Every few weeks I seem to read about a security breach at a major corporation – just last month Tesla was “cryptojacked” to mine cryptocurrencies. Companies and individuals typically focus on securing IoT data where it is stored — however, this is only half the battle. Hackers can just as easily, if not more easily, break into your IoT device and use it for cryptojacking or mischief/deviance. Because of this, it’s essential to secure your physical IoT device as well as the data you’re collecting.
So what exactly can be done if your IoT device itself is hacked? Well, a lot. First, the information collected from smart devices can be accessed to find out your habits. For example, the cameras from your security system capture when you leave to go to the gym each Tuesday and when you return. If not properly secured, malware could be installed on your security camera and this information could be used to find an ideal time to break in. For businesses, many times there are cameras in board rooms or labs. If these devices were to be hacked, footage or audio from confidential meetings could be sold to a competitor, used for insider trading, publicly released or held for ransom. Non-camera smart devices can also be hacked and used maliciously. If you have a smart lock on your front door or car, hackers could lock you out until you pay a ransom. Also, if you have a smart light bulb and hackers break into it, they could remotely program it to turn it on and off hundreds of times within a few seconds. This would cause the bulb to explode and potentially start a fire.
Because of the severity of some of these examples, some people have called for regulation on IoT devices. However, this probably isn’t the right answer. Regulation could lead to layers of unnecessary security that would increase the cost of a product and also make the device harder to use. Instead it would be much better for IoT users if they started using these two basic but impactful measures to protect their IoT devices.
The most basic yet extremely effective way to protect data is by changing the default password on your IoT device. According to Positive Technologies, a security consulting firm, 15% of IoT users don’t change the default password when setting up their device (http://blog.ptsecurity.com/2017/06/practical-ways-to-misuse-router.html). This same research firm found that the username/password combos of support/support, admin/admin, admin/0000, user/user and root/12345 would get them access to about 10% of all connected consumer devices. That doesn’t sound like a lot until you translate it into real numbers — according to Gartner, there are about 5.2 billion connected consumer devices (https://www.gartner.com/newsroom/id/3598917) – 10% of that is 529 million devices that are essentially unsecured and susceptible to an easy hack.
For extra security, IoT device manufacturers should also give users the ability to change the default admin username. If you think about it, by leaving the username as admin you’re reducing the work of the hacker by 50% in a brute force attack. If your IoT device gives you this option – take it!
Additionally, consumers may want to think about setting up two-factor authentication, such as a fingerprint scan and PIN. This may be unnecessary or cumbersome in some situations, but in others, like on your car, it may be a good idea.
Another way to protect your device is to ensure your router is still cutting it by doing a thorough router audit. Most people purchase a router, set it up, connect their devices to it and forget about it until it breaks. However, most routers purchased over 5 years ago may need to be upgraded to support the multiple phones, Rokus, tablets, smartwatches, thermostats, computers, TVs, baby monitors, etc. that are now connected in most homes. Also, most modern routers allow you to group devices together on separate sub-networks. For example, all security cameras can be on one network behind a very strong firewall while computers that need to transmit data externally can be on another, slightly less secure network. Doing this can also limit the damage if you are hacked. Another feature to check when doing your audit is the router’s firmware or operating system. Make sure it has the latest version installed and is scheduled to be regularly updated. If the firmware is not updated, important security patches could be missing, inviting hackers to sneak into your network. In addition to this, ensure that you’re encrypting data. According to a survey conducted by ESET on 12,000 routers (https://www.welivesecurity.com/2016/10/19/least-15-home-routers-unsecure/), 20% were running on unsecured pathways such as TELNET. Ensure that all data that is being transferred is running on a secure service like HTTPS. Finally, make sure that your password is strong and that you’ve changed your username from “Admin” to something less intuitive.
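One way to run the encryption part of this audit against a router you administer is sketched below. This is an added example, not code from the original post; the address 192.168.1.1 is a placeholder, and FTP, SSH and HTTP are checked in addition to the TELNET and HTTPS services named above.

```python
import socket

# Management services and whether they encrypt traffic. TELNET and HTTPS are
# the two the article names; FTP, SSH and HTTP are added for this example.
SERVICES = {
    21: ("FTP", False),
    22: ("SSH", True),
    23: ("TELNET", False),
    80: ("HTTP", False),
    443: ("HTTPS", True),
}


def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def audit_device(host, services=SERVICES, timeout=1.0):
    """List the management services that answer on a device you administer."""
    return [
        {"port": port, "service": name, "encrypted": encrypted}
        for port, (name, encrypted) in sorted(services.items())
        if port_open(host, port, timeout)
    ]


def needs_attention(findings):
    """Names of reachable services that send logins and data in cleartext."""
    return [f["service"] for f in findings if not f["encrypted"]]


if __name__ == "__main__":
    router = "192.168.1.1"  # assumption: replace with your own router's address
    found = audit_device(router)
    for f in found:
        label = "encrypted" if f["encrypted"] else "PLAINTEXT - disable or replace"
        print(f"{router}:{f['port']} {f['service']}: {label}")
    if not needs_attention(found):
        print("No plaintext management services answered.")
```

An open port 80 is reported even when 443 also answers; check whether it only redirects to HTTPS or serves the login page itself.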
These two tips may seem like common sense; however, they are effective and fast ways to secure your IoT devices without breaking the bank!
For more information on creating a secure IoT solution, please visit our website or email us at firstname.lastname@example.org