Today, a segment will air on Crime Watch Daily where Tripwire Senior Security Researcher Craig Young and I reveal on camera how vulnerable smart homes can be when not properly secured.
We show firsthand that the key weaknesses in most smart homes are a combination of insecure networks and default configurations, including systems that installers may say are “unhackable.”
So, what exactly is an IoT device?
"IoT (Internet of Things) device" is a generic term for anything that, until recently, we would not traditionally have seen connected to the Internet. This can range from thermostats and HVAC systems to wearables (such as fitness devices and watches), medical devices and home security systems, including IP cameras and baby monitors.
In office environments, this also includes things like printers, televisions, projectors and smart appliances that may be found in an office whether knowingly connected to the network or not.
These devices may connect directly to the Internet themselves through your Wi-Fi router, or could connect to other devices using a number of other protocols. Sometimes these devices may themselves function as a hotspot and connect to other devices within your home automatically, or via configuration.
Some of the key risks associated with these devices in both the home and office include:
- Lack of proper security implementation or features in devices
- Difficulties patching vulnerabilities in these devices, if security patches are provided at all
- General lack of security awareness amongst consumers and business users regarding these new devices
- Exploitation of UPnP (Universal Plug and Play) found in many IoT devices
- Compromise of devices using default passwords easily found on the Internet
- Insecure passwords or lack of proper encryption on Wi-Fi networks where devices are connected
Securing IoT at Home and Office
Securing these new devices on our home and office networks requires more vigilance and a better understanding of how these devices are configured, as well as security features that the devices provide.
Here are some key recommendations to help make these devices and your network more secure:
- When selecting an IoT device, research the brand and model to see if the company is reputable and has a history of providing secure devices.
- Be aware of the network capabilities of devices you bring into your home. Identify via the manual whether the devices have an open Wi-Fi connection and/or default passwords. Ensure the passwords are changed and that the device is connecting to a secure network.
- For medical devices, patients should be educated regarding the device capabilities and risks, particularly if the device can be accessed remotely.
- Disable UPnP (Universal Plug and Play) on all devices, as well as routers on your network.
- Segment IoT devices on their own network, if possible.
- Ensure that the Wi-Fi network your devices connect to is secure and follows best practices for passwords.
- Never use dictionary words, pet names, phone numbers or other known information in passwords – they should be at least 16 characters long and contain upper- and lower-case letters, numbers and special characters.