrative password, you should exchange the device for one that exhibits a better security posture.
Again, attackers will follow the path of least resistance: they won’t research and develop a fancy zero-day exploit when a simple known password works just as well to get them what they want – your data.