I’ve recently had the opportunity to purchase some “smart” devices that everyone seems to be referring to as the Internet of Things (IoT).
If you ignore the cool-sounding name, however, an IoT device is really just another computer, but one where you don’t have much say in what software runs on it, or whether it can be patched properly, or even secured at all.
Intriguingly, we often like to poke fun at these devices – after all, what are you really going to do with an internet-enabled kettle? – and to remind everyone else that we don’t need them, even as we rush out and buy them because we like them.
I know plenty of security people who have smart light bulbs, thermostats, cameras and security systems: we love our gadgets, and we can’t resist playing with new technologies to see how they might be used and abused.
But can you join the IoT craze without having your devices turned against you?
Here are 7 tips to help you stay safe:
- Many smart things support Wi-Fi so that you don’t have to plug them into your smartphone or computer every time you want to use them. If your home Wi-Fi router allows you to create separate guest networks to keep untrusted visitors off your regular network, make a special guest network for your “things” and connect them there.
- Many devices, such as video cameras, try to talk to your router to open up inbound holes so they can accept connections from outside. This makes it easier to access them from the internet, but it also exposes your devices to the rest of the world. Turn off Universal Plug and Play (UPnP) on your router, and on your IoT devices if possible, to prevent this exposure. Don’t assume that “no one will notice” when you hook up your device for the first time. There are specialised search engines that go out of their way to locate and index online devices, whether you wanted them to be found or not.
- Keep the firmware up to date on all of your IoT devices – patching is just as important as it is on your PC. It can be time consuming to figure out whether updates are available, but why not make a habit of checking the manufacturer’s website twice a year? Treat it like changing your smoke detector batteries: a small price to pay for safety and security.
- Choose passwords carefully and write them down if needed. Complexity is important, but so is uniqueness. Many IoT devices have been found to have bugs that let attackers trick them into leaking security information, such as giving away your Wi-Fi password. Remember: one device, one password.
- Favor devices that can work without the cloud. IoT “things” that require a cloud service are often less secure, and potentially give away far more information, than those you can control entirely from within your home. Read the packaging carefully to determine whether permanent internet access is needed for the device to function. If it’s “all-or-nothing,” then you can’t try out the device on your own network first.
- Only network devices as much as you need to. If all you want from your TV is to watch broadcast television, you don’t need to connect it to the network at all. If you only want to control it or stream to it from your home network, it doesn’t need access to or from the outside. Eliminate unnecessary internet connections when possible.
- Don’t take your IoT devices to work or connect them to your employer’s network without permission from IT. Insecure devices could be used by attackers as a foothold into the organisation, and used to assist with data stealing and illicit surveillance. You could put your company and your job at risk.
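The UPnP tip above can be verified rather than assumed. The script below is an added example, not code from the original article: it sends one SSDP discovery query on the local network and reports any router that advertises Internet Gateway Device (IGD) services, which is the UPnP feature that lets devices ask for inbound ports to be opened. The multicast address and search target are the standard UPnP ones; the sample reply used to exercise the parser is constructed.

```python
# Added example (not from the article): check whether a router on your LAN
# advertises UPnP Internet Gateway Device (IGD) services, which is what lets
# devices ask it to open inbound ports. The sample response is constructed.
import socket

SSDP_ADDR = ("239.255.255.250", 1900)  # standard SSDP multicast group/port
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
M_SEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\n' f"ST: {IGD_ST}\r\n\r\n").encode()

def parse_ssdp_response(raw: bytes) -> dict:
    """Turn an SSDP '200 OK' reply into a dict of lower-cased headers."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}  # not a search response (or not a success)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def advertises_igd(headers: dict) -> bool:
    """True if the responder claims to be a UPnP Internet Gateway Device."""
    return IGD_ST in headers.get("st", "") or IGD_ST in headers.get("usn", "")

def discover_igd(timeout: float = 3.0) -> list:
    """Send one multicast M-SEARCH and return (ip, location) of IGD responders."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(M_SEARCH, SSDP_ADDR)
        try:
            while True:  # collect replies until the timeout fires
                data, (ip, _) = sock.recvfrom(65535)
                hdrs = parse_ssdp_response(data)
                if advertises_igd(hdrs):
                    found.append((ip, hdrs.get("location", "")))
        except socket.timeout:
            pass
    return found

# Constructed reply, shaped like one from a router with UPnP enabled.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                   b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
                   b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                   b"USN: uuid:0000-constructed::" + IGD_ST.encode() + b"\r\n\r\n")

if __name__ == "__main__":
    hits = discover_igd()
    for ip, location in hits:
        print(f"UPnP IGD advertised by {ip} ({location}); turn UPnP off on the router")
    print(f"{len(hits)} UPnP gateway(s) found on this network")
```

An empty result after a few seconds is what you want to see once UPnP has been disabled on the router.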
Of course, please don’t forget that lists like this are, of necessity, incomplete – after all, security is a journey, not a destination, so don’t imagine that this is our last word on IoT security.
In fact, we’re hosting a Security SOS week, consisting of a series of five daily webinars featuring Sophos security experts, from 14-18 March 2016. (2pm UK time, 10am EDT, 7am PDT.)
The webinars last half an hour each, and we’ll be focusing on the IoT in Friday’s webinar. (18 March 2016.)
We’d love you to join us…it’s free.
Ummm… We are supposed to change smoke detector batteries???
Tip 8. Don’t use IoT at all. You don’t need it really, it’s just the latest ill-considered fad that has been poorly thought through – and they forgot all about security.
Shouldn’t that be Tip Zero 🙂
It would be nice if some respected security organisation could start issuing “security quality marks” for all these “Things” – or better still lobby BSI/ISO to produce a clear standard.
There are some murmurings from UL:
http://www.darkreading.com/endpoint/underwriters-laboratories-to-launch-cyber-security-certification-program/d/d-id/1321202?_mc=sm_dr_editor_kellyjacksonhiggins
From Dark Reading:
I am not sure that I would trust a “government initiative” in this area. I think we need something genuinely independent of government that might then receive international recognition as say an ISO standard.
Underwriter’s Laboratories (UL) is respected, and not governmental. However, I’m not sure of their international reach.
Thank you Chet. With an Android tablet with more than one account, poor vision and old age I am still trying. The security is great, but it would be really nice to talk to someone. I still use a land line because I think it is safer; am I wrong about this?
thanks
mm
The question is, safer against what adversary? There is no doubt that unless you have government spies on your case, you can argue that good old fashioned phone service provides an adequate amount of privacy, but it all depends on the attacks. My parents get scam callers every day on their home telephone, but never on their mobile devices. Different scams for different communications technologies.
Don’t forget about the way POTS works. Even if the Cell towers go down and the electricity goes out your standard landline phone will still have power and still function as power for the connected phone comes through the landline. (If FIOS is your land line disregard).
In addition, 911 location services work best with a landline. If you are concerned about being able to contact EMS in an emergency and have them locate you quickly if you can’t talk, a landline is still your best option.
Remember, security is about more than privacy. I would never recommend to a senior citizen or someone who may have more of a chance of needing EMS that they ditch their landline.
This used to be true, but it is less and less true every day. So much of our “POTS” service is dependent on digital technologies that don’t always have redundant power that it isn’t holding up well with age. Even worse, most phone companies are price gouging the elderly for this essential service. In my locality it is $60 just for a dial tone. Sad.