TRUTH: IoT devices are cool!
TRUTH: IoT devices are becoming more mainstream!
TRUTH: IoT devices can be security nightmares!
What is an IoT device? IoT or "Internet of Things" devices are all of the neat devices that connect to the internet, normally through your home network. Internet connected thermostats, light bulbs, light switches, Amazon Echo, etc. They're really useful and can be really fun but also can be REALLY unsecure.
The beauty of IoT devices is their simplicity. Plug them in, turn them on, download an app and off you go. That's also what makes them so dangerous. Manufacturers are concerned with speed to market and don't necessarily have security as a top concern. This was evidenced by an October 2016 attack where 100,000 virus-infected IoT devices took down a major internet provider and and disrupted internet access for a large part of the country be flooding the network with traffic.
So should we give up using these devices? Of course not. Security is (almost always) the key! Here are a few recommendations to help keep them secure. WARNING: These are a bit technical in nature.
- Keep them off of your network: If your home router supports a "guest network", connect your IoT devices to that network. This will segregate them to a different network than your home devices. This won't secure the IoT device from attacks as mentioned but it will at least help protect your home network from hackers should the device be compromised.
- Disable Universal Plug & Play: Disable the Universal Plug & Play feature of your home router. This is used by most IoT devices if available but generally unnecessary. Universal Plug & Play opens up holes in your firewall that could increase the attack surface of the device.
- Change the default user name and password: If the device allows, change the default credentials. This was one of the major flaws that allowed the October attack.
- Update the devices: If your device has an "update" function, be sure to set it to auto or manually check for updates on a monthly basis. As vulnerabilities are found, device manufacturers generally fix them through online updates.
If you're not familiar with your router settings this may require a call to your internet provider or pulling the manual for your device from the internet. But these things should help keep your devices from becoming a problem.
At this point I would not recommend having any of these cool devices in a business. Last year a couple of researchers showed that it was possible to infect an internet-connected thermostat with Ransomware. They could lock the device, turn the heat up to 99 degrees and demand a ransom before releasing control the device! It only took two evenings from start to finish to develop the hack! There's no telling what type of control and internal hacks are possible at this point on any of these devices. If you MUST have one in a business there is NO question that it needs to be placed on a completely separate network from your production network.
If you have any questions or comments, please leave them in the comments below.
Until next time!