By Larry Trowell, principal consultant at Synopsys
This Halloween season, in celebration of National Cyber Security Awareness Month, I’d like to introduce you to a few unwelcome trick-or-treaters you may meet. But don’t look out the window for them; they may already be inside your home, hiding in the Internet of Things (IoT).
The IoT is the entire network of devices that have the technology and protocols to collect and share data: smartphones, cars, thermostats, smart appliances, cameras, home assistants, fitness devices, and anything else with a network connection.
Of course, with network connectivity comes potential insecurity. Let’s address some of the more common IoT security concerns (or security monsters, as I like to festively think of them) that you should deal with now—before it’s too late.
Fight zombie botnets with consistent maintenance
Whenever the relationship between IoT and security comes up, the term “botnet” is never far behind. A botnet is a collection of IoT devices under a cyber criminal’s control. With names like Windigo, Kraken, and Reaper, it’s easy to see that the creators of these botnets have some appreciation for the similarity between their craft and the monster stereotypes of old.
Much like the classic horror movie zombies, these scary beasts are the living dead—that is, outdated IoT devices that you’ve set up in your home and then forgotten about. Without regular firmware updates, your devices could be filled to the brim with known software vulnerabilities, which botnet creators use to gain control of them.
In order to rid yourself of these unwanted pests, drop the salt and spend some time updating your network-connected devices. That includes phone updates you’ve been postponing for a while. If your devices haven’t prompted you to update recently, check with online resources like https://cve.mitre.org/ to determine if there are any known risks in running your devices.
Defeat any poltergeists in your home with passwords
The next monster I’d like to tell you about is reminiscent of the 1982 classic film Poltergeist, where a series of physical disturbances at home turn the lives of one family upside down. In our case, we’re focusing on issues of authentication, where your devices and accounts let someone else in after thinking it’s you. Let’s look at how to avoid this misleading phantom.
You’re probably familiar with connected devices that use default passwords during their initial setup, right? This is an authentication issue—if you don’t change the password, anyone can assume your identity by using the default.
In some cases, there are more severe security concerns. Several years ago, a consumer set up a security camera in their home, found that it didn’t meet their needs, and returned it to the store, where it was resold to someone else. Sounds like a perfectly standard procedure, right? It turns out that the back-end system that controlled the camera could not remove the original owner from the account. For all intents and purposes, the original owner had full access to the new user’s video feed. The new owner may have felt as if they had a cursed camera watching over their home—which isn’t so far from the truth.
Authorization is a similar concern when it comes to IoT devices. (Authentication refers to confirming the identity of a valid user; authorization refers to granting a user some level of access.) Let’s take CloudPets as an example. CloudPets are stuffed animal toys for children that also conveniently use both cloud and Bluetooth technologies. The issue? If they don’t have a current Bluetooth connection, they allow any Bluetooth device to connect as an authorized user.
If your child has a smart toy, you should actively work to protect it from cyber misuse. The most important step is to change all default passwords. Whether or not a device or account asks for it, use a minimum of nine characters in every password. It’s also important to use uppercase and lowercase letters, numbers, and special characters.
Next, you’ll also want to learn where your data goes and who has access to it. If your devices use Bluetooth or other wireless protocols, find out how they connect and whether they require an access code or physical contact with another device before connecting to it.
Finally, if you use smart assistant devices such as Amazon Echo or Google Home, place a voice code on your device. You’ll be happy you did the next time your device thinks that it hears the phrases “Alexa” and “buy 20 CloudPets.” Just trust me on that one.
Banish network ghosts by leveraging guest networks
The final fiendish monster with a tale to share with you all today involves something of a ghost. One thing to remember is that most of your smart devices get their intelligence by being connected to a network—your network. You know, the one with all your other devices on it, like your computer, hard drive, and other devices with sensitive data. If an attacker gains access to your devices, by whatever means they have up their sleeve, they also gain access to your network. It’s pretty much a package deal.
The solution isn’t to call the Ghostbusters (I wish it were the case, however) but to use a feature of many new routers that you’ve probably overlooked. That feature is to create a guest network, one that not just your friends can use but your devices can too. This way, if your devices are compromised, hackers have access only to the smaller network and will be isolated from the data you’ve worked so hard to protect.
Heed my words and follow these simple pieces of advice to keep your home free of unwanted guests during the spookiest time of year.