This Christmas was a record year in tech shopping seasons in history, with a whopping $34 billion spent on consumer electronic gifts. A large portion of these devices are Internet of Things (IoT) gadgets and, after being unwrapped, they have been scattered across our homes as mobile-controllable lamps, smart TVs, connected fridges, coffee makers and motion detection sensors, among others.
IoT surely gives us an unprecedented ability to sense and control our environments and help us to increase utility while reducing costs and energy consumption. But while IoT gadgets have the power to make our homes smarter, they also have the potential to make them less safe by introducing new attack vectors for hackers to target us and make our lives a living hell.
The following safeguards, which draw on the efforts made by the Online Trust Alliance, will help you make the most out of IoT’s utility while reducing the privacy and security tradeoff and avoid being the next victim of a light-bulb that inadvertently gives away Wi-Fi networks passwords, or worse, a smart fridge that gives away Gmail login credentials.
Updates, updates, and more updates
The first rule in cybersecurity is to always look for and install updates. This has become de-facto behavior in PC and laptop owners, and to some lesser extent, smartphone and tablet wielders. Unfortunately, while the IoT industry is still taking its baby steps, device update mechanisms and support leaves a lot to desire. This necessitates extra precaution on your part.
- Check for known vulnerabilities: Before installing any new IoT device in your home and allowing it to silently connect to the internet through your home router, do a little research to see if it has any known vulnerabilities. Googling the name of your device plus the word “vulnerabilities” should be enough if there’s anything relevant.
- Make sure you have the latest updates installed: If the device type does have vulnerabilities, verify that the one you received is installed with the latest version of the manufacturer’s firmware, software or OS. This is usually the case if the purchase has been made by a direct order from the manufacturer.
- Protect yourself against future security holes: Check on the manufacturer’s update policy and record, and make sure it continues support for your device and promises to deliver regular updates. If possible, opt for automatic updates, but make sure that your personalization, privacy and security settings have not been altered or reset after patch installations.
- Register for update notifications: All manufacturers should have a means to inform you of software updates for their products. Vendor websites usually have a page for this purpose, where you can register to receive notifications on security updates.
Control your devices’ connectivity settings
Since individual IoT devices contain little or no sensitive data, consumers make the mistake of leaving them unguarded. But as has been manifested time and again, any weakly protected device can allow hackers to infiltrate and move laterally across your network, eventually obtaining access to more critical targets. Therefore, you should never underestimate even the most insignificant of your IoT devices, especially since they are constantly online.
- Override default settings: One of the most common mistakes consumers make is to leave their devices with default factory settings after setting them up. Never use default username and passwords to secure your device’s administration interface, and change them regularly. This reduces the threat of the device being hacked through brute force and password dictionary attacks. Also don’t use the same password that you’ve set on a critical email or social media account in order to prevent a possible IoT hack from propagating to other accounts you own.
- Disable unneeded connectivity features: Your device might offer several different access mechanisms in order to maximize flexibility. You should only enable those that are absolutely necessary. Be especially wary of remote access features. Also, when installing the app that is associated with the device, carefully review any permissions it requests, such as camera, microphone, location tracking or administrative privileges.
- Turn off devices during long leaves: If you’re going to be away for a long period, there’s no need for all your devices to be connected. You might want to leave some of your motion detection and open/close sensors on in order to warn you about unwarranted activity in your home, but most other appliances should be turned off and disconnected in order to reduce your home network’s attack surface.
- Isolate devices as much as possible: Where applicable, prefer wired connections to Wi-Fi, as it is less prone to be tapped and eavesdropped by intruders. Also, if your home router has a guest network, use it to isolate your devices from other networks.
Source credit: Digital Icon Pack by Seth Eckert
Setup a strong perimeter
As a general rule, it is always a good practice to setup your defenses as far as possible and make it difficult for hackers to reach the devices themselves. This can be achieved through the application of tried-and-tested security measures on your home network.
- Use firewalls to secure your network: All internet-connected devices should be guarded by a firewall in order to prevent unauthorized access. Firewalls can be setup at router level and in some cases at device level, especially devices that run OSes such as Linux.
- Use a VPN to secure your outbound traffic: Even encrypted communications can give away ample information, such as daily habits and living patterns, to say the least. Moreover, many IoT devices have been found to have severe vulnerabilities in their encryption keys and technologies. Channeling your home traffic through a VPN can go a long way to improve security and prevent attacks. Experts at security firm LGS innovative have published a comprehensive report in this regard.
- Invest in an intrusion detection device: Although router firewalls can shoulder a large part of the network security problem, but once a device gets breached and installed with a malware, finding it can become a daunting task. To overcome this weakness, you can use one of several new smartintrusion-detection devices that monitor and scrutinize your network traffic to detect and isolate devices that are behaving suspiciously and might have been compromised.
Protect your privacy
In many cases, a consumer’s own carelessness can be more detrimental than the most sophisticated hacks, and can give away data that might not be obtained by other means. Make sure you know how your devices and their manufacturers behave, and how they collect, store and share your data.
- Reset your device when disposing it: If you ever decide to sell your device or give it away to someone else (or even dispose of it), make sure you reset it to factory settings before doing so. Also clear any saved data you might have on your device before passing it on to the next person. This is a scenario that can happen a lot with IoT devices, since many connected appliances are sold along with homes.
- Review the vendor’s data collection policies: Many manufacturers have cloud services that collect and analyze device behavior data to optimize and improve service quality and consumer experience. Make sure you review the vendor’s policy for collecting data and sharing it with third parties. Also, if possible, have a look at the vendor’s cloud security insurance policy and whether they have any safeguards to protect customer data against data breaches. All honest manufacturers should give consumers the ability to opt out of data collection programs.
- Disable device camera and microphone: Many devices have built-in microphones and cameras. If you’re not actively or intentionally using them, disable them. If you can’t, at least turn the camera to face the wall instead to prevent accidental or unauthorized recording of footage from your private life.