Back before we had nearly universal broadband Internet in our homes, the only safety electrically-powered device that we had to worry about was to replace the batteries in our smoke detectors every six months. With the Internet of Things, we now have a lot more capabilities, but a lot more worries.
Some friends of mine have 23 connected devices to their home network: a Nest thermostat, security cameras, Alexa, smart TVs, network printers, gaming systems, smart watches and their computers. I am sure I have forgotten a few others. All of them can be exploited and used for evil purposes. Think of them as that back door to your home that is wide open.
This exploit for smart TVs was a news item last year. It uses a special digital broadcast signal to gain access to your TV’s firmware. I have been trying to update my firmware for weeks with no success, but I guess hackers are more adept. Still, this is a major concern for IoT devices both in the home and in the workplace. Many device makers don’t have any firmware update mechanism, and those that do don’t make it easy or automatic for users to do it. And devices are usually not monitored on corporate endpoint protection tools, which are usually designed for Windows, Mac and Linux machines.
Part of the problem is that the number of IoT devices continues to climb, with estimates in the tens of billions in the coming years. These devices are seemingly everywhere. And they are an attractive target for hackers. Hajime, Mirai, Reaper, Satori and Amnesia are all IoT-based malware that has been seen in the past couple of years. The hackers understand that once you can discover the IP address of a device, you can probably gain entry to it and use it for evil purposes, such as launching attacks on a corporate target or to leverage access to a corporate network to steal information and funds.
So what can you do? One friend of mine is so concerned about his home network that he runs his own firewall and has two different network-attached storage devices that make copies of his data. This enables him to get rid of having any data on his computers and removes all at-risk programs on them to further secure them. That is probably more than most of us want to do, but still it shows the level of effort that you need to keep things safe.
If you aren’t willing to put this much effort into your home network, here are a few easier steps to take. First, make sure you change all of your devices’ default passwords when you first install them – if you can. Some products have a hard-coded password: if security is a concern, toss them now. Second, if you don’t have a firewall/router on your home network (or if you are using the one supplied by your broadband provider), go out and get one. They now cost less than $100 and are worth it if you can take the time to set them up properly to limit access to your networked devices. Next, make sure your Wifi network is locked down appropriately with the latest protocols and a complex enough password. If you have teenagers, setup a guest network that limits their friends’ access.
Granted, this is still a lot more work than most of us have time or the patience for. And many of us still don’t even replace our smoke detector batteries until they start beeping at us. But many of you will hopefully be motivated to take at least some of these steps.
I have often wondered if any of the routers on the market today would make a good firewall. Google Wifi claims great and automatically updated security (see https://support.google.com/wifi/answer/6309220). I like the idea, but, I am not sure that I want Google to have the ability to sniff every packet that I send.
Do you have any insights
I think you aren’t alone about giving up more data to the Googleplex. I have been using the IQrouter and testing the Phicomm K3 as well. Both make good firewalls and are easily configurable.
We are extremely concerned about the hackability of IoT devices, and for that reason we have very few in our home. We’ve only got the smart TV, and a camera that is part of the ADT Home Security System – it’s an interior camera that photographs anyone coming into the house. We set up a separate guest network just for the TV and the camera, so if anyone hacks into the IoT devices they cannot get to our computers and files. Obviously we have good passwords etcetera on the router. We were dismayed to learn that firmware on our ADT security camera cannot be updated, which is ridiculous.. I’m actually considering getting rid of the camera for that reason. Its only benefit is if someone breaks into the house, I will get a picture of them – but not necessarily one clear enough of their face that the police could use to identify the burglar.
The Arlo cameras from netgear seem better designed and have more security features, if you want to replace your cameras. Yes, it is sad how little focus the vendors have on infosec, even with all the news out there about Mirai etc. Thanks for your note.
David,
I have been a lurker for years on your blog. This article is pretty much worthless. Why don’t you detail some of the basic steps on how to configure said protocols you advertise? Or at least explain what steps you have eluded to that need to be identified? Or is that to much work?
Roger Summers