Protecting Your Electronic “Toys”
Author: Aaron West
Did you get a new Internet connected / Internet of Things (IoT) gadget recently? Maybe more than one? It could be that these IoT devices now outnumber the laptops and smartphones in your home network. Indeed, you probably saw the news recently that attackers took control of a baby camera and spoke directly to the child. Perhaps the only thing more concerning about this massive invasion of privacy is that it was only caught because the hackers chose to announce themselves to the victim. One of the biggest misconceptions of “getting hacked” is that you’ll know it when you see it. Not necessarily. The reality is that if your new IoT gadget is compromised, it likely won’t be obvious to you.
When attackers successfully compromise a device, such as a camera attached to your home network, their first objective is usually reconnaissance (e.g. snooping, spying and planning). What else is connected to the network of the device they just compromised? Can they access your home router from the compromised device and then access valuable data from your connected hard drives? Unfortunately, a concealed attacker can just sit and watch for a very long period of time and never alert you to their presence. Our best defense is to prevent a compromise or to minimize its impact. What are the vulnerabilities of IoT gadgets and how can you protect yourself and your family?
California’s so-called “IoT Security” law (CA Senate Bill No. 327 and its cohort, Assembly Bill No. 1906), effective January 1st, recognizes that IoT devices are frequently boxed with the same default password for their entire model line. The California IoT Security law therefore requires manufacturers to create unique passwords for each device and to prompt the user to change the default password upon first use. So, if you didn’t change the password or if your device didn’t prompt you to change the default when you bought it, do so as soon as possible.
Creating layers of defense against the vulnerabilities that likely reside within your IoT devices is the best approach. For your home network, IoT devices should be on the guest network or guest channel. By doing this you create a barrier between those devices and your main network, where your home computers and likely other devices containing valuable data reside.
Another risk could be an IoT device connected to your home network that you don’t know about (which limits your ability to add extra protection). An information security leader reported that a drink machine vendor arrived at his business to switch the old appliance with a new internet-connected drink machine. A well-meaning employee attempted to help the vendor connect the machine to the corporate network; the security leader only learned of this event because the employee came to the help desk to obtain the network credentials. The password was not given, but what if it had been? More relevant to the personal theme of this article, has a family member connected an IoT device to your network without your knowledge? If you don’t know about it, then you can’t take the steps to prevent compromise. Some home network routers provide mobile apps that alert you when a new device joins your network. Use this feature if available. In fact, compatible routers can limit connection privileges for specific devices, such as with Apple’s HomeKit. This can help limit an attacker’s ability to extend a takeover of a single IoT device to the rest of your network.
The number and diversity of IoT devices being added to the internet is growing daily. Gartner predicts the number of IoT devices to be over 20 billion by the end of this year and close to 50 billion by the end of 2022. As a result, the number of potential vulnerabilities also increases. Unfortunately, we can’t just press an “automatically secure my IoT devices” button and forget about it.
So, here’s your home IoT device security to-do list:
- Change your default passwords.
- Separate your IoT devices from your critical assets on the network (easy solution: if your network supports it, set up a guest network).
- Check for new smart devices in your home that might be connected to your network – ask family members or roommates if they’ve added a device of which you are not aware.
- Be smart when shopping for new technology and make sure to look for security features such as the ability to update firmware. Use a known vendor with a track record of making security updates.
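For readers whose router or home server exposes its DHCP lease list, the second and third items on this list can be checked automatically. The script below is an added example, not part of the original article: it assumes a dnsmasq-format lease file, and the sample leases, the device inventory and the guest subnet `192.168.50.0/24` are all constructed for illustration.

```python
import ipaddress

# Constructed sample in dnsmasq lease-file format:
#   <expiry-epoch> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
1700003600 3C:22:FB:10:20:30 192.168.1.20 laptop 01:3c:22:fb:10:20:30
1700003600 a4:cf:12:aa:bb:01 192.168.50.31 nursery-cam *
1700003600 b8:27:eb:44:55:66 192.168.1.77 smart-plug *
1700003600 de:ad:be:ef:00:99 192.168.1.88 * *
this line is malformed
"""

# Assumed household inventory: MAC -> (label, is_iot). All values constructed.
KNOWN_DEVICES = {
    "3c:22:fb:10:20:30": ("laptop", False),
    "a4:cf:12:aa:bb:01": ("nursery camera", True),
    "b8:27:eb:44:55:66": ("smart plug", True),
}
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")  # assumed guest subnet


def parse_leases(text):
    """Yield (mac, ip, hostname) per valid lease line; skip malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            ip = ipaddress.ip_address(fields[2])
        except ValueError:
            continue
        yield fields[1].lower(), ip, fields[3]


def audit(text, known=KNOWN_DEVICES, guest_net=GUEST_NET):
    """Return findings for unknown devices and IoT devices off the guest net."""
    findings = []
    for mac, ip, hostname in parse_leases(text):
        if mac not in known:
            findings.append(("unknown-device", mac, str(ip), hostname))
            continue
        label, is_iot = known[mac]
        if is_iot and ip not in guest_net:
            findings.append(("iot-on-main-network", mac, str(ip), label))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LEASES):
        print(*finding)
```

On the constructed sample it reports the smart plug sitting on the main network and one device that is not in the inventory; the camera on the guest subnet and the laptop pass.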
About the Author
Aaron West is an information security professional with over 25 years of combined military service and business experience, leading in various roles. Aaron holds master’s degrees in Cybersecurity and Risk Management, Information Technology Management, Security Studies, and Military Strategic Operations. He also earned a Graduate Certificate from the Kelley School of Business and a Green Belt in Lean Six Sigma from the U.S. Army.