By Peter French, Synapsys Managing Director
The Internet of things (IoT) mega-trend can seem very space age and futuristic, a bit like hoverboards or Jetsons-style robo-butlers. It’s often mentioned in the context of brain-befuddling trends such as cloud computing, big data and analytics, and artificial intelligence. And when you dig into what it is – machines talking to other machines via the Internet – it seems quite distant to our daily lives.
But the reality is that most of us have some form of IoT device in our homes today, from smart TVs and speakers, security cameras and home automation devices to gaming consoles. Almost by stealth, something that seems very out there and a long way away is actually right next to us, right now. And along with the incredible usefulness and entertainment value of these devices comes a range of security concerns that you should know about, and protect yourself from if necessary.
There have already been a number of security incidents involving smart devices, from hackers accessing security cameras and harassing people, to kids’ smart watches that allow anyone to see the child’s location and personal information, to the CallStranger vulnerability that allows hackers to steal data, scan networks and launch distributed denial of service (DDOS) attacks via popular home and corporate IoT devices.
What you can do to protect yourself
1. Do your research
Before bringing any device into your home, do your research using independent third-party resources such as IT security organisation, AVTest’s dedicated IoT site. This means that at the very least you will be aware of the threats that exist, and at worst, you may decide to avoid that device. But, more than likely, you’ll land somewhere in between: doing what you can to manage the threat according to your specific situation.
2. Be wary of zero security incidents
Any legitimate IT company is transparent about its security incidents and rapidly tells users what it has done to repair any damage and stop the threat. Security vulnerabilities are inevitable, so it is reassuring to see that a company is serious about patching them quickly. Take a look at Cisco or Microsoft’s security advisory pages for good examples. A company that doesn’t do this either doesn’t know about its security issues and attacks, or is not being transparent about them, neither of which bode well for the safety of the IoT device you are bringing into your home.
3. Ensure the device’s firmware is up to date
Not all IoT devices allow you to update their firmware, which would allow you to patch any known vulnerabilities as they are discovered. If the device does not allow updates, you should consider whether you want it in your home and connected to your network. And if the firmware does update, you should, just as with any other IT service, keep it up to date. Advanced users might want to replace the factory-installed firmware in devices like Sonoff smart switches due to concerns about these home automation devices transferring unencrypted data back to servers in China.
4. Disable universal plug and play (UPnP)
As I mentioned in my guide to boosting your home WiFi performance, UPnP is incredibly useful, but it’s often just not viable in the real world, where you can’t be sure all the devices connecting to your network are secure and safe. For instance, the CallStranger vulnerability mentioned above operates via a UPnP callback. To add insult to injury, depending on your router, UPnP might take a while to patch, or it might even not be possible to patch. The best option is to disable UPnP on your WiFi router. This doesn’t mean you won’t be able to use these smart IoT devices, but you might have to spend a bit of time setting up manual exceptions, port forwards or NAT (network address translation) rules. You can Google how to do this, for instance, here and here are instructions on how to set up a static IP address for your Xbox One, and so avoid activating UPnP.
5. Strong passwords and multi-factor authentication
As ever, updated, strong passwords are your first line of defence, with multi-factor authentication adding a double-lock to your security. Also, with shared IoT devices, it’s better to set up unique profiles for every user, rather than sharing a common set of usernames and passwords.
It is not the tech itself that is scary, it’s our lack of understanding of the new that can make it dangerous. And we each need to establish our own threat tolerance based on our individual circumstances and requirements. A very practical example of this is that we might be comfortable adding more devices to our network in the shape of IP-enabled security cameras in order to boost our physical safety. But, at the same time, we should install and set up the Internet-connected cameras in a way that ensures cyber safety.
And you don’t need to become a systems administrator to do this: basic knowledge and some research can help you make an informed choice, and basic security measures can keep you safe.
Finally, these security vulnerabilities seldom start out with malicious intent by the manufacturers. Very often, it is down to something that is overlooked in the race to get a new and exciting product to market, and then criminals take advantage of that vulnerability. Of course manufacturers have an obligation to ship products that are as safe as possible, but for those of us who are early adopters of new technology, this is always something we need to consider, especially as the pace of innovation increases.
This article was first published on ITWeb on 17 July 2020