The Internet of Things is slowly revolutionizing household convenience, but it brings with it numerous security risks. Today, we’ll show you how to lock down your IoT network with powerful VPN encryption. You’ll learn how the tech works, plus gain insight into the best VPN for your needs with our in-depth provider reviews.
Want the short answer? Boost the security of your IoT network with these VPNs:
- NordVPN – Best for Home Networks – NordVPN is the most secure provider in the world, with state-of-the-art NordLynx encryption, myriad specialty servers, and the most robust network on the market. Available on routers and any device you could hope for.
- Surfshark – Unlimited simultaneous connections make router installation unnecessary. Strong tunneling, plus auto-obfuscation for greater anonymity.
- IPVanish – A well-rounded VPN popularly used for torrenting, gaming, and streaming.
Understanding how to secure your IoT devices might be more important than you think. Smart TVs, intelligent bathroom fixtures, connected fridges–it seems like today, everything and anything can be connected. So much so that a new term had to be invented: the Internet of Things. A 2019 study from Avast shows that a whopping two-thirds of American homes contain at least one IoT device, with the trend very much on the rise throughout the world.
What makes a device smart? It has nothing to do with intelligence, real or artificial. What we refer to as smart devices are all these things that connect to your local network, whether through WiFi or sometimes Bluetooth, which can be controlled remotely (often through some sort of web-based gateway).
The popularity of these devices is not surprising. Imagine the convenience of a home where you can access lights, heating, the washing machine or the garage door from a centralized point. Devices such as the Amazon Echo or Google Home hubs, can do just that and improve your security and convenience.
Today, we’ll discover what the threats are and why they are dangerous. We will also discuss what devices are posing the greatest risks and then, we’ll discuss what can be done to secure your IoT devices.
IoT convenience has a price
Unfortunately, by virtue of being connected, IoT devices are also left them open to security risks that are we’re just starting to appear. Chester Wisniewski, a researcher at Sophos–a well-known security firm– suggests to “think of any smart home appliance as a tiny computer. If you can access or control it remotely, someone else can too”.
Threats are everywhere. It has been demonstrated by researchers that by hacking into a single device, hackers can often access an entire home network. It could start from a simple hack of an unprotected security camera and end up with personal data being stolen from your family computer.
As another example, the Ring security camera was hacked to not only hijack the camera, but to allow the hacker to speak to an 8-year-old girl claiming to be Santa Clause. We’ve also heard of this Bluetooth-enabled teddy bear that was designed for kids to receive messages from their loved ones but could be hacked and used for surveillance. And these are just a few examples. We’ll never say it enough, threats are everywhere. This is the price we have to pay to get the conveniences from the Internet of Things.
Some important security issues affecting IoT devices
Of course, most IoT devices run limited operating systems and, therefore, shouldn’t be affected by most of today’s threats. Just like there are not many viruses attacking Linux computers, there shouldn’t be any attacking connected devices, shouldn’t there? It is true but that doesn’t mean they are without risks.
IoT devices often have limited capabilities and are not particularly good when it comes to security. That leaves them open to hacking and they could be used as a way to gain access to other networked devices such as your computers. The main IoT threats are botnets, authentication and data privacy. Let’s explain.
The greatest security risk from IoT devices is not necessarily to us. On the contrary, the greatest risk is to have our IoT devices become part of botnet attacks to others.
A botnet is a group of many devices under the control of a hacker. They can be used to virtually bombard a website with enough requests that it will stop working. And similar distributed denial-of-service, or DDOS, attacks can also target service providers and cause service disruptions. The Mirai botnet attack brought down a good part of the American Internet back in 2016.
The number of DDOS attacks rose by 91% last year and this is largely attributed to growing breaches of smart home devices. Researchers have recently found another spread of the Mirai malware that has infected over 100,000 devices within several days.
Here’s a concrete example. A flaw was found by researchers last year in Hue smart lightbulbs from Phillips. The flaw could have allowed attackers to infect a lightbulb with malware that would spread to other similar devices within a few hundred meters with the potential to eventually affect all such lightbulbs within a city. And once the malware has infected numerous devices, they can be used to launch some DDOS attack.
Internet-attached cameras could similarly become infected and used to upload massive amounts of data to the Internet, effectively rendering part of it unusable. And how about simultaneously turning on tens of thousands of air conditioners in a city with a potential of taking down part of the region’s power grid.
Why are IoT devices so vulnerable to botnets?
The problem with IoT devices being so vulnerable stems for the fact that no one even thought they could become a threat. It has only recently surfaced that these devices could be hacked into. And to make things worse, due to their often limited interfacing capabilities, developers may build backdoors right into their devices to ease their development. And with companies always in a rush to push new technology out to the market, these backdoors are often left even after the development cycle is complete. Another reason is that many users of IoT devices don’t change the default passwords to access their devices or use weak ones.
There’s even a particular search engine that makes it incredibly easy for hackers to find many internet-connected devices. And when their users are still using the default password or an easily cracked one, breaching these devices is a piece of cake.
Security software provider Bitdefender’s Cheif Security Researcher Alex Balan said:
“We’re monitoring about 300 botnets that are made up entirely of IoT devices. Hackers are crawling the internet, looking for vulnerable, connected devices. This is the biggest consequence of unsecured smart home devices – a DDOS attack costs real-life money by disrupting internet service.”
Many IoT devices need to authenticate against other devices or systems. When they do, they must be configured to do it securely. IDs and passwords must be carefully crafted and, whenever possible, encryption keys such as SSH could be used to authenticate against other systems. CCTV and DVR devices often have this kind of functionality built-in.
Device SSL certificates could also be added during the manufacturing process of IoT devices. They’d help establish device identity while facilitating the authentication process. Incorporating security into the device from the onset is one of the most important factors IoT manufacturers need to consider. Possible vulnerabilities and flaws must be considered in the design process.
In other instances, device SSL certificates can be issued during the manufacturing process or added later to establish device identity and facilitate the authentication process. The concept of building security into the device from the outset is an important concept for IoT manufacturers to consider. A few examples of such IoT devices that can use SSL certificates are the Amazon Web Services IoT Button, smart meters and some home energy management devices.
And last but not least, authentication should be used for device software and firmware updates as well. This would ensure that updated software can only be retrieved from approved sources. Otherwise, there’s a risk of seeing our devices “updated” with malicious code from an unauthorized source.
Many IoT devices offer different types of monitoring or recording capabilities. Think of network-attached surveillance cameras, for example. Another popular example is the baby monitor or the “nanny cam” some people use to monitor their babysitters. Smart speakers are yet another example.
Bitdefender recently discovered that Nest home security cameras could be remote-controlled from the web and let people see in other people’s homes, moving the cameras and pointing them wherever they wanted. They have even been used to solicit information from children.
Another important privacy concern for many people has to do with hackers using IoT devices as “jump points” to gain access to other devices within their home. This could leave their personal data exposed.
Some devices pose a greater risk
Unbeknownst to you, the security camera or wireless router you’ve been using for years could be some of the leading sources of vulnerabilities in your smart home network. Tom Canning, Vice President of IoT and Devices at Canonical, the company behind Ubuntu Core, an operating system for IoT device says:
“Devices that pose the greatest risks, are those that have been connected and then forgotten about by consumers. The ability to keep these devices updated and secured is critical, but many of them have weak security, weak password solutions, or no way to locate, patch or install OS updates.”
Another risk comes from devices that are not monitored by their manufacturers for software vulnerabilities. It can also come from devices that don’t get timely software updates and patches. And to make matter worse, identifying these devices is not always easy.
As Canning indicated, “Manufacturers should ensure there a reliable mechanism for software fixes to be rolled out – without the need for consumer intervention or special skills. Often times, these smart home devices (or Internet of Things devices) are built, offered on the market and then are ignored once they hit the stores, leaving millions of potentially unpatched devices with undiscovered vulnerabilities in the hands of unsuspecting consumers, just waiting to be hacked.” This is scary!
Securing your IoT devices
Although it might be relatively easy to realize that your computer or smartphone has been hacked, identifying a compromised smart home device is way more difficult. Phones and computers have all sorts of protection and alerting systems which will often block unknown access attempts or at least send out a notification. Connected home appliances, on the other hand, are simply online and programmed to respond to specific events.
As Caning also says, “Internet-of-things devices themselves must be acknowledged as the most critical point at which security should be considered. A device that can’t be hacked doesn’t exist, there are only devices with undiscovered vulnerabilities.”
6 Things you can do to improve your IoT security
There are several things you can do to improve the security of your IoT devices. Here are a few suggestions. Some of them are obvious and you might already be doing them. Just the same, make sure you are taking as many measures as possible to lock down your security.
1. Change the default password of all IoT devices
This is really the most basic precaution you can take. The five most popular passwords (and these include common default passwords for several brands) can access one in 10 smart home devices. Unfortunately, 15% of IoT device owners don’t ever change default passwords. It might be due to an unwieldy interface that makes changing them a pain. But no matter what, make sure you never leave a default password.
2. Choose devices with automatic software updates
It is a known fact that out-of-date software could contain bugs that allow hackers access. Automatic software updates ensure that devices are protected as quickly as possible and that they always run the latest and safest software. Be wary of connected devices that require manual updates. Chances are they’ll end up outdated and vulnerable.
3. Buy well-known brands
It’s not that equipment from larger, well-known companies is inherently more secure. But they will usually be more responsive to bug reports and do a better job of protecting their customers. While the innovative device from a new startup might be exciting, you run the risk of seeing the manufacturer disappear and leave you vulnerable. Otto, for example, was the manufacturer of a $700 smart door lock. After only four months of operations, it shut down, leaving customers with an internet-connected lock that would receive no further software updates.
4. Don’t use sensitive user accounts on IoT devices
While logging into your smart TV with your Facebook credentials can appear practical, it could be risky if your smart TV has a software vulnerability that allows attackers to access its login. A smart plug from Edimax even requested users’ personal email addresses and passwords in the setup process, putting this information at risk in the event of a hack.
You should never add confidential information to a smart device unless you are absolutely positive that it is secure. Of course, some devices might not allow that. The Amazon Fire TV stick, for example, will have your Amazon, Gmail and credit card information. But Amazon is a brand that we can trust. And furthermore, as we’re about to discuss, we can secure our home network to make it harder for someone from the outside to access our device.
5. Pick your smart devices wisely — Do you really need it?
Only buy smart devices that you need. Forget the “cool” factor of having the latest and greatest web-enabled light switch. And when you can avoid it, don’t connect to the Internet things that don’t absolutely need it. For example, suppose you have a smart TV and a modern Xbox or PlayStation game console. Perhaps you could leave your TV not hooked up to the Internet and watch Netflix on your game console?
6. Secure your home network connection
First and foremost, you must change your Internet router password. Even if it seems to be a seemingly random string of characters, it needs to be changed. And you must also make sure your WiFi network is using an encrypted WPA2-PSK connection.
For the best IoT security and privacy, use a VPN
A Virtual Private Network, or VPN, is one of the best tools one can use to increase online security and privacy. A VPN does its magic by encrypting all data in and out of the protected device using strong encryption that makes it impossible to crack. Once the data is encrypted, it is sent to a remote VPN server through a secure virtual tunnel–hence their name.
With a VPN, anyone intercepting your data won’t be able to make any sense of it and will have no clue what the data is and where it is going. And a VPN will also make your devices harder to hack from the outside as the client will often only allow incoming data from the VPN server. And if you want to protect your whole house network, a VPN can be set up on your Internet router, thereby protecting each and every device.
There are way too many VPN providers out there. And they all seem to have similar features. Choosing the best one for your needs can quickly turn into a challenge. Among the main factors one should consider, a fast connection speed will ensure your high-bandwidth applications run smoothly, a strict no-logging policy will further protect your privacy, no usage restrictions will let your devices and systems access any content at full speed and software that can be installed on a router will let you protect your whole home.
These are the best VPNs for IoT networks
NordVPN is our top choice for securing your IoT network, and the best overall VPN on the market. It offers easy installation on most devices as well as routers, granting access to the industry’s most powerful VPN network. This currently numbers more than 5,500 servers in 59 countries, but it’s expanding all the time. What’s more, embedded within that network is a wide array of specialty servers which allow you to optimize performance for use-cases such as torrenting, guarding against DDoS attacks, browsing the Tor network, or even enabling double VPN encryption.
NordVPN has recently rolled out their proprietary NordLynx encryption protocol, which is based on the cutting-edge WireGuard. The enables low-latency connections across its network, which is ideal when you’re serving VPN protection to an entire household via router. NordVPN never keeps logs of your identifiable metadata, enabling true anonymity.
Read our full NordVPN review.
- Optimized servers for unblocking Netflix
- Most VPN servers with different IP addresses
- Allows up to 6 devices to be connected at once
- No logs and encrypted connections for total privacy
- Live chat support is available.
- They can take 30 days to process refunds.
Surfshark is uniquely positioned to serve IoT households. While it, too, offers router installation (with a handy how-to guide on their website and 24/7 customer service to help you make it work), you may find it’s unnecessary. The reason is simple: Surfshark never limits the number of simultaneous connections protected by a single subscription.
Surfshark’s core VPN functionality is intact and updated, with the highly advanced OpenVPN, IKEv2/IPSec, and WireGuard protocols establishing connections protected by 256-AES-GCM encryption to over 3200 servers in 65 countries worldwide. They also offer automatic obfuscation and smart DNS functionality for accessing sites with VPN blocking, as well as IP/DNS/WebRTC leak protection and a kill switch. And like any good VPN, Surfshar maintains a durable no-logging policy.
- Bypass government censorship with NoBorders mode
- Over 800 servers in 50 countries worldwide, and constantly growing
- Wide app availability on desktop, mobile, consoles, smart TVs and more
- Logging policy independently audited and verified
- Helpful 24/7 live chat with an actual human being.
- Growing network doesn’t have same coverage as more mature VPNs
- New-kid-on-the-block status may not instill same trust as larger providers.
Read our full Surfshark review.
A solid choice for VPN installation onto home router is IPVanish. It features a worldwide network of 1,300+ powerful servers, no speed caps or throttling, unlimited bandwidth, unrestricted traffic, and a strict no-logging policy. And for whole home protection, IPVanish provides detailed setup instructions for most well-known router brands and–even better–they also have partnerships with three suppliers offering routers with preinstalled IPVanish client software. IPVanish truly offers excellent performance and impressive value
Read our full IPVanish review.
Securing IoT devices is something we may tend to forget but it certainly is something we should keep in mind. Attacks on these devices could have dire consequences not only for you but for the community in general. There are several steps you can take to ensure your internet-connected devices are as secure a can be. And to keep your home network safe, perhaps you should think about installing a VPN client directly on your Internet router.