Before a global IoT disaster strikes, we need to review consumer culture, government regulation, habits and manufacturer mindsets urgently.
Ironically enough, the good news about the atrocious security of Internet of Things (IoT) devices might be that the bad news is getting a higher profile.
Stories about security cameras getting hacked, with attackers taunting users or trying to get children to say or do twisted things, are not just being covered in security blogs. They are headlines in mainstream newspapers and highlights on evening news shows.
Awareness is not expertise
All of this helps to promote awareness. Word is spreading beyond security conferences to the general public that the Internet of Things (IoT), while providing endless entertainment, magical convenience, lifesaving medical support, and more, is also the biggest cyberattack surface in the world.
It is fast becoming what many now call the Internet of Everything (IoE), and if consumers become more aware that the dazzling features of those devices come with risks, that is a good thing.
That does not mean the problem is solved, however—not even close. Awareness does not mean expertise. Users might know that compromised smart home devices could allow attackers to unlock their doors or spy on them and their children, but that does not mean they know how to harden the security of those devices or their home networks.
Indeed, it is a stretch to expect they would. When it comes to cars, all drivers know how to operate the brakes. But that does not mean they have the expertise to analyse whether the brakes are safe when they drive their new car off the lot. They assume (as they should, given automotive safety standards) that the brakes will work.
We are not there with IoT devices.
Recommendations for smart device users
A recent advisory from an Oregon FBI office on “building a digital defense in your Internet of Things” offers an example. It noted that in addition to smart TVs, homeowners should be aware of “everything else in your home that connects to the world wide web … digital assistants, smart watches, fitness trackers, home security devices, thermostats, refrigerators, and even light bulbs.”
Among the agency’s recommendations:
- Change the default password. A simple internet search should tell you how. If you cannot find the information, consider buying another product.
- Make the passwords as long as possible and unique for each IoT device.
- Restrict any supporting apps. Many connected devices are supported by mobile apps on your phone. These apps could be running in the background and using default permissions that you never realized you approved. So, find out what information those apps are collecting and say “no” to privilege requests that do not make sense.
- Segregate your IoT network. Your refrigerator and laptop should not be on the same network. Keep your most private, sensitive data on a separate system from your other IoT devices.
- Make sure all your devices are updated regularly. If automatic updates are available for firmware, software, hardware, and operating systems, turn them on.