IoT Devices and Security
Let’s start with a funny story. A few years ago, I was shopping at my local big box hardware store for a new whole-house hot water heater. The sales associate tried to convince me to upgrade to an internet-connected hot water heater for an extra $50.
I asked why I would want it connected to the internet. Would it send an alert if it started to leak? No. The answer? So, I could adjust the temperature of the hot water heater on my phone.
As a homeowner, I laughed and said thank you, but no thank you. Have you ever changed the temperature of your home’s hot water heater after it was installed? I know I never have, and I certainly don’t need a dedicated smartphone app to allow me to do so. To be fair, if I owned a rental property that was inconvenient to visit regularly, I could see an argument for this remote temperature control.
As a security practitioner, I shuddered at how few people weigh the convenience versus the risk of connecting a device to the internet. Consider the message of a recent presentation at the 2018 Usenix Security conference in Baltimore by Princeton University’s Saleh Soltan, Prateek Mittal, and H. Vincent Poor. The researchers showed how an “Internet of Things” botnet attack on only a small percentage of high-wattage devices (such as 5,000-watt electric hot water heaters) can cause major disruptions to the power grid—the power grid so much of our modern-day lives depend on.
What is an “Internet of Things” (IoT) device? Also known as “smart” devices, IoT devices are anything that communicates over the internet to send or receive data. IoT devices include wearables such as the Fitbit and Apple Watch; smart home electronics such as internet-connected thermostats and door locks; smart appliances such as clothes dryers, refrigerators, robotic vacuums, and even internet-connected coffee makers.
When you buy a car, you consider factors such as reliability and safety. As the owner, you’re responsible for the general maintenance of the vehicle—either through scheduled maintenance with a dealer or local mechanic, or by doing the maintenance yourself.
When you buy a new computer for your house, you are responsible for installing the typical antivirus programs, practicing safe web-browsing habits, and maintaining software and firmware patches.
The same types of factors and maintenance apply when you buy an IoT device. As an end consumer, you are responsible for doing your research, ensuring that you’re buying a safe and reputable brand, and maintaining the device through software and firmware updates.
The problem is twofold. First, IoT device manufacturers are incentivized to get to market. They are not incentivized to ensure that their device is secure. Second, most consumers do not understand or have the skill to research and maintain their IoT devices.
Evaluate convenience versus risk.
Do you need the device to be connected to the internet? What is the risk if it gets compromised? Can you use the device without connecting it to the internet? For example, does a hot water heater really need to be connected to the internet?
Assess your home network.
Understand what devices are on your network and ensure that they are legitimate. If your router supports it, set up different networks for different types of devices. Set up a guest network so guests cannot access your personal computers. Set up a network for only IoT devices so they can access the internet, but not talk directly to your local computers, etc.
Use encrypted communications.
Validate that a company’s product uses a modern, industry-accepted encryption standard for all internet communications.
Change default usernames and passwords.
Start with your router, your Wi-Fi printer, your thermostat, etc.
Use a password manager.
These tools will help you create unique, complex, and (ideally) randomized passwords to secure your devices.
Add a layer of protection.
Turn on multi-factor authentication or two-factor authentication everywhere it’s offered—devices and controllers, banks, 401(k) sites, and shopping websites.
Set up scheduled reminders (boots versus sandals season) to check whether device manufacturers have released updates to software, drivers, or firmware—and apply any available security updates.
Use a virtual private network.
Use a VPN when you’re away from the house, especially if you’re communicating back to an IoT device at home. A VPN will reduce the risk of someone stealing your credentials while you’re using public Wi-Fi. VPN software is available for all computers and smartphones. Do your research
to ensure that you’re using a trusted VPN solution.
Don’t get phished!
Learn how to spot phishing emails. This is the No. 1 way bad actors gain access to your network and devices.
I know someone who spent a month on the phone with Google trying to get details on the encryption used for his new Nest thermostat before he was willing to allow it access to the internet. While that may be a bit extreme for most people, I strongly urge you to do your research and not be swayed by marketing when it comes to security.
Unsecured devices are very easy to compromise. Free websites such as Shodan.io provide a familiar search engine interface that will allow you to find unsecured devices—everything from IP-enabled baby cameras, game servers, thermostats, and robotic vacuums to home assistants like Alexa and Google Home. It will even identify critical computer-controlled utility infrastructure devices for electrical, gas, or water supplies.
The majority of these exposed IoT devices can be hacked. Sure, hackers could use these devices to spy on you. But hackers are more interested in using the devices to conduct denial-of-service attacks against major corporations. They use IoT devices to gain access to other devices (e.g., your laptop or tablet) in your home, or at your office, to steal credit card information, send forged money wiring instructions, etc.
The typical consumer considers IoT devices to be innocent and does not recognize the potential threats and vulnerabilities. While the common individual is not a typical target, hackers choose targets for both ease of attack and to gain access to specific individuals and corporations.
For example, the CEO of a small widget supplier may not seem like a large target. However, a hacker may choose to target the CEO in order to infiltrate a large, multinational corporation or political organization that they supply.
Security is a complex and multifaceted concept that most people do not understand or want to deal with. As a consumer, or in your business role, you must figure out what you are willing and able to do given your interests and risk tolerance.
Consider the major inconveniences that can occur when something bad happens. Security is big business these days. There are lots of tools and credible organizations that can help you manage your risk and exposure.
The list above is not intended to be fully comprehensive or prescriptive, but it’s a great place to start researching and implementing best practices for you, as a consumer, to protect yourself and your IoT devices. A quick internet search on any of these items will unearth a trove of educational and instructive materials.