The Internet of Things (IoT) is anything and everything in the world that is “connected” to the Internet. This can include anything from microwaves to doorbells to your TV; even your hair dryer could be an IoT device. By 2020 there will be over 30 billion IoT devices in use, and many of these devices are susceptible to different vulnerabilities or hacks. Today I want to go over how to protect IoT devices and what you can do to help protect the ones you have in your home, but first I want to go through why IoT is so insecure and susceptible to attacks.
The Insecurity of Things
Just yesterday, a 14-year-old kid released a piece of malware known as Silex. This malware searches the internet for devices running Linux and Unix operating systems and checks whether they still use default passwords or credentials. When Silex is able to get into a device using default credentials, it deletes everything on the storage, removes the firewall settings, and renders the device completely unusable. His reason for doing this was that he was tired of other hackers without skill doing it. You've got to love it when people want to make a point through hacktivism!
IoT is insecure for several reasons. In my opinion, the biggest is that security was not part of the entire development process, but instead was added on after the manufacturer was close to bringing the product to market. Other reasons are: the devices ship with generic configurations and software that was not developed specifically for them; manufacturers use default usernames and passwords like admin & admin; the default configurations are highly insecure; and the software that helps the device work (firmware) contains vulnerabilities that were never patched. If your thinking is along the lines of “I have a firewall at my house, so that makes it OK” or “nothing can get in that I don’t allow,” this is where a false sense of security can start.
In a perfect world, a firewall would be enough, and since your firewall blocks all ports you’d be safe, but with IoT this is not the case. Most internet providers or technicians will configure a protocol called UPnP on your firewall/router by default. This makes life easier and reduces their phone calls: when you plug in a new device, it just works without any additional changes. Unfortunately, this one protocol is where the issues start.
I don’t want to go in depth on UPnP, but basically the protocol allows devices in your network to send a signal to your router/firewall telling it to open a port so that outside devices can get to your new doorbell, toaster, etc. This allows connections back to your new IoT device, but it also opens a hole in your firewall that you’re unaware of.
Basically, your IoT device is hacking you from the inside. This device is inherently insecure, and on top of that it isn’t patched often enough by the vendor.
How to Protect IoT
The only true way to fully secure your home network from these devices is by not having them connected to your network at all. For most of us, we rely on the ease of use and simplicity of IoT on a regular basis so not connecting them is not an option. One other way to better protect yourself is by being an IT professional and securing your network, segmenting off the IoT devices, etc. As many of you aren’t IT professionals this typically isn’t easy either unless you have some high-end equipment, but don’t lose hope. I will be going over ways you can improve your security at your home with these devices enough to feel secure and safe.
IoT Default Configurations
The number one thing that you can do to protect your IoT devices is to change the default configurations. Many of these devices let you change their passwords, and a lot of the time you can do this easily just by looking up a how-to video for the device type. Others have this ability in the settings, and some are locked down so the option is unavailable. This configuration and password change also applies to your wireless devices, firewalls, and other computer equipment you may use. Change your passwords as often as possible, because the passwords the devices come with are often the defaults and can be found online with a simple search.
Update Your Devices
Although not all IoT devices have updates available, many of them do have firmware updates, or the ability to have automatic patches installed. If you’re unsure if your device has an update, you can perform a simple search on the name of the device + firmware patch in your favorite search engine. If you find that there is a manual update that needs to be performed, the manufacturer typically has documentation available on their website on what steps need to be taken to perform this.
Don’t wait for these updates. Install the patch as soon as possible. A lot of the time these updates are necessary because the vulnerabilities being exploited can let someone who knows what they are doing take control of your device.
Finally, you could disable UPnP at your firewall or router and allow ports manually, but this will require a bit of advanced knowledge. If you have an advanced firewall configuration, ports could be opened specifically to the vendors’ websites only, and not to everyone. For many, this will be quite cumbersome and difficult to do. An IT company could handle this for you as well.
Be careful with this step, as quite often you will lose access from the outside to many devices you didn’t realize used UPnP to get you access.
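One way to see which holes UPnP has already opened before you turn it off, as an added example that is not part of the original article: it parses replies in the format of the UPnP Internet Gateway Device `GetGenericPortMappingEntry` action and flags mappings that are open to every remote host or that forward to SSH/Telnet. The replies, IP addresses and the `parse_mapping`/`audit` helpers are constructed for illustration; on a real network the replies would come from your own router.

```python
import xml.etree.ElementTree as ET

# Constructed sample: SOAP replies in the shape a UPnP IGD router returns for
# GetGenericPortMappingEntry, one reply per mapping index.
TEMPLATE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse
    xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost>{0}</NewRemoteHost><NewExternalPort>{1}</NewExternalPort>
<NewProtocol>{2}</NewProtocol><NewInternalPort>{3}</NewInternalPort>
<NewInternalClient>{4}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{5}</NewPortMappingDescription>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE_REPLIES = [
    TEMPLATE.format("", 8443, "TCP", 443, "192.168.1.40", "doorbell"),
    TEMPLATE.format("", 2323, "TCP", 23, "192.168.1.52", "camera"),
    TEMPLATE.format("203.0.113.10", 9000, "TCP", 9000, "192.168.1.60", "tv"),
]
REMOTE_ADMIN_PORTS = {22: "SSH", 23: "Telnet"}

def parse_mapping(soap_xml):
    """Return the New* fields of one port-mapping reply as a dict."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def audit(replies):
    """List (client, external port, reasons) for mappings worth reviewing."""
    findings = []
    for reply in replies:
        m = parse_mapping(reply)
        if m.get("Enabled") != "1":
            continue
        reasons = []
        if not m["RemoteHost"]:  # empty RemoteHost means any Internet host
            reasons.append("open to every remote host")
        service = REMOTE_ADMIN_PORTS.get(int(m["InternalPort"]))
        if service:
            reasons.append(f"exposes {service}")
        if reasons:
            findings.append((m["InternalClient"], int(m["ExternalPort"]), reasons))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_REPLIES))
```

Each flagged internal address is a device that will lose outside access once UPnP is disabled, so it is also the list of devices to check afterwards.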
Another advanced technique that can be performed is to disable SSH/Telnet access to these devices and not allow outside access to these services. Some devices will allow you to do this using some configuration changes, but others will also lock you out. Look up some videos on this and you should be able to find something on it.
Personally, when a device is extremely susceptible to vulnerabilities, and I can’t use one or several of the options above to prevent infiltration, I remove the device from my network. To me, it is not worth getting hacked over a device that cost a few dollars less than the high-end brands. There are so many knock-off, low-end brands in the IoT space right now that we really need to be careful with what we purchase. Our security isn’t worth a few dollars in savings and a lack of support or resolution of issues.
I personally use a firewall at my house that provides this additional layer of security, along with client-side antivirus, and I will have a future article on this subject. Stay tuned!