#NCSAM: How Can Consumers Boost the Security of IoT Devices?

The global surge in home-based Internet of Things (IoT) devices seen in recent years should be a cause for celebration. Essentially electronic devices that connect wirelessly to a network, they have undoubtedly enriched the lives of many people; common examples include smart watches to monitor heart rates and breathing, smart refrigerators and TVs and virtual assistants. For many, this offers convenience in their everyday lives, but for others, such as those living with disabilities, they can be life-changing.

It is currently estimated that the average US household has more than 10 devices connected to the same Wi-Fi network, while the total number of IoT connections is predicted to reach 83 billion by 2024, up from 35 billion in 2020.

Keeping these technologies safe from cyber-criminals is a major issue, both due to their burgeoning popularity and their known security weaknesses. Ken Munro, partner, Pen Test Partners, commented: “IoT was the wild west of security five years or so ago. Products were rushed to market with little thought for security; rushing to get ‘first mover’ advantage in the market. Product development was stuck in the ‘mobile app’ mindset – fix issues in the field later, which doesn’t really work for hardware.”

Attacks have manifested in a number of ways, ranging from data theft to more dystopian scenarios such as spying or listening in on people in their homes through devices like smart cameras. “Voice assistants, home monitoring cameras and digital controls for heating move the risk beyond the loss of personal or financial data, to infiltration of your most intimate conversations or impacting your physical safety in the home,” noted Phil Packman, CISO, commercial contracts for BT Security.

Mike Nelson, VP of IoT security at DigiCert, added: “The first and most common threat is hackers trying to gain access and control of a device. Intent in these scenarios isn’t always the same – some may be doing it just to prove they can, while others may have more malicious intent. The second common threat is hackers capturing sensitive data being generated by IoT devices, and using that data in nefarious ways. Finally, we commonly see hackers trying to get malware or ransomware onto a device to cause havoc by disrupting the device’s performance.”

This year’s National Cybersecurity Awareness Month is focused on enhancing the security of IoT devices, and in particular, emphasizing the role individual users can play in this regard, with a theme of “Do Your Part. #BeCyberSmart.” It is also worth noting that IoT device security has taken on even greater relevance during the COVID-19 global pandemic, a time when people have become increasingly reliant on such technologies at home both for work and entertainment. This is therefore making IoT security more important in the protection of organizations as well as individuals.

Gorav Arora, data protection technology director at Thales, commented: “Over recent years, the explosive growth of IoT devices in homes, in addition to the billions of devices playing essential roles in enterprise, has meant that the threat surface area for hackers to exploit has increased. The COVID-19 pandemic has also accelerated the rise of remote working, forcing the mix of business, school and home networks. In many instances, organizations pivoted to wholly virtual workforces without notice, leaving IT departments with little oversight as to the security practices and configurations being used by workers, who may now be accessing enterprise networks via personal devices.”

Encouragingly, governments and other authorities around the world are increasingly taking strides to introduce guidance and legislation that set out minimum security standards for IoT device manufacturers. Nevertheless, there are a number of simple actions that individual users, even those with minimal cybersecurity knowledge, can take to drastically reduce the risk of being attacked through their IoT devices.

Jamie Randall, chief technical officer of IASME, said: “Most attacks against IoT devices take advantage of basic security issues, such as default passwords and device software which hasn’t been recently updated. In particular, there has been a rise in malware focussed on IoT devices such as the Mirai and Mozi botnets which initially targeted routers but expanded to other devices such as internet-connected cameras.”

Taking the following actions will go a long way in reducing the risk of IoT cyber-attacks occurring.

Undertake Product Research

Conducting due diligence when purchasing an IoT device is the first, and arguably most important, step, and selecting companies with a proven track record in this area is advisable. “By and large, smart devices from reputable brands tend to be more secure,” said Munro. “They certainly had their fair share of security issues in the past, but also had the resources to acknowledge and fix the problems. Smaller one-product startups tend to have more problems, as they don’t have the scale and resources to draw on to resolve security flaws.”

Daniel Norman, senior solutions analyst at the Information Security Forum, suggested that consumers should also ensure their products come from manufacturers which automatically update or patch devices, and “if this is impossible then individuals should proactively try and seek out vulnerability forums online and regularly assess whether exploits and vulnerabilities have been exposed in the media.”

Paul Ducklin, principal research scientist at Sophos, added: “If the vendor cannot reassure you about security updates, consider switching products to a vendor that does.”

A further step consumers can undertake at the pre-purchase stage is to discover whether the manufacturer in question is adhering to certain security standards. Norman added that many IoT manufacturers are now making this kind of information available on their product’s packaging.

Changing and Updating Passwords

Once an IoT product has been purchased, the first action should be to change its default password, a measure that is often neglected. Packman noted: “Ensure that you change the default password and any other insecure settings when you buy a new device, as some default log-in credentials can be easily guessable by attackers (i.e. ‘admin1’/‘password’).”

To maintain high password security, consumers should get into a habit of repeating this action regularly. Heather Paunet, senior vice-president of product management at Untangle, explained: “Changing your password every 15 to 30 days may seem like a chore, but keeping your network security fresh will also keep those devices connected to this network safe as well. Changing your password to a complex arrangement of numbers, letters and symbols will ensure that criminals trying to hack into your network cannot easily guess the combination and gain access to the data from your IoT devices.”

Where available, it is also highly recommended that consumers enable two-factor authentication (2FA), ensuring an extra security code has to be provided to gain access to the device, often via mobile phones. This adds an additional layer of security should a password be breached.

Divide Your Home Network

Another option available to users is to separate the network which IoT devices are connected to. “Some home routers let you split your Wi-Fi into two networks that can be managed separately. This will allow you to put your home IoT devices on a ‘guest’ network and keep your home or work computers on another,” noted Ducklin.

This essentially adds a protective layer around devices such as work laptops and mobile phones. Paunet explained: “If any of the IoT devices were to get compromised, then all the other devices on the network would not be affected and remain safe.”

Implementing such a divide and conquer strategy is especially important given the increasing overlap between work and leisure arising from the shift to remote working in many organizations. “Placing the devices on a separate network will prevent your device from becoming a backdoor to your business, school or personal network, and ensure a greater degree of security,” said Arora.

Removing Network Connections

Keeping the attack surface area as small as possible is another good rule of thumb. Firstly, users should continuously be asking themselves which of their home IoT devices are needed at any one time, according to Ducklin. He said that if a device is not required “consider removing it from your network. Or if you do not need it listening in or activated all the time, consider powering it down when you are not using it. (Simply unplugging it from the wall socket is often all you need to do).”

Additionally, not all home smart devices have to be connected to home networks, a fact that many consumers will be unaware of. Brandon Hoffman, chief information security officer at Netenrich, said: “The thing most home users probably don’t realize is that their Wi-Fi network can be used to control their devices and interact with them, without having to let them access the internet. That device the internet service provider gave you, it creates a network in your house and also simultaneously provides internet access.”

He added: “You can decide which of the devices on Wi-Fi can get out to the internet. Want to control your lights, monitor your stove, turn on your coffee maker? None of those tasks need the internet but those devices can stay on your home network and still perform those tasks.”

Keep Tabs on External Devices

When friends and family come to visit, they will often connect personal devices to that new home network, which can potentially compromise it if their device has already been hacked. Paunet therefore recommended: “As you are making password changes, also audit the devices that are connected to your network. ‘Forget’ any device that will not be regularly connecting to your network to ensure that your device list is clean.”

Another simple action consumers can take is setting up device notifications to alert them when a new device is attempting to connect. Paunet added: “These notifications should be activated at all times so you can see who is attempting to connect to your network. Only approved devices should be allowed to connect. If you do not know the owner, or if the device is not familiar, then you are able to stop any unauthorized access before it can begin.”
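
The device audit described above, combined with the earlier advice to keep IoT devices on a separate network, can be automated on routers that expose their DHCP lease table. The following is an added example, not part of the original article: it assumes a lease file in dnsmasq layout, and the subnets, MAC addresses and approved-device list are constructed for illustration.

```python
import ipaddress

# Constructed sample, dnsmasq lease layout: <expiry> <MAC> <IP> <hostname> <client-id>
SAMPLE_LEASES = """\
1700003600 aa:bb:cc:00:00:01 192.168.1.10 work-laptop 01:aa:bb:cc:00:00:01
1700003600 aa:bb:cc:00:00:02 192.168.2.20 smart-tv *
1700003600 aa:bb:cc:00:00:03 192.168.1.30 ip-camera *
1700003600 AA:BB:CC:00:00:99 192.168.2.41 * *
"""

# Assumed layout: a main network plus a separate guest/IoT network.
SEGMENTS = {
    "main": ipaddress.ip_network("192.168.1.0/24"),
    "iot": ipaddress.ip_network("192.168.2.0/24"),
}

# Assumed allowlist: MAC -> (device name, segment it should be on).
APPROVED = {
    "aa:bb:cc:00:00:01": ("work-laptop", "main"),
    "aa:bb:cc:00:00:02": ("smart-tv", "iot"),
    "aa:bb:cc:00:00:03": ("ip-camera", "iot"),
}

def parse_leases(text):
    """Yield (mac, ip, hostname) for each well-formed lease line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        try:
            ip = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # not an IP address, ignore the line
        yield fields[1].lower(), ip, fields[3]

def audit(text):
    """Return (kind, mac, ip, detail) for unknown or misplaced devices."""
    findings = []
    for mac, ip, host in parse_leases(text):
        if mac not in APPROVED:
            findings.append(("unknown-device", mac, str(ip), host))
            continue
        name, expected = APPROVED[mac]
        actual = next((n for n, net in SEGMENTS.items() if ip in net), None)
        if actual != expected:
            findings.append(("wrong-segment", mac, str(ip), f"{name} on {actual}"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_LEASES), sep="\n")
```

On the sample data this reports the camera that has ended up on the main network and the one device that is not on the approved list.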

“Do Your Part. #BeCyberSmart”

Consumers should take comfort from the fact that IoT devices are becoming more secure, with manufacturers getting better at removing security flaws in addition to growing regulatory oversight on the development of these products. However, as with many aspects of cybersecurity, the failure of individuals to take basic security steps, such as updating passwords, provides unnecessary opportunities for cyber-criminals.

Although regularly undertaking such actions may appear to be a source of frustration and inconvenience, they can easily be formed into everyday habits. When considering that these measures could be the difference between the success and failure of a cyber-attack, they are very much worthwhile endeavors.
