More than 8.4 billion internet-connected devices are estimated to be available in 2017, and Gartner estimates that number will reach 20.4 billion by 2020. In 2017, the consumer sector represents 63 percent of all devices in use, or 5.2 billion units.
Security researchers have long warned of the dangers of smart, yet inherently vulnerable, sockets, lightbulbs and other home network-attached IoT devices. Users risk losing much more than just access to the device itself. They also risk affecting other devices sharing the same network. Leveraging a single vulnerability in a smart TV or any smart device, attackers could move laterally across home networks to compromise laptops, mobile devices, and even personal and private data stored on network-attached storage sharing the same home network as the vulnerable IoT device.
Securing your Smart TV
Smart TVs are now mainstream, making their way into every household. While the average user might not look at it as a “smart device,” the TV has internet connectivity and an operating system and it’s just as likely to be exposed to threats as a smart phone or tablet. With ransomware infections hitting smart TVs, the average user needs to not only install a security solution, but also perform regular firmware updates to make sure no known vulnerability remains unpatched.
The smart TV is among the top 5 internet-connected household devices, alongside the smartphone, tablet, laptop and desktop, yet 6 out of 10 US users report no security option on their smart TVs. Because these TVs sport browsing capabilities and allow installation of applications from both trusted and untrusted sources, users are strongly encouraged to install a security solution designed for smart TVs running Android.
IP Cameras and Baby Monitors
While smart TVs support security software, other smart devices – webcams, baby monitors, IP cameras – allow no such option. Security researchers have often found that attackers could easily gain remote access to them by leveraging internet-facing ports and services (e.g. telnet, SSH) or by exploiting unpatched vulnerabilities in their firmware.
These devices often run outdated firmware versions, and users are never notified of the existence of newer ones that fix serious security issues. Plus, there’s also the risk that the cloud service provider responsible for storing your video feeds is either not focused on data protection and privacy or simply does not use encryption both in transit and at rest. The latter would be unfortunate, as anyone performing a man-in-the-middle attack could access what your camera is recording or even seize control of it and start talking to your children.
It’s usually up to individual users to change the devices’ default passwords as soon as they’re purchased, block remote access ports on their routers, and even connect the devices to a separate Wi-Fi network so that no critical devices are affected in case of a vulnerability.
Smart Light Bulbs and Switches
Today’s smart home also includes smart light bulbs and light switches that require Wi-Fi connectivity to allow remote control. These face the same problems as other smart devices (missing security and firmware updates, and remote connection vulnerabilities), so the average user is left with only a handful of security options. One is to research the security features of such devices and make sure manufacturers are trusted and have a policy for fixing reported security issues. It’s also highly recommended to change default authentication passwords upon purchase, as there are online search engines – Shodan for example – that crawl the internet for IoT devices with default credentials, allowing attackers to easily access them remotely.
Why All the Fuss About IoT Security?
Traditionally, security has been all about laptops and smart phones, as their adoption and market share turned them into ripe targets for attackers. However, since IoT devices make their way into every home while sporting little to no security features, they become easily exploitable gateways that attackers can leverage to compromise the entire home network, not just a single device. Traditional security mechanisms don’t apply to IoT devices because, unlike other operating systems, they don’t support installing any additional software.
Consequently, IoT security should include two distinct and powerful technologies that offer both anti-malware scanning capabilities and IoT vulnerability assessment. Sitting at the gateway level, an IoT security solution should make sure that traffic entering (or exiting) your network is not malicious or malformed, blocking malware and phishing pages in traffic and ensuring that they don’t reach the target device. The Vulnerability Assessment module should regularly probe devices connected to the network for outdated, vulnerable firmware, as well as misconfigurations (e.g. open Telnet or SSH ports that are reachable from the internet, poor passwords, known exploits against the device, etc.). Once the Vulnerability Assessment module finishes scanning local devices, it should display a comprehensive report with the identified flaws (if any) and outline steps to be taken to mitigate them.
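The kind of checks such a Vulnerability Assessment module runs can be sketched as follows. This is an added example, not part of the original article and not any vendor's code: it probes a device on your own network for open Telnet/SSH ports, applies the password rule from tip 2 below (using 8 characters as the minimum), and compares firmware versions. The inventory fields, function names and sample values are assumptions constructed for illustration.

```python
import socket

# Remote-administration services the article names as risky when exposed.
RISKY_PORTS = {23: "Telnet", 22: "SSH"}

def port_open(host, port, timeout=0.5):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False

def weak_password(pw):
    """Article's rule: 8+ characters mixing upper, lower, digit and special."""
    classes = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return len(pw) < 8 or not all(any(f(c) for c in pw) for f in classes)

def outdated(installed, latest):
    """Compare dotted numeric versions, e.g. '1.9.3' < '1.10.0'."""
    as_tuple = lambda v: tuple(int(part) for part in v.split("."))
    return as_tuple(installed) < as_tuple(latest)

def assess(device, probe=port_open):
    """Return (finding, mitigation) pairs for one device on your own network."""
    report = []
    for port, name in RISKY_PORTS.items():
        if probe(device["host"], port):
            report.append((f"{name} port {port} is open",
                           "disable the service or block the port at the router"))
    if weak_password(device["password"]):
        report.append(("weak or default password", "set a long, mixed-character password"))
    if outdated(device["firmware"], device["latest"]):
        report.append(("outdated firmware", f"update to {device['latest']}"))
    return report

# Constructed sample inventory; hosts, passwords and versions are made up.
INVENTORY = [
    {"name": "baby-monitor", "host": "192.168.50.10", "password": "admin",
     "firmware": "1.9.3", "latest": "1.10.0"},
    {"name": "smart-tv", "host": "192.168.50.11", "password": "T4ke-0ut!Lamp",
     "firmware": "7.2.0", "latest": "7.2.0"},
]

if __name__ == "__main__":
    # Simulated probe so the demo runs offline: only the monitor exposes Telnet.
    fake_probe = lambda host, port: (host, port) == ("192.168.50.10", 23)
    for dev in INVENTORY:
        for finding, fix in assess(dev, fake_probe) or [("no issues found", "-")]:
            print(f"{dev['name']}: {finding} -> {fix}")
```

Calling assess(device) without the second argument uses the real TCP probe, so point it only at devices on your own network.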
Practical and Hands-on IoT Security Tips
1. Research! Research! Research!
Before purchasing any household IoT device, research its capabilities, the way it handles the data it collects, and whether the manufacturer has a strict security and firmware update policy in case vulnerabilities are publicly disclosed. Besides being practical or offering interesting features, an IoT device needs to first and foremost be secure and handle your private data with care.
2. Change Default Passwords
The first thing everyone should do when connecting a new IoT device to their home network is change its default password and replace it with one that’s at least 8 to 16 characters long and contains uppercase and lowercase letters, numbers and special characters. There’s an IoT search engine out there – Shodan – that specifically looks for internet-facing smart things that have default or no passwords.
3. Network Segregation
It might seem like a bit of a hassle, but setting up a separate Wi-Fi network just for IoT devices makes a lot of sense in terms of security. If one vulnerable device is breached and remotely controlled, at least other mission-critical devices around the house (e.g. laptops, network-attached storage, etc.) will not be affected or compromised.
4. Firmware Updates
Just as you look for and install security and operating system updates on your laptops or mobile devices, the same should hold true for IoT devices. Sometimes manufacturers push security updates and fixes that prevent attackers from easily taking over your devices and using them against you.
Bogdan Botezatu is Senior E-Threat Analyst at Bitdefender