By Daniel Norman, Senior Solutions Analyst at the ISF
The consumer Internet of Things (IoT) has exploded into the connected world, making domestic life richer, easier and more entertaining. Consumer IoT comprises a set of connected devices that have a discrete function, enabled or supplemented by a data-gathering capability through on-board sensors. In any home or office environment an individual may come into contact with ‘smart’ appliances or devices such as coffee machines, cameras, heating systems, locks, lights, health trackers, refrigerators and TVs, to name a few.
Criticism of IoT security, or the lack thereof, has highlighted serious deficiencies in both the design and implementation of IoT devices. Unfortunately, consumers are critically dependent on device manufacturers for the security of their devices. Rushed and rapid adoption has introduced a number of risks, attracting close attention from threat actors aiming to steal valuable information and disrupt services. However, all hope is not lost: at a consumer level, there are still a few basic techniques that can be used to protect IoT devices from attacks.
While the manufacturer holds a significant proportion of the responsibility for the ongoing security of IoT devices, individuals should always change the default password immediately after buying a device to minimize risk. A large portion of IoT-related breaches have stemmed from the attacker discovering the default password and compromising devices at scale. Consumers who are also concerned about the data the device is gathering, storing and transmitting should always read the device manual and terms and conditions before connecting the device to the Internet.
In many cases an IoT device will omit security controls such as encryption, authentication, certificate management, validation and logging, typically for reasons of design practicality. This leaves the device open to attacks and remote hacking, meaning sensitive data can be exfiltrated. However, some IoT manufacturers are beginning to adopt certification or labelling regimes that define a certain security level. Before purchasing an IoT device, individuals should assess the device itself and see whether or not the manufacturer is adhering to certain standards. As a minimum, the Wi-Fi box to which the IoT device is connected should have robust security in the form of strong passwords.
Updating IoT devices is another real challenge for consumers, mainly because of the inability of manufacturers to communicate with the device owner. The lack of visual interfaces means that many devices are left unpatched and insecure out of the box. Vulnerability management can be difficult for consumers to stay on top of if they don’t know the vulnerability exists in the first place. Consumers should try to invest in IoT devices where the manufacturer updates or patches the device automatically. If this is impossible, then individuals should proactively seek out vulnerability forums online and regularly assess whether exploits and vulnerabilities have been exposed in the media.
Greater regulatory and media scrutiny will likely force IoT manufacturers to build security into new devices from the outset. However, with a significant number of IoT devices already in circulation, connected and on the market, users have a real responsibility to proactively protect their devices and the information they can access.