I’ve recently had the opportunity to purchase some “smart” devices that everyone seems to be referring to as the Internet of Things (IoT).
If you ignore the cool-sounding name, however, an IoT device is really just another computer, but one where you don’t have much say in what software runs on it, or whether it can be patched properly, or even secured at all.
Intriguingly, we often like to poke fun at these devices – after all, what are you really going to do with an internet-enabled kettle? – and to remind everyone else that we don’t need them, even as we rush out and buy them because we like them.
I know plenty of security people who have smart light bulbs, thermostats, cameras and security systems: we love our gadgets, and we can’t resist playing with new technologies to see how they might be used and abused.
But can you join the IoT craze without having your devices turned against you?
Here are 7 tips to help you stay safe:
- Many smart things support Wi-Fi so that you don’t have to plug them into your smartphone or computer every time you want to use them. If your home Wi-Fi router allows you to create separate guest networks to keep untrusted visitors off your regular network, make a special guest network for your “things” and connect them there.
- Many devices, such as video cameras, try to talk to your router to open up inbound holes so they can accept connections from outside. This makes it easier to access them from the internet, but it also exposes your devices to the rest of the world. Turn off Universal Plug and Play (UPnP) on your router, and on your IoT devices if possible, to prevent this exposure. Don’t assume that “no one will notice” when you hook up your device for the first time. There are specialised search engines that go out of their way to locate and index online devices, whether you wanted them to be found or not.
- Keep the firmware up to date on all of your IoT devices – patching is just as important as it is on your PC. It can be time consuming to figure out whether updates are available, but why not make a habit of checking the manufacturer’s website twice a year? Treat it like changing your smoke detector batteries: a small price to pay for safety and security.
- Choose passwords carefully and write them down if needed. Complexity is important, but so is uniqueness. Many IoT devices have been found to have bugs that let attackers trick them into leaking security information, such as giving away your Wi-Fi password. Remember: one device, one password.
- Favor devices that can work without the cloud. IoT “things” that require a cloud service are often less secure, and potentially give away far more information, than those you can control entirely from within your home. Read the packaging carefully to determine whether permanent internet access is needed for the device to function. If it’s “all-or-nothing,” then you can’t try out the device on your own network first.
- Only network devices as much as you need to. If all you want from your TV is to watch broadcast television, you don’t need to connect it to the network at all. If you only want to control it or stream to it from your home network, it doesn’t need access to or from the outside. Eliminate unnecessary internet connections when possible.
- Don’t take your IoT devices to work or connect them to your employer’s network without permission from IT. Insecure devices could be used by attackers as a foothold into the organisation, and used to assist with data stealing and illicit surveillance. You could put your company and your job at risk.
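Tip 2 above says to turn off UPnP; the script below is a way to check that the change took, added here as an example and not code from the original article or from Sophos. It sends a single standard SSDP M-SEARCH to the UPnP multicast group for the router's Internet Gateway Device service (the service that port-mapping requests from cameras and similar devices go to) and lists whatever answers. An empty result after you disable UPnP is what you want to see. The multicast address, port and search target are the ones from the UPnP specification; `SAMPLE_REPLY` is a constructed reply of the shape a UPnP-enabled router returns, not captured from any real device, so the parser can be exercised offline.

```python
import socket
from typing import Dict, List, Optional

# SSDP multicast group and port from the UPnP Device Architecture specification.
SSDP_ADDR = ("239.255.255.250", 1900)
# Search target for the router's Internet Gateway Device: the UPnP service that
# accepts "open this port for me" requests from devices on the LAN.
IGD_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(target: str = IGD_TARGET, mx: int = 2) -> bytes:
    """Build one SSDP M-SEARCH request for the given search target."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",            # seconds a responder may wait before replying
        f"ST: {target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse an HTTP-style SSDP reply into lower-cased headers.

    Returns None for anything that is not a '200 OK' reply, so stray traffic on
    the multicast group is ignored rather than reported as a UPnP device.
    """
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def discover_upnp(timeout: float = 3.0, target: str = IGD_TARGET) -> List[Dict[str, str]]:
    """Multicast one M-SEARCH and collect every valid reply until the timeout.

    An empty list means nothing on this network advertises the target service,
    which is the expected result once UPnP has been disabled on the router.
    """
    found: List[Dict[str, str]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        sock.settimeout(timeout)
        sock.sendto(build_msearch(target), SSDP_ADDR)
        while True:
            try:
                data, (addr, _port) = sock.recvfrom(65507)
            except socket.timeout:
                break
            headers = parse_ssdp_response(data)
            if headers is not None:
                headers["_from"] = addr   # IP address of the responding device
                found.append(headers)
    return found


# Constructed sample reply in the shape a UPnP-enabled router sends; the
# addresses and identifiers are documentation values, not a real device.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleRouter/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    responders = discover_upnp()
    if not responders:
        print("No UPnP Internet Gateway Device answered: UPnP looks disabled here.")
    for r in responders:
        print(f"UPnP IGD at {r['_from']}: SERVER={r.get('server', '?')} "
              f"LOCATION={r.get('location', '?')}")
```

Run it from a machine on the same Wi-Fi network as the router, once before and once after disabling UPnP in the router's settings. If a device still answers afterwards, the `LOCATION` header tells you which host is advertising the service, which is usually a second router or access point that also needs the setting turned off.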
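Tips 3 and 4 (check for firmware twice a year; one device, one password) are easier to keep up with if you keep a small inventory and let a script nag you. The following is an added example, not code from the original article or from Sophos. It generates a fresh random password per device, records only a keyed fingerprint of each password (HMAC-SHA256 under a key kept outside the inventory, so the inventory file reveals nothing if it leaks but still shows when two devices share a password), and flags any device whose firmware has not been checked in roughly six months. The device names, dates and passwords in `INVENTORY` are constructed for the example; the key value is a placeholder to be replaced.

```python
import hashlib
import hmac
import secrets
import string
from datetime import date, timedelta
from typing import Dict, List

# Placeholder: in real use keep this key in a password manager, not beside the
# inventory, so the fingerprints below cannot be checked offline by anyone else.
FINGERPRINT_KEY = b"replace-with-a-random-key-stored-elsewhere"


def password_fingerprint(password: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed hash of a password: equal fingerprints mean equal passwords,
    but the inventory never has to store the password itself."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def new_device_password(length: int = 20) -> str:
    """Fresh random password for one device (one device, one password).
    `secrets` uses the OS CSPRNG, which is what makes each one unguessable."""
    alphabet = string.ascii_letters + string.digits + "-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_inventory(inventory: List[Dict], today: date,
                    max_age: timedelta = timedelta(days=183)) -> Dict[str, List[str]]:
    """Return {device name: [problems]} for reused passwords and for devices
    whose firmware has not been checked within max_age (about twice a year)."""
    findings: Dict[str, List[str]] = {}
    first_owner: Dict[str, str] = {}   # fingerprint -> first device seen using it
    for dev in inventory:
        problems: List[str] = []
        fp = dev["password_fp"]
        if fp in first_owner:
            problems.append(f"password reused from '{first_owner[fp]}'")
        else:
            first_owner[fp] = dev["name"]
        if today - dev["last_firmware_check"] > max_age:
            problems.append("firmware update not checked for more than six months")
        if problems:
            findings[dev["name"]] = problems
    return findings


# Constructed inventory: made-up devices, dates and passwords for the example.
# Two devices deliberately share a password so the reuse check has something to find.
INVENTORY = [
    {"name": "hall camera", "password_fp": password_fingerprint("Summer2016!"),
     "last_firmware_check": date(2015, 4, 1)},
    {"name": "thermostat", "password_fp": password_fingerprint("Summer2016!"),
     "last_firmware_check": date(2016, 1, 10)},
    {"name": "kitchen bulb", "password_fp": password_fingerprint(new_device_password()),
     "last_firmware_check": date(2016, 2, 20)},
]


if __name__ == "__main__":
    for name, problems in audit_inventory(INVENTORY, date(2016, 3, 1)).items():
        print(f"{name}: " + "; ".join(problems))
```

When you set a device up, call `new_device_password()` for it, store the password in your password manager (or write it down, as the tip says), and put only `password_fingerprint(...)` and today's date in the inventory. If a device later turns out to leak its credentials, the fingerprint check tells you immediately whether any other device was using the same password and needs changing too.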
Of course, please don’t forget that lists like this are, of necessity, incomplete – after all, security is a journey, not a destination, so don’t imagine that this is our last word on IoT security.
In fact, we’re hosting a Security SOS week, consisting of a series of five daily webinars featuring Sophos security experts, from 14-18 March 2016. (2pm UK time, 10am EDT, 7am PDT.)
The webinars last half an hour each, and we’ll be focusing on the IoT in Friday’s webinar. (18 March 2016.)
We’d love you to join us…it’s free.