Connected IoT Security
The Internet of Things (IoT) describes physical devices that are connected to the internet and that collect and share data. It has been reported that by 2025 there will be 30.9 billion connected devices. SAP's customers are trying to keep up with the marketplace, stay competitive, and keep an innovative edge over their own competitors, so they are working to develop best-in-class products. These organizations are managing the security, privacy, and safety of their own customers. Customers understand that as technology emerges, so does the threat landscape.
IoT demands improvements to security features. Nowadays the concern is not simply that someone stole a social security number; it is operational outage, consumer safety, physical destruction, and reputational damage. A growing number of laws, regulations and standards require manufacturers to develop IoT products with security in mind.
A lot of people buy these devices, do not disable certain features, and hook the devices directly into their network. From a risk perspective this is very dangerous. Smart TVs that are connected to your Wi-Fi, for example, are not updated frequently, while your Amazon Alexa is. If your Smart TV has not been updated in 3 years, how secure would it be? How many vulnerabilities would it be exposed to?
These devices constantly communicate and send data (analytics or audio) back to one another. What happens to that data, how is it retained, and where does it go? A lot of companies use it to improve their products, but that is not always the case.
Watch out for Terms & Conditions
A lot of people agree to a product's terms and conditions that they may not understand. Some of the data they expose may be very sensitive. In most privacy agreements you are agreeing to let the company capture sensitive data and send it somewhere, with no idea where it is going or who has access to it. Not many people understand the agreements they sign in order to use these devices.
Everyday Devices Can Be Hazardous
Take a TV that has a microphone and a camera that supports gesture control: it is possible to log in to your device through a peer-to-peer network and view it. There are a lot of opportunities for these devices to capture and compromise passwords. You are supposed to segregate these devices and take them off your personal network completely. The pieces and parts inside devices are not frequently patched and updated, so it is important to know how much visibility they have inside your network when they are connected to it.
Don’t Be Fooled
A lot of devices have default usernames and passwords. Changing them is the simplest thing you can do to keep people from logging in remotely and enabling features on your devices. A lot of wireless routers and cameras are designed to work easily, so when people plug them in, they just work, but that is inherently weak. Most people plug the device in and it works. It has default credentials and everything works, so people do not change them. Companies want to deploy things that work right away. They do not want helpdesk nightmares; they want to make lives easier. So they ship default settings that are friendlier, configured to work as soon as you plug the device in, and that do not rely on the user to do much.
Devices not Connected to your Network
Even your IoT devices that aren't connected to a network are easily accessible. It is easy to pull up a professional tool and see the peer-to-peer network they are trying to build. These devices allow you to connect via Wi-Fi, so someone within proximity can access and configure your network, and some of these devices make it impossible to turn these features off. They act like a peer-to-peer node or a Wi-Fi network you can connect to. The only way to stop this would be to remove those modules, but most of the time this is not possible. Take the Bluetooth speaker or the soundbar on your TV: you are meant to physically touch them for them to sync, but through these apps you do not have to physically touch them. People use them as listening devices, connecting to them in order to listen in. These devices are meant to be user-friendly and easy to use. However, within a certain proximity, it is easy for people to access your cameras, speakers, and other things like that.
Always Buy from a Reputable Source
There are a lot of counterfeit and other devices out there that you must worry about. People buy cameras that are inexpensive, yet they have no security by design. They are made to be manufactured and run cheaply, with no design consideration for security. They may be clones that look like a high-end camera but do not have any of the security controls of the device they are copying. They may be physically like the other device but internally different. Some of the counterfeits feel different; they may have a login portal with the look and feel of a traditional device. Always buy from a reputable source.
Attackers Leverage Technology
Shodan, BinaryEdge and other IoT platforms are not free but are affordable. These search engines allow users to search for various technology that is on the internet (webcams, servers, routers, etc.). A hacker does not need to scan your network to find these devices; if they are connected to the internet, these search engines let the world know that there is a device out there. It does not matter if you are non-technical: depending on how your network is set up and how you have things connected, you can inadvertently be putting cameras on the internet that the world can access through a simple web page.
The best things seen out there have to do with device provisioning. The device does not work until you set it up and configure it. A lot of devices require you to have a mobile app and be local, or to scan a barcode on the actual device. For example, with your Ring alarm you can add a new device, but it requires you to log in via multifactor authentication, have physical access to the device to scan it in, and have it be on your network. In the past it was self-discovery; now you are starting to see more mobile app integration using stronger security practices that require physical access rather than remote access.
It is not just our home networks at risk. Imagine an attacker being able to take over an over-the-air update and reduce a driver's safety. The ability for nation-state attackers to misuse and collect our data, use location tracking, and ultimately shut down and take over infrastructure that controls the power grid and water systems is a real possibility.
The Advantages of IoT
There are a lot of advantages to IoT, such as remote medical care, reduced cost for data analytics, easier critical infrastructure administration, environmental benefits, over-the-air updates (safety), automation of risks, and communication enhancements. A lot more responsibility must be on the manufacturer. Hardware switches, where consumers can disable a microphone or camera with a physical switch as opposed to software, help make things more secure, though ultimately they will increase the cost of the device (which makes it less appealing). If your TV has a camera, being able to disable it and cut its power without unplugging it would be more secure, but in some devices there is no way to achieve that. The device will not work as designed, or won't start up, if some of its components won't turn on.
A lot of pressure from consumers on manufacturers will occur regarding security, and the manufacturers will treat consumers' privacy with the utmost concern and use it in a positive way. But then products will cost consumers more money, because it is going to cost the manufacturer more money to design products that are more secure. As cyber-attacks increase, consumers that use IoT devices are demanding proof of adequate security before bringing these devices onto their networks. To meet customer and regulatory demands for devices designed with security in mind, manufacturers need to do more security testing.
Call to action:
For an everyday home user there are a few recommendations to protect your security and privacy at home.
- Set up a separate network for your IoT devices
- Secure your router
- Change the default names/passwords on your router and devices
- Generate complex passwords
- Use multiple passwords
- Enable two factor authentication
- Ensure all devices are always up to date
- Disable surplus features
- Do not opt into things just to use certain features; read what you are opting into
- Disable your camera/microphone when it is not needed
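
Several of these recommendations can be checked mechanically against a list of the devices in your home. The following is an added example, not part of the original article: the addressing plan, the sample of default credentials, the one-year firmware threshold and every device in the inventory are constructed assumptions.

```python
from collections import Counter
from datetime import date
from ipaddress import ip_address, ip_network

# Assumptions (constructed, not from the article): the separate IoT network,
# a small sample of factory credentials, and a one-year firmware threshold.
IOT_LAN = ip_network("192.168.50.0/24")
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
MAX_FIRMWARE_AGE_DAYS = 365

# Constructed inventory: every device, address and password below is made up.
INVENTORY = [
    {"name": "smart-tv", "ip": "192.168.1.23", "user": "admin", "password": "admin",
     "firmware": date(2021, 3, 1), "two_factor": False},
    {"name": "doorbell", "ip": "192.168.50.10", "user": "home", "password": "T7#qLm92!xVb",
     "firmware": date(2024, 1, 15), "two_factor": True},
    {"name": "camera", "ip": "192.168.50.11", "user": "home", "password": "Garden-2019",
     "firmware": date(2024, 2, 1), "two_factor": True},
    {"name": "speaker", "ip": "192.168.50.12", "user": "home", "password": "Garden-2019",
     "firmware": date(2023, 11, 20), "two_factor": False},
]

def audit(inventory, today):
    """Return {device name: [findings]} for the checklist items that can be checked."""
    password_use = Counter(dev["password"] for dev in inventory)
    report = {}
    for dev in inventory:
        findings = []
        # Separate network: the device should sit in the IoT segment only.
        if ip_address(dev["ip"]) not in IOT_LAN:
            findings.append("not on the IoT network")
        # Default names/passwords left unchanged.
        if (dev["user"], dev["password"]) in DEFAULT_CREDS:
            findings.append("default credentials")
        # "Use multiple passwords": the same password on more than one device.
        if password_use[dev["password"]] > 1:
            findings.append("password reused")
        # Devices should be kept up to date.
        if (today - dev["firmware"]).days > MAX_FIRMWARE_AGE_DAYS:
            findings.append("firmware out of date")
        if not dev["two_factor"]:
            findings.append("two-factor authentication off")
        report[dev["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, date(2024, 6, 1)).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```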