How To Protect IoT – All About Internet of Things

How to Protect IoT - All About Internet Of Things

How to Protect IoT - All About Internet of ThingsThe Internet of Things (IoT) is anything and everything in the world that is “connected” to the Internet. This can include anything from Microwaves, to Doorbells, to your TV, even your Hair Dryer could be an IoT device. By 2020 there will be over 30 billion IoT devices in use and many of these devices are susceptible to different vulnerabilities or hacks. Today I want to go over how to protect IoT devices and what you can do to help protect the ones you have in your home, but first I want to go through why IoT is so insecure and susceptible to attacks.

The Insecurity of Things

Just yesterday, a 14-year-old kid released a piece of malware known as Silex. This malware searched the internet for devices running Linux and Unix operating systems and targets them to see if they have default passwords or credentials. When Silex was able to get into the device using default credentials, it deletes everything on the storage, removes the firewall settings on the devices, and then completely renders the device unusable. The reason for doing this was he was tired of other hackers without skill doing it. You got to love it when people want to make a point through hacktivism!

IoT is insecure for several reasons. In my opinion, the biggest is that security was not part of the entire development process, but instead was added on after the manufacturer was close to bringing the product to market. Other reasons are: the devices have generic configurations and software that was not developed specifically for it, the manufacturer uses default usernames & passwords like admin & admin, have default configurations that are highly insecure, and the software that helps the device work (firmware) has vulnerabilities included in it that were never patched. If your thinking is along the lines of “I have a firewall at my house so that makes it ok or nothing can get in I don’t allow,” this is where a false sense of security can start.

In a perfect world, a firewall would be enough and since your firewall blocks all ports, you’d be safe, but with IoT this is not the case. Most internet providers, or technicians will configure a protocol called UPnP on your firewall/router by default. This is to make life easier and reduce their phone calls when you plug in a new device, so it just works without any additional changes, but unfortunately this one protocol is where the issues start.

I don’t want to go in depth on UPnP, but basically the protocol allows devices in your network to send a signal to your router/firewall, and tells it to open a port so that outside devices can get to your new doorbell, toaster, etc. This allows connection back to your new IoT device, but also opens a hole in your firewall that you’re unaware has been done.

Basically, your IoT device is hacking you from the inside. This device is inherently insecure, and on top of that it isn’t patched often enough by the vendor.

How to Protect IoT

IoT CamerasThe only true way to fully secure your home network from these devices is by not having them connected to your network at all. For most of us, we rely on the ease of use and simplicity of IoT on a regular basis so not connecting them is not an option. One other way to better protect yourself is by being an IT professional and securing your network, segmenting off the IoT devices, etc. As many of you aren’t IT professionals this typically isn’t easy either unless you have some high-end equipment, but don’t lose hope. I will be going over ways you can improve your security at your home with these devices enough to feel secure and safe.

IoT Default Configurations

The number one thing that you can do to protect your IoT devices is to change the default configurations. Many of these devices can change their passwords, and a lot of times you can do this easily just by looking up a how-to video for the device type. Others have this ability in the settings, and some are locked down and unavailable. This configuration and password change include your wireless devices, firewalls, and other computer equipment you may use. Change your passwords as often as possible, as many times the passwords that are given are the defaults and can be found online with a simple search.

Update Your Devices

Although not all IoT devices have updates available, many of them do have firmware updates, or the ability to have automatic patches installed. If you’re unsure if your device has an update, you can perform a simple search on the name of the device + firmware patch in your favorite search engine. If you find that there is a manual update that needs to be performed, the manufacturer typically has documentation available on their website on what steps need to be taken to perform this.

Don’t wait for these updates. Install the patch as soon as possible. A lot of times these updates are necessary as vulnerabilities being used can let someone who knows what they are doing take control of your device.

Disable UPnP

Finally, you could disable UPnP at your firewall or router and allow ports manually, but this will require a bit of advanced knowledge. Ports could be opened specifically to the vendors websites only, and not to everyone if you have an advanced firewall configuration. For many, this will be quite cumbersome and difficult to do. An IT company could handle this for you as well.

Be careful with this step, as quite often you will lose access from the outside to many devices you didn’t realize used UPnP to get you access.

Disable SSH/Telnet

Another advanced technique that can be performed is to disable SSH/Telnet access to these devices and not allow outside access to these services. Some devices will allow you to do this using some configuration changes, but others will also lock you out. Look up some videos on this and you should be able to find something on it.

Final option

Personally, when a device is extremely susceptible to vulnerabilities, and I can’t take any or multiple of the options above to prevent infiltration, I remove the device from my network. To me, it is not worth getting hacked over a device that cost a few dollars less than the high-end brands. There are so many knock-off low end brands in the IoT space right now, that we need to really be careful with what we purchase. Our security isn’t worth a few dollar savings, and lack of support or resolution of issues.

I personally use a firewall at my house that provides this additional layer of security, and client side antivirus but will have a future article on this subject. Stay tuned!

If you liked this article, comment below and subscribe to my newsletter for more like this and tips/tricks to protect your security.

Please follow and like us:
error

About Don

Don has been in the IT industry for just over 20 years and has been working with Cyber Security for over 10 years. He holds many certifications including CISSP, CEH, and CHFI.

View all posts by Don →

8 Comments on “How To Protect IoT – All About Internet of Things”

  1. Thank you for this post.   Until recently, I lived in a rural area with poor internet service so I did not have to worry too much about the “insecurity of things.”   Yet, I am know in a position that I am planning on moving towards a smart home and video security system that allows me to see what is going on via my cell phone.     

    Hopefully, as IoT becomes even more prevalent, it will be easier to implement security measures.   Yet, at the same time, I will miss the convenience of just plugging something in and having it work.   

    Thanks for sharing the story about the 14 year old hacker also.  For some reason, it is interesting reading about what motivates these kids and these people to do their hacking.   

  2. This is an excellent post that is so pertinent today with the advent of the many devices that are helping us run our homes from the kitchen to the laundry, from the heat and cooling devices to the security systems we all have these days. As we have seen, there are vulnerabilities.

    If the big companies are having breaches with their security and experiencing hacking into their systems, we can expect that the same can happen to any household that is tapping into the IOT (internet of things), and most households have at least a few devices connected.

    Security is a major issue for us all these days. You have provided some very solid tips and advice on steps we all can take to ensure that we have protection. Some I was familiar with but there were also quite a few steps that are new to me. I thank you for the education and will be back, as I and our company do need to protect ourselves and you know what you are talking about!

    Are there security specialists that focus on this kind of service for home and small business owners? I would almost rather hire an expert to make sure that I have taken all the necessary steps to protect our home and business. If there are such services, what should I expect to pay? 

      

    1. Thanks Dave, i’m glad you found my post helpful! Yes there are definitely security specialists, you can look for consultants in your area, doing a search should come up with some local people. Most consultants will charge about $75-$125 an hour. Whatever you do, stay away from Craig’s List!

      Don

  3. I was an electronics engineer and I do understand that IoT is an exciting phenomenon. But as you said, the security on the devices is greatly lacking, compared to its flexibility. I wouldn’t want someone eavesdropping on my home from security flaws in the device. I’ll do just like you suggested, remove devices that are particularly risky.

    Thanks for spreading the words. We need to be realistic.

    1. Thanks for giving your thoughts on the topic Kenny! IoT is definitely going to just get worse over the next few years.
      Don

  4. Hi Don,
    Thanks for informing us about how the Internet of Things is actually less secure than most people could realize. Peter Diamandis helped introduce me to the concept a while back and it’s rather fascinating.

    I don’t know much about the technical side of IoT devices and hacking, but just this one post is already helping me to learn more.

    I love that you gave us specific tips about the firmware updates and UPnP! I may come back to your post in the future when I potentially acquire more IoT devices.

    Have fun!
    Ben

    1. Thanks Ben,

      Glad it was helpful, and hope you can find some additional useful information on my posts 🙂 Let me know if you need anything else, or if you ever have any questions. I’ll have to check out Peter Diamandis, never heard of him. Thanks for the tip!

      Don

Leave a Reply

Your email address will not be published. Required fields are marked *