Understanding how to secure your IoT devices might be more important than you think. Smart TVs, intelligent bathroom fixtures, connected fridges–it seems like today, everything and anything can be connected. So much so that a new term had to be invented: the Internet of Things. As of 2018, it is estimated that some 40% of Americans use some form of smart home technology.
What makes a device smart? It has nothing to do with intelligence, real or artificial. What we refer to as smart devices are all the things that connect to your local network, either through WiFi or sometimes Bluetooth, and that can be controlled remotely, often through some sort of web-based gateway.
The popularity of these devices is not surprising. Imagine the convenience of a home where you can access lights, heating, the washing machine or the garage door from a centralized point. Devices such as the Amazon Echo or Google Home hubs can do just that and improve your security and convenience.
Today, we’ll discover what the threats are and why they are dangerous. We will also discuss what devices are posing the greatest risks and then, we’ll discuss what can be done to secure your IoT devices.
Everything Has A Price
Unfortunately, by virtue of being connected, IoT devices are also left open to security risks that are just starting to appear. Chester Wisniewski, a researcher at Sophos–a well-known security firm–suggests to “think of any smart home appliance as a tiny computer. If you can access or control it remotely, someone else can too”.
Threats are everywhere. It has been demonstrated by researchers that by hacking into a single device, hackers can often access an entire home network. It could start from a simple hack of an unprotected security camera and end up with some personal data being stolen from your computer.
As another example, a bug was found last year in the Nest security system. It allowed a hacker to turn cameras on and off. We’ve also heard of a Bluetooth-enabled teddy bear that was designed for kids to receive messages from their loved ones but could be hacked and used for surveillance. And these are just a few examples. We’ll never say it enough: threats are everywhere. This is the price we have to pay to get the conveniences of the Internet of Things.
Some Important Security Issues Affecting IoT Devices
Of course, most IoT devices run limited operating systems and, therefore, shouldn’t be affected by most of today’s threats. Just like there are not many viruses attacking Linux computers, there shouldn’t be any attacking connected devices, should there? It is true but that doesn’t mean they are without risks.
IoT devices often have limited capabilities and are not particularly good when it comes to security. That leaves them open to hacking and they could be used as a way to gain access to other networked devices such as your computers. The main IoT threats are botnets, authentication and data privacy. Let’s explain.
The greatest security risk from IoT devices is not necessarily to us. On the contrary, the greatest risk is that our IoT devices become part of botnet attacks on others.
A botnet is a group of many devices under the control of a hacker. They can be used to virtually bombard a website with enough requests that it will stop working. And similar distributed denial-of-service, or DDOS, attacks can also target service providers and cause service disruptions. The Mirai botnet attack brought down a good part of the American Internet back in 2016.
The number of DDOS attacks rose by 91% last year and this is largely attributed to growing breaches of smart home devices. Researchers have recently found another spread of the Mirai malware that has infected over 100,000 devices within several days.
Here’s a concrete example. A flaw was found by researchers last year in Hue smart lightbulbs from Philips. The flaw could have allowed attackers to infect a lightbulb with malware that would spread to other similar devices within a few hundred meters, with the potential to eventually affect all such lightbulbs within a city. And once the malware has infected numerous devices, they can be used to launch a DDOS attack.
Internet-attached cameras could similarly become infected and used to upload massive amounts of data to the Internet, effectively rendering part of it unusable. And how about simultaneously turning on tens of thousands of air conditioners in a city, with the potential of taking down part of the region’s power grid?
Why Are IoT Devices So Vulnerable To Botnets?
The problem with IoT devices being so vulnerable stems from the fact that no one even thought they could become a threat. It has only recently surfaced that these devices could be hacked into. And to make things worse, due to their often limited interfacing capabilities, developers may build backdoors right into their devices to ease their development. And with companies always in a rush to push new technology out to the market, these backdoors are often left in place even after the development cycle is complete. Another reason is that many users of IoT devices don’t change the default passwords to access their devices or use weak ones.
There’s even a particular search engine that makes it incredibly easy for hackers to find many internet-connected devices. And when their users are still using the default password or an easily cracked one, breaching these devices is a piece of cake.
Security software provider Bitdefender’s Chief Security Researcher Alex Balan said:
“We’re monitoring about 300 botnets that are made up entirely of IoT devices. Hackers are crawling the internet, looking for vulnerable, connected devices. This is the biggest consequence of unsecured smart home devices – a DDOS attack costs real-life money by disrupting internet service.”
Many IoT devices need to authenticate against other devices or systems. When they do, they must be configured to do it securely. IDs and passwords must be carefully crafted and, whenever possible, cryptographic keys such as SSH keys could be used to authenticate against other systems. CCTV and DVR devices often have this kind of functionality built-in.
Device SSL certificates could also be added during the manufacturing process of IoT devices. They’d help establish device identity while facilitating the authentication process. Incorporating security into the device from the onset is one of the most important factors IoT manufacturers need to consider. Possible vulnerabilities and flaws must be considered in the design process.
In other instances, device SSL certificates can be added after manufacturing to establish device identity and facilitate the authentication process. A few examples of IoT devices that can use SSL certificates are the Amazon Web Services IoT Button, smart meters and some home energy management devices.
And last but not least, authentication should be used for device software and firmware updates as well. This would ensure that updated software can only be retrieved from approved sources. Otherwise, there’s a risk of seeing our devices “updated” with malicious code from an unauthorized source.
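The update check described above can be sketched as follows. This is an added example, not code from any vendor mentioned in the article; it assumes the third-party `cryptography` package, a hypothetical JSON manifest format, and it goes one step beyond the text by also refusing older versions.

```python
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def vendor_sign(key: Ed25519PrivateKey, version: int, image: bytes):
    """Vendor side: sign a manifest that binds the version to the image hash."""
    manifest = json.dumps(
        {"version": version, "sha256": hashlib.sha256(image).hexdigest()},
        sort_keys=True,
    ).encode()
    return manifest, key.sign(manifest)


def device_accepts(pub: Ed25519PublicKey, running_version: int,
                   manifest: bytes, signature: bytes, image: bytes) -> str:
    """Device side: return "ok" or the reason the update is refused."""
    try:
        pub.verify(signature, manifest)  # raises unless signed by the vendor key
    except InvalidSignature:
        return "bad signature"
    meta = json.loads(manifest)  # parsed only after the signature checks out
    if hashlib.sha256(image).hexdigest() != meta["sha256"]:
        return "image does not match manifest"
    if meta["version"] <= running_version:
        return "rollback refused"
    return "ok"


# Constructed sample data: throwaway keys and fake firmware images.
vendor_key = Ed25519PrivateKey.generate()
device_pub = vendor_key.public_key()  # on a real device, provisioned at manufacture
good_image = b"firmware v7 (constructed sample bytes)"
manifest, sig = vendor_sign(vendor_key, 7, good_image)
# An "update" signed by a key the device does not trust.
rogue_manifest, rogue_sig = vendor_sign(Ed25519PrivateKey.generate(), 8, b"rogue image")

if __name__ == "__main__":
    print(device_accepts(device_pub, 6, manifest, sig, good_image))      # genuine update
    print(device_accepts(device_pub, 6, manifest, sig, b"tampered"))     # swapped image
    print(device_accepts(device_pub, 6, rogue_manifest, rogue_sig, b"rogue image"))
    print(device_accepts(device_pub, 7, manifest, sig, good_image))      # replayed update
```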
Many IoT devices offer different types of monitoring or recording capabilities. Think of network-attached surveillance cameras, for example. Another popular example is the baby monitor or the “nanny cam” some people use to monitor their babysitters. Smart speakers are yet another example.
A brand of cameras was recently discovered by Bitdefender that could be remote-controlled from the web and let people see in other people’s homes, move the cameras and point them wherever they wanted. And it is believed that there are some 300,000 such cameras with this flaw worldwide.
Another important privacy concern for many people has to do with hackers using IoT devices as “jump points” to gain access to other devices within their home. This could leave their personal data exposed.
Some Devices Pose a Greater Risk
Unbeknownst to you, the security camera or wireless router you’ve been using for years could be one of the leading sources of vulnerabilities in your smart home network. Tom Canning, Vice President of IoT and Devices at Canonical, the company behind Ubuntu Core, an operating system for IoT devices, says:
“Devices that pose the greatest risks, are those that have been connected and then forgotten about by consumers. The ability to keep these devices updated and secured is critical, but many of them have weak security, weak password solutions, or no way to locate, patch or install OS updates.”
Another risk comes from devices that are not monitored by their manufacturers for software vulnerabilities. It can also come from devices that don’t get timely software updates and patches. And to make matters worse, identifying these devices is not always easy.
As Canning indicated, “Manufacturers should ensure there is a reliable mechanism for software fixes to be rolled out – without the need for consumer intervention or special skills. Often times, these smart home devices (or Internet of Things devices) are built, offered on the market and then are ignored once they hit the stores, leaving millions of potentially unpatched devices with undiscovered vulnerabilities in the hands of unsuspecting consumers, just waiting to be hacked.” This is scary!
Securing Your IoT Devices
Although it might be relatively easy to realize that your computer or smartphone has been hacked, identifying a compromised smart home device is way more difficult. Phones and computers have all sorts of protection and alerting systems which will often block unknown access attempts or at least send out a notification. Connected home appliances, on the other hand, are simply online and programmed to respond to specific events.
As Canning also says, “Internet-of-things devices themselves must be acknowledged as the most critical point at which security should be considered. A device that can’t be hacked doesn’t exist, there are only devices with undiscovered vulnerabilities.”
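Because the devices themselves raise no alarm, the router's connection log is one place a compromised device can show up. The following is an added example, not part of the original article: it flags a home device that suddenly opens telnet connections to many different outside hosts, the pattern a Mirai-style bot produces while looking for new victims. The log format, subnet and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet
TELNET_PORTS = {23, 2323}   # ports Mirai-style bots probe when hunting for new devices
WINDOW = timedelta(seconds=60)
THRESHOLD = 5               # assumed: distinct outside hosts per window before alerting

# Constructed sample log, one connection per line: "time source destination dest-port"
SAMPLE_LOG = """\
2024-05-01T03:00:00 192.168.1.20 198.51.100.7 443
2024-05-01T03:00:01 192.168.1.50 203.0.113.1 23
2024-05-01T03:00:02 192.168.1.50 203.0.113.2 23
2024-05-01T03:00:03 192.168.1.50 203.0.113.3 2323
2024-05-01T03:00:04 192.168.1.50 203.0.113.4 23
2024-05-01T03:00:05 192.168.1.50 203.0.113.5 23
2024-05-01T03:00:06 192.168.1.50 203.0.113.6 2323
2024-05-01T03:00:07 192.168.1.60 192.168.1.1 23
2024-05-01T03:10:00 192.168.1.60 198.51.100.9 23
"""


def parse(line):
    ts, src, dst, port = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(port))


def scanning_devices(log_text, window=WINDOW, threshold=THRESHOLD):
    """Map each LAN device over the threshold to its peak count of distinct
    outside telnet targets inside any one window."""
    probes = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, dst, port = parse(line)
        if src in LAN and dst not in LAN and port in TELNET_PORTS:
            probes[str(src)].append((ts, dst))
    flagged = {}
    for src, events in probes.items():
        events.sort(key=lambda e: e[0])
        start = peak = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for device, peak in scanning_devices(SAMPLE_LOG).items():
        print(f"{device}: {peak} outside telnet targets within {WINDOW}")
```

In the sample, only the camera at 192.168.1.50 is flagged; the single outside telnet connection from 192.168.1.60 and its LAN-only traffic stay below the threshold.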
What Can Be Done To Improve Security
There are several things you can do to improve the security of your IoT devices. Here are a few suggestions. Some of them are obvious and you might already be doing them. Just the same, make sure you are taking as many measures as possible to lock down your security.
Change The Default Password Of All IoT Devices
This is really the most basic precaution you can take. The five most popular passwords (and these include common default passwords for several brands) can access one in 10 smart home devices. Unfortunately, 15% of IoT device owners don’t ever change default passwords. It might be due to an unwieldy interface that makes changing them a pain. But no matter what, make sure you never leave a default password.
Choose Devices With Automatic Software Updates
It is a known fact that out-of-date software could contain bugs that allow hackers access. Automatic software updates ensure that devices are protected as quickly as possible and that they always run the latest and safest software. Be wary of connected devices that require manual updates. Chances are they’ll end up outdated and vulnerable.
Choose Well-known Brands
It’s not that equipment from larger, well-known companies is inherently more secure. But they will usually be more responsive to bug reports and do a better job of protecting their customers. While the innovative device from a new startup might be exciting, you run the risk of seeing the manufacturer disappear and leave you vulnerable. Otto, for example, was the manufacturer of a $700 smart door lock. After only four months of operations, it shut down, leaving customers with an internet-connected lock that would receive no further software updates.
Don’t Use Sensitive User Accounts On IoT Devices
While logging into your smart TV with your Facebook credentials can appear practical, it could be risky if your smart TV has a software vulnerability that allows attackers to access its login. A smart plug from Edimax even requested users’ personal email addresses and passwords in the setup process, putting this information at risk in the event of a hack.
You should never add confidential information to a smart device unless you are absolutely positive that it is secure. Of course, some devices might not allow that. The Amazon Fire TV stick, for example, will have your Amazon, Gmail and credit card information. But Amazon is a brand that we can trust. And furthermore, as we’re about to discuss, we can secure our home network to make it harder for someone from the outside to access our device.
Choose Your Smart Devices Wisely — Do You Really Need It?
Only buy smart devices that you need. Forget the “cool” factor of having the latest and greatest web-enabled light switch. And when you can avoid it, don’t connect to the Internet things that don’t absolutely need it. For example, suppose you have a smart TV and a modern Xbox or PlayStation game console. Perhaps you could leave your TV not hooked up to the Internet and watch Netflix on your game console?
Secure Your Home Network Connection
First and foremost, you must change your Internet router password. Even if it looks like a random string of characters, it needs to be changed. And you must also make sure your WiFi network is using an encrypted WPA2-PSK connection.
For The Best Security And Privacy, Use A VPN
A Virtual Private Network, or VPN, is one of the best tools one can use to increase online security and privacy. A VPN does its magic by encrypting all data in and out of the protected device using strong encryption that is impractical to crack. Once the data is encrypted, it is sent to a remote VPN server through a secure virtual tunnel–hence the name.
With a VPN, anyone intercepting your data won’t be able to make any sense of it and will have no clue what the data is and where it is going. And a VPN will also make your devices harder to hack from the outside as the client will often only allow incoming data from the VPN server. And if you want to protect your whole house network, a VPN can be set up on your Internet router, thereby protecting each and every device.
There are way too many VPN providers out there. And they all seem to have similar features. Choosing the best one for your needs can quickly turn into a challenge. Among the main factors one should consider, a fast connection speed will ensure your high-bandwidth applications run smoothly, a strict no-logging policy will further protect your privacy, no usage restrictions will let your devices and systems access any content at full speed and software that can be installed on a router will let you protect your whole home.
The Best VPN For Whole-house Coverage – IPVanish
We’ve been testing many VPN providers and the one we’d recommend for installing on a home router is IPVanish. It features a worldwide network of hundreds of powerful servers, no speed cap or throttling, unlimited bandwidth, unrestricted traffic, and a strict no-logging policy. And for whole home protection, IPVanish provides detailed setup instructions for most well-known router brands and–even better–they also have partnerships with three suppliers offering routers with preinstalled IPVanish client software. IPVanish truly offers excellent performance and impressive value.
Securing IoT devices is something we may tend to forget but it certainly is something we should keep in mind. Attacks on these devices could have dire consequences not only for you but for the community in general. There are several steps you can take to ensure your internet-connected devices are as secure as can be. And to keep your home network safe, perhaps you should think about installing a VPN client directly on your Internet router.