A beginner’s guide to Internet of Things security.
The Internet of Things connects common household items to the Internet — like light bulbs, thermostats, refrigerators and TVs — and it’s revolutionary.
An Internet-connected refrigerator can order milk for you when you’re running low. A smart TV can listen to voice commands and find the latest episode of Game of Thrones for you to watch. Wi-Fi-connected security cameras and thermostats can monitor your house or business to alert you when there’s a problem.
As with any technology connected to the Internet, it’s also given rise to incredibly challenging security concerns, thanks to the fact that many of these devices feature outdated security technology and easy-to-hack default passwords.
A few years ago, a hacked smart refrigerator started sending out spam — an incident hilariously parodied on HBO’s Silicon Valley.
Even more menacingly, last October millions of Digital Video Recorders (DVRs), closed-circuit video cameras and other IoT devices around the world were enlisted in a gigantic botnet, which hijacked open ports on devices with poor security settings in order to launch a massive DDoS attack.
So, short of banning these devices from your home and office (which will soon be impossible, given how common they’ve become), how can you minimize risks and maximize security?
Those infamous DDoS attacks
The first thing is to understand what the most common IoT hacks are, and how they’re being used to cause chaos.
DDoS attacks are at the top of that list. These “Distributed Denial of Service” attacks are used by hackers to overwhelm and disable websites by directing an incredible amount of requests and traffic at them. This type of attack can take your website offline, or offer other opportunities for the hacker to take advantage of the site and exploit its vulnerabilities. In some cases, your Internet-connected devices could be used against others, though you could also be exposed further to risk.
In order to do this, hackers install software on devices without the owners’ knowledge. This allows them to take control of the device, turning it into a ‘zombie’ within a larger ‘botnet’ that they also control.
Desktop and laptop computers were the traditional targets of DDoS hackers, but the lax security — and sheer numbers — of IoT devices have made them a popular option.
To build their ‘botnets,’ hackers use a software tool called Mirai that constantly scans the Internet looking for thermostats, security cameras and other IoT devices that they can access. Then it tries to log on using the device’s default usernames and passwords. Most people don’t think to change the password on an appliance, so it’s easy pickings.
Even a tea kettle can provide a backdoor into your network
DDoS attacks aren’t the only danger, of course. Since Internet-enabled devices are part of your network, they can also be used as a backdoor to gain access to that network.
At BlackBerry’s Security Summit in 2016, a pair of enterprise security specialists called “white hat hackers” demonstrated how to hack an Internet-connected tea kettle in order to compromise a company’s network and gather sensitive data.
“The IoT device we have here is a tea kettle. It could be anything — could be a fridge, blender, juicer, physical access control systems, industrial control systems — those all fall into the IoT category as well,” said Campbell Murray, Technical Director at BlackBerry.
The duo then walked the audience through a live demo of their hack, and how it could impact your business operations. By sitting in a parked car near your home or office, they showed how a hacker could easily create an identical network to yours and trick the tea kettle into logging onto the fake network. Then, the tea kettle gives the hacker your network password, and the hackers can do their dirty work — intercepting unencrypted email packets and sensitive data. And this is all performed completely incognito, without anyone knowing the hackers were ever present.
Going a step further, if the IoT device has a camera or microphone, evildoers could use it to spy on your operations. WikiLeaks reported that the CIA has created software designed to use Samsung Smart TVs to surreptitiously listen in on people’s conversations — a hack that could also be exploited by corporate spies. They even published the manual on how to do it.
You’re also potentially at risk if hackers can harvest the data gathered by these devices in order to use them against you. By looking at when smart light bulbs turn on and off, and when thermostats go into ‘home’ or ‘away’ mode, a hacker could tell if you’re home or not — or learn your usual patterns. Based on that information, they could stage a break-in when you’re not around or when the office is vacant.
How do you protect yourself?
According to a report prepared by the US Department of Homeland Security, there are steps you can take to better protect yourself from cybercrime. However, the report notes there is no “one size fits all” solution, and many of their recommendations fall at the feet of device manufacturers who need to do a better job at building security into their devices.
With that in mind, you can still try to improve the security of your IoT devices at home and in your business:
- Change the default username and password on every device possible. When you create new passwords, make them robust and hard-to-crack by incorporating random numbers, uppercase, lowercase and symbols.
- Search for software and firmware updates for the devices. Last fall’s IoT DDoS attacks highlighted the dangers of these devices, so many manufacturers have been scrambling to make their firmware more secure. Unfortunately, efforts to patch those security holes can sometimes fail, as was the case for a Chinese DVR manufacturer that was majorly impacted by the botnet. No matter how secure you think you are, it’s crucial to double check your updates.
- Make sure you have an active firewall and use port forwarding to protect your IoT devices, rather than just letting them connect directly to the Internet themselves.
- Use a separate network for your IoT devices so that they won’t be connected to your main network. That way, hackers can’t easily access sensitive data through the devices. Most routers allow you to create a ‘guest network,’ which should suffice for small businesses.
- Turn off UPnP (Universal Plug and Play). This protocol is more typical in a residence or smaller office, and is designed to make it easy to set up devices to discover each other’s presence on a network. UPnP allows devices like computers, smartphones, printers and Wi-Fi access points to communicate with your router in order to open up ports as needed to access the Internet. But that can lead to the devices opening up insecure connections you have no control over.
- Don’t allow employees to bring their Internet of Things devices from home into your office. That one little device could ruin all the work you’ve done protecting your network. If you do allow this activity, make sure you have a policy in place that everyone in the company can follow.
And finally, and if you’re worried that your smart TV or appliance is spying on you and sharing your information with a secret agency, just update your privacy settings.
Up Next: Check out some of the coolest IoT devices hitting the market.
Featured image via Your Best Digs (adapted)