Smart devices are becoming more common and more affordable… but do they have the security we need them to have? They’re convenient, they often provide significant savings – but they can also present some very significant risks.
Why IoT Security is a Major Issue
People are fascinated by gizmos and gadgets and technophiles take that fascination to a new level. The ever-increasing ability to integrate and automate our homes and businesses presents some new risks, however: since IoT security arose as an afterthought, a Pandora’s Box of dangers has been opened, all of which should be considered before connecting a smart thermostat or baby-cam.
Many people start out with just a single device, connected to their smartphone via an app. Maybe they’re looking for ways to make their home more secure with a motion-activated outdoor camera or hoping to trim their utility bill with a smart thermostat. No danger there, right?
Don’t bet on it. As is the case with many things these days, “it depends”.
The First Chink in the Armor
Suppose you decide to install a wireless camera on your front porch, so you can see who’s outside before opening your door. It’s activated by both motion-detection and the doorbell and it comes with a handy app that allows you to view from your phone. It will even notify you when you’re at work, and it includes 2-way voice communication! Handy, and at a surprisingly low cost – you decide to take the plunge.
Installation is a breeze, and pairing the device to your phone is automatic. You feel as though you’ve taken an important step in keeping your family safe.
What you don’t realize, though, is that there’s no authentication protocol between the camera and your router. That means that anyone with the know-how and equipment needed to link to that camera (a disappointingly low bar) can now also connect to your entire network. And so it begins…
Once they’ve gained access to your network, that’s just the first ripple, because when you’re at home, your phone is connected to your WiFi network (as would be your child’s laptop, your wife’s tablet and phone and possibly your security alarm system). And your desktop, even if connected by cable, rather than wireless, may now be more vulnerable, as well. That alone could be catastrophic, particularly if you have any sensitive financial credentials saved.
So aside from the potential of having your bank account cleaned out, all your family’s contacts jeopardized and your family members’ identities subject to theft, the intruders might even be able to disable your alarm system.
And that’s just from the addition of one “handy” wireless camera. Imagine what could happen with the addition of other devices, like “smart” locks.
A Flooded Market
A great many innovative devices have been introduced, allowing us to control lighting, temperature, entertainment systems and more. Some of those devices have the ability to listen to or view what’s going on inside our homes or offices. Even for non-technophiles, they can offer a great deal of convenience and advantages, so the market for those products is booming.
And whenever a market is in a boom, new suppliers surface quickly, offering something just a little shinier or a little cheaper… usually at a lower production cost. They may have shaved cost on materials, of course. But they quite likely also spent a lot less on development. First, because they often reverse-engineer an earlier product; second, because they cut corners on programming. They’re selling function, not security. So they invest in what they’re selling. Many of these late-comers will come from off-shore. And by “late-comer”, we’re talking days later, not weeks or months.
How Much Security Should your Smart Network Have?
First, to be clear… very few smart devices incorporate any security. Most, if not all, can be hacked relatively easily. So the real goal is to secure your network. With any system of connected devices, in order to determine the sort of security we should build in, we have to consider the following:
- Does the data need to be kept private?
- Is the safe arrival of the data important?
- Does access to the device need to be restricted?
- Will the device’s software/firmware need to be updated?
- Must the ownership of the device be transferred or managed securely?
- Will auditing of the data be necessary?
- Does the data need to be seen as trusted?
Answering those questions will tell us what sort of security needs to be implemented. And for many devices, the implementation of those measures is neither easy nor inexpensive. That means when purchasing smart devices to connect in your home or business – any smart device – it’s imperative to ensure either that they include adequate protections or that you add protection yourself, because any single device on your system could be a point of entry to your entire network and everything on it.
Many smart devices have no protection whatsoever integrated. Your smart refrigerator probably doesn’t seem like a very likely target for an intrusion, and I’m aware of no AV system specifically designed to protect refrigerators. As we said, it’s virtually impossible to find effective protection for many smart devices. But what you can do is isolate your system so that, at least, an intruder can’t penetrate any deeper than your vegetable drawer.
Securing your Network
There are a number of things you can do to make your network secure. Many of them are advisable even if you’re not using any smart devices.
1. Use a strong security protocol
WEP (Wired Equivalent Privacy) is still widely used, but it’s easily hacked. You’re much better off using WPA2 (WiFi Protected Access II) with a very strong password.
2. Use a vague, unique SSID (Service Set Identifier)
Don’t call your network “Smith Home Network” or anything which might be easily identified with your social information. “NSA Surveillance Unit 449B” is unlikely to be tied to you… unless you happen to work for the NSA.
3. Don’t allow guest access
Disable guest network access and don’t “lend” access to others.
4. Use two networks
If your router can handle multiple SSIDs (many can), set up two separate networks: one for desktops, tablets or phones for all web activity and another for just the smart devices.
5. Use sound password management practices
Never use the factory-set password on routers, switches, smart TVs and the like – change the default password to a complex, strong password. Change the passwords regularly and, while you’re at it, change your usernames too, if possible.
6. Use a firewall
Every Internet connection should be protected by a firewall. All computers and most IoT devices will provide information on the ports, IP addresses and protocols used – set up your firewall to allow access to those only. If a device requires unhindered access to the Internet, it’s not a device you want to install on your network.
7. Consider a UTM
If you have several smart devices installed, you may want to take the extra precaution of installing a UTM (Unified Threat Management) appliance to detect and block intrusions. A UTM will also manage the Internet gateway and provide antivirus protection for your network.
8. Use security software when available
Where possible, use security software on any mobiles used to control or monitor any IoT devices. Hackers often try to access smart home devices via malicious Android apps.
9. Keep firmware up to date
IoT companies aren’t always conscientious about patching vulnerabilities and pushing out updates, so you should check periodically for available updates on all your system devices. This is especially critical for hubs, routers, UTMs and firewalls.
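To make steps 4 and 6 concrete, here is an added example (not part of the original article) that audits traffic from a separate smart-device network against a default-deny allow-list built from each device's documented ports, IP addresses and protocols. The subnets, device addresses, destinations and flow records are all constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Assumed layout: one trusted network, one network for smart devices only (step 4).
TRUSTED_NET = ipaddress.ip_network("192.168.10.0/24")
IOT_NET = ipaddress.ip_network("192.168.50.0/24")

# Per-device allow-list from the vendor's documented destinations (step 6).
# Every address and port below is a constructed sample value.
ALLOW = {
    "192.168.50.10": [("203.0.113.0/28", "tcp", 443), ("203.0.113.53/32", "udp", 123)],  # camera
    "192.168.50.11": [("198.51.100.7/32", "tcp", 8883)],  # thermostat
}

# Constructed flow records, one per line: source, destination, protocol, destination port.
SAMPLE_FLOWS = """\
192.168.50.10 203.0.113.5 tcp 443
192.168.50.10 192.168.10.25 tcp 445
192.168.50.11 198.51.100.7 tcp 8883
192.168.50.11 192.0.2.99 tcp 23
192.168.50.12 203.0.113.5 tcp 443
192.168.10.25 192.168.50.10 tcp 554
"""

def verdict(src, dst, proto, dport):
    """Return (action, reason) for one flow under a default-deny policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in IOT_NET:
        return ("skip", "source is not a smart device")
    if d in TRUSTED_NET:
        return ("block", "smart device reaching into trusted network")
    rules = ALLOW.get(src)
    if rules is None:
        return ("block", "unknown device on smart-device network")
    for net, r_proto, r_port in rules:
        if d in ipaddress.ip_network(net) and proto == r_proto and dport == r_port:
            return ("allow", "matches documented destination")
    return ("block", "destination not in device's documented list")

def audit(flow_text):
    """Evaluate each well-formed flow line; malformed lines are ignored."""
    results = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        src, dst, proto, dport = parts
        results.append((line, *verdict(src, dst, proto.lower(), int(dport))))
    return results

if __name__ == "__main__":
    for line, action, reason in audit(SAMPLE_FLOWS):
        print(f"{action:5} {line:36} {reason}")
```

Anything reported as "block" is traffic the firewall should be dropping: a smart device reaching into the trusted network, an unrecognized device on the smart-device network, or a destination the vendor never documented.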
If you’re thinking of converting your home or business to “smart” status, you need to start by being smart. Research every device and get as much protection as is available at that level, then insulate your devices from your network so that even if a device is breached, the intrusion stops there. If in doubt, consult a professional.