The Internet of Things (IoT) adds so much to your home comforts. By using smart devices which connect to the internet, you can make your coffee ready for when you get up and get your oven to heat your dinner up for when you get home. You can control the temperature and air quality, lock the doors, and even keep an eye on the house while you're away all from your smartphone.
However, IoT also means that your fridge, coffee machine, heating system, and car all store personal data. In fact, every connected IoT device is a data collector. So, unless you want other people to know all about the way you live your life, you'll need to secure each device. You'll need to secure your network, but you'll also need to ensure there are no weak links in the network by checking that each individual device is secure.
There are over 7 billion IoT devices out in the world today, and they present a tempting target for cybercriminals. If your home is wired, you need to protect it, and this article will explain how.
Potential risks to your IoT smart home
There's not yet any global organization to define IoT device security standards. There's relatively little regulation applied to IoT devices; the authorities are concerned that your fridge is electrically safe and energy-efficient, but they haven't gotten around to worrying about whether it's doing a good job of protecting your privacy.
Because the Internet of Things is growing so fast, there's a lot of pressure on manufacturers to take advantage of that growth by getting as many products on the market as they can. Some devices are rushed out without paying adequate attention to IoT security issues. When devices are superseded by new products, manufacturers don't always make much effort to support them with security patches. That's a stark contrast to computer hardware and software, where you'd expect regular updates to address security vulnerabilities and improve operations.
But hackers are always busy and new threats are always emerging, so a five-year-old security camera or even a six-month-old smart TV could have a well-known vulnerability. That means even quite inexperienced hackers can find an exploit on the internet that they can then use to get into your network.
There have already been several cases of hackers managing to control webcams, cameras on laptops, and baby monitors. But a cybercriminal could also:
- access your heating and lighting systems to find out if you're away from home.
- access your passwords or even your bank account through information you shared with a digital assistant like Amazon Echo through voice commands.
- get into your network through an IoT device and launch a ransomware attack making your IoT smart home unusable unless you pay up.
- use your devices as bots to deliver computing power for a DDOS attack, click fraud, or password cracking, or to send out spam or mine cryptocurrency.
The scale of botnets can be devastating. The Mirai botnet hacked into IoT devices as long ago as 2016 and managed to create a swarm of 100,000 hijacked IoT devices. Each device might have been weak in computing power, but put 100,000 together, and you've got some serious resources to work with.
Mirai used a classic vulnerability: the fact that owners had left the default factory usernames and passwords on the devices, making them easy to take over. It then launched a DDOS attack that brought down domain registration services provider Dyn.
Mirai's original creators were tracked down and put behind bars. But Mirai is still mutating — and it's still a threat.
Securing IoT networks and devices
First off, lock the front door - that is, secure your router. If a hacker gets control of your router, they'll be able to control your network and that means they can control any device in your house, from the door locks to your computer.
- Change the name and password of the router. Don't use default settings. Routers are often named after the manufacturer or the network that you're using - that gives hackers an important clue to how to get access. It's also a good idea to avoid using your own name, or your address - again, useful clues to someone who's trying to get into your network.
- Use strong passwords, that is, random passwords containing a mix of letters, characters and symbols.
- Avoid using public Wi-Fi when you're accessing your IoT network through your laptop or smartphone. It's relatively easy to break into the kinds of Wi-Fi networks offered in many coffee shops and hotels. Use a Virtual Private Network (VPN) like Kaspersky's VPN Secure Connection. A VPN gives you a private, encrypted gateway to the internet and stops eavesdroppers from being able to intercept your communications.
- Start using guest networks. It's a great idea to use a guest network for visitors who want to use your Wi-Fi at home; it doesn't give them access to the main network or to your email and other accounts. You can also use a guest network for your IoT devices. That means even if a hacker compromises one of your devices, they will be stuck in the guest network — they won't be able to get control of your main internet access.
- Use a strong encryption method like WPA for Wi-Fi access.
- Take special care to secure the top-level control of your IoT network. It's not a bad idea to use two-factor authentication, using biometrics, a pass card or a dongle to ensure that a hacker won't be able to produce both proofs of identity required.
Once the network and access methods are secure, you need to put some work into securing each individual IoT device. Again, changing the default username and password is your best first move. If a device doesn't let you do this, it's a glaring hole in your defenses — buy a different device. In fact, when you're buying smart home devices, you should take IoT device security issues into account when you're making a purchase decision, rather than just looking at the functionality.
Each of your IoT devices also needs a different password. Hackers typically break into a network from one device and then try to expand their control to other devices. If all your IoT fridges and coffee makers have different names from the heating controls and the door locks, a hacker will find expanding their footprint in your IoT network next to impossible.
Now check the default security and privacy settings. If there's something you don't want the device to be able to do, or to record, you may be able to disable it. You may decide that you want the microphones on some devices switched off, for instance, if you don't want to use voice control on them. That will stop anyone listening in on your conversations.
Disabling features, you don't want reduces the security risk of leaving remote access or voice control open. You may decide that some devices aren't worth connecting. If internet connectivity doesn't add a positive benefit, you can simply turn it off.
There's another feature that you should turn off, and that's Universal Plug and Play (UPnP). This is intended to help devices automatically discover each other, a bit like Plug and Play on a PC which can automatically install peripherals, such as printers and external drives. But you're probably not going to move your devices around a whole lot, so UPnP probably isn't very useful. On the other hand, it's a big security risk, as vulnerabilities in the protocol can help hackers discover the devices from outside the network.
Maintaining your IoT devices
Your smart home will save you some time and effort. But you need to reserve a bit of time for maintaining it properly as part of your IoT device security strategy.
Every device needs its firmware kept up to date. When you're installing devices, it's a good idea to bookmark the manufacturer's web page so you can easily check for updates to the device's firmware and software. If you're lucky, there will be an email alert or even automatic updates; if not, you'll have to search.
Be careful what you connect - the dangers of smart speakers
Some IoT devices are quite limited and only connect to your control network. Others are considerably smarter. And the smarter they are, the bigger the risk.
So be careful what you connect. Smart speakers are a particular security risk. For example, if your security cameras and locks are connected to your voice assistant, an intruder could simply yell "Okay Google, open the doors" and get access to the house. If that sounds unrealistic, consider that Burger King ran an ad that deliberately activated Google Home speakers and prompted them to tell their owners about the Whopper Burger. Google eventually blocked the ad.
Though annoying, the BK exploit was harmless. But it highlights a vulnerability that is real — and one that could be used for criminal purposes.
Hacks have also been discovered to enable the speakers to continue listening after a question has been asked, recording conversations to deliver it to an eavesdropper. So, it may be a good idea to keep your security system on a separate network to which your voice assistant doesn't have access. You might also want to keep access to your bank account well away from the device.
Remember that smart speakers and other devices store data about you and your personal behavior. It's worth tracking down where this data is stored and the purposes for which it can be used (the service should come with a privacy statement). It's also worth knowing how to delete data that you don't want to be kept.
With Amazon and Google, you can delete the data easily. For Amazon, use your Alexa app to go to Settings and look at History to see what's on file; you can purge individual requests or just delete all of them. Google Assistant recordings can be inspected and deleted through your Google Account. It might well be a good idea to run a purge on a regular basis.
Smart TVs can also hold a lot of data about what you're watching. In 2017, TV maker Vizio was fined by the FTC for tracking TV owners' viewing habits and then selling the information to advertisers. It's easy enough to hack some smart TVs, too. So, if Vizio was collecting that information, it's quite possible that hackers could also have gotten hold of the data. Now that TVs and internet networks intersect, smart TVs could also pose a threat to your data privacy on other accounts. Make sure you read the manual, as you may be able to turn off tracking. You should also consider whether isolating the TV to its own network is a good idea.