The Internet of Things (IoT), as a term, has been bandied around a lot over the last few years.
Many people – even those that work in the technology sector – are still unclear on what IoT really means.
In this blog series, we will define IoT, talk about why infosecurity experts are concerned, and delve into some of the issues facing both providers and consumers.
We’ll also provide some practical recommendations for both parties:
- Consumers of IoT devices: Tips for choosing the right IoT devices and advice on how to setup the network and implement security features to better protect you from cyber ne’er-do-wells.
- Producers of IoT devices. Considerations for improving security in your IoT devices.
The point? Most IoT devices are not nearly as secure as they should be… Producers are racing to get them on the market first, and many a consumer is racing to install them in their homes.
But let’s back-step a little….
What does IoT really mean?
So here is an easy explanation of what falls under the IoT umbrella. IoT refers to any device that connects to the internet. These devices might also be referred to as Smart Devices.
Now, in order to connect to the internet, the device – be it a phone, computer, fridge, thermostat, toy or security camera – must have its own Internet Protocol (IP) address.
So, if a device connects to the internet, and has its own IP address, it is known as a Smart Device, and is part of the IoT family.
Why are IT security experts so worried about IoT?
There are a number of reasons why the information security community – me included – are seriously concerned about how IoT devices are currently being developed and produced.
One, IoT technology is still in its infancy. Many firms creating these devices are indeed intelligent, conscientious and ambitious. Unfortunately, too few have real cybersecurity and privacy expertise on hand.
Two, (and this is related to the point above) there is massive competition in the IoT world. Today’s innovators and producers of these devices are racing against each other to secure market share.
What can I do to help protect my IoT devices?
Early adopters of IoT devices would be wise to look into adding additional layers of security and privacy when they connect these devices to their personal or business Wi-Fi networks, if only to help compensate for any shortcomings on the part of the provider.
7 handy tips BEFORE you buy/install an IoT device…
Here is a handy list of recommendations to help you better protect you from insecure IoT devices messing up your home network environment.
- Ensure the IoT device can be updated. Before you purchase an IoT device, ensure that it can receive software and firmware updates from the provider. If there is no way for the device to accept updates, consider looking at the competition.
- Change the default password of the IoT device. Make sure the device lets you change the default password upon installation. And then be sure to make this password unique. Write it down on a physical piece of paper if you need to, and keep it safe, or use a reputable online password manager like LastPass, OnePass or KeyPass to manage your passwords.
- Put IoT devices on a separate network. If possible, set up a secondary Wi-Fi network, (or a guest network) for all your IoT devices, such as televisions, fridges, thermostats, smoke detectors, baby monitors, etc. This is a separate network, effectively walled off from the one used for computers, tablets and devices by trusted individuals. If someone does get access to this guest network, they will not be able to snoop on your more sensitive or confidential communications and researches.
- Use a unique email address for IoT device updates and communications. Set up an email account for your IoT devices and ensure you are signed up to receive security email or mobile updates. This is where you will learn if a firmware or software update is required.
- Install updates ASAP. Make sure to update the IoT device as soon as possible. Do not delay in these updates. In some instances, it can be a race against the would-be infiltrator.
- Universal Plug and Play (UPnP) is a set of network protocols that permit networked devices to discover each other’s presence seamlessly. Turn off uPNP on the router so that IoT devices cannot find and connect to each other.
- Don’t use Wi-Fi unless you need to. Consider hard wiring the device rather than connecting to your Wi-Fi. Relying on a physical connection means that would-be Wi-Fi sniffers won’t be able to find the device.
If you are developer or provider of an IoT device, check out IoT Developers: checklist for building more secure Smart Devices.
How TBG Security can help
TBG Security provides quality penetration tests and risk assessments tailored to your specific needs. Whether you are a governing body, a financial institution, an insurer, a legal or accountancy firm, or a online provider, we can help.
Get in touch. We can chat about your needs and help you figure out the best approach for you.