Internet of Things

What is "The Internet of Things?" Is it good? Is it bad?

What does a TV, a pacemaker, a smoke detector and a coffee machine have in common?  They all can be connected to the internet! These kind of internet connected devices are often referred to as “smart” devices but in the InfoSec community they are collectively referred to as the Internet of Things (IoT).

IoT devices are everywhere and their numbers are constantly growing. Gartner, a leading research company, estimates that 8.4 billion IoT devices will be in use in 2017. That’s 31% more than in 2016. Moreover, they expect that number to grow to 20.4 billion by 2020!

IoT devices make our lives easier and enhance our entertainment experiences every day, so it’s pretty easy to see why their numbers are growing so rapidly. It seems safe to assume that they will continue to be a part of our world for years to come. But are we using these devices in a safe and secure way?

The fact is, most IoT devices are designed and manufactured with very little or even zero attention on cybersecurity. Unfortunately, these devices can have a huge impact on the security of the networks they connect to and the users on those networks. Like computers, IoT devices can be infected with malware and in many cases they are the easiest point of entry for cybercriminals to exploit when attempting to gain access to a business or home network.

Did you know that the infamous Target credit card breach happened because the attackers got into Target’s computer network through the “connected” thermostats in their stores?  Similar attacks have been demonstrated through coffee makers, smart TVs, web cams and many other IoT devices. The truth is, exploits become increasingly unique exploits every day.

So what can we do to protect ourselves when it comes to IoT devices?

If you don’t need it, don’t connect it

All these devices are cool but the best way to protect yourself is to make sure that you don’t connect smart devices to your network at home or at work if you don’t need them. Any connected device makes your network’s “attack surface” a little bit larger and therefore easier to breach. The “if you don’t need it, don’t connect it” principle applies best when it comes to the work environment. If it isn’t necessary for work-related duties, don’t connect it to the network. It’s also a really good idea to get permission from your employer (preferably in writing) before connecting anything to the network at work. In some cases, it could be a breach of policy and you could be held liable if there are adverse consequences.

Ok, but what if you do need the smart device or… you just want it reeeeeeal bad ‘cause it’s zo kewl?

Change the IoT device’s default settings

IoT devices vary, but they all have settings that you can adjust to make them more secure. Most will have some kind of default administrator username and password that you should change. Learn how to create a strong password. There may also be other settings that will allow you to limit the device to use only select features or possibly to limit the access the device has to the internet. The best thing to do is to Google each device and learn as much as you can about how to operate it securely.

Consider connecting the IoT device to a guest network

Guest networks have built in features to prevent devices from talking to each other over the network to which they are connected. Why would you want to do that, you ask?  Aren’t these devices “smart” because they connect to other devices, you ask?  Well, yes. But actually, many IoT devices that you can control with your phone, for example, don’t actually communicate directly with your phone. They often will communicate with your phone through a server owned by the company that made the IoT device. This server is not going to be on your network. A lot of the time the devices do not need to be able to communicate with other devices in your network. Limiting this kind of cross-talk can be beneficial because it will prevent the spread of malware or the movement of an attacker from device to device within your network. Most Wi-Fi devices will allow you to set up a guest network easily.

Add firewall rules to restrict access

This is kind of an advanced move but if you’re up for it, it can really improve your IoT device security. Figure out what internet “ports” need to be open for your IoT device to operate properly and then close all of the ports that do not need to be open. You may also want to consider adding firewall rules that allow the device to connect only to the servers that they need. A great deal of the known IoT exploits take advantage of the fact that manufacturers leave unnecessary ports open (remember what we said about how security is not a factor when they make these things?). Leaving an unused port open is like leaving a first floor window open in your house. Doesn’t matter if you lock your front door if you’re gonna leave a window wide open! So close ‘em!!