This week marks the opening week of the annual National Cyber Security Awareness Month (NCSAM). While focusing on cybersecurity is a full-time need, this month enables practitioners to educate the general public around the importance of information security. Throughout October, Digital Shadows will be publishing a series of blogs (listed below), covering weekly themes that highlight how internet-connected devices have impacted our lives and how we can empower users to leverage their role in security by taking steps to reduce their risks.
“Do Your Part. #BeCyberSmart.”
Week 1: If You Connect It, Protect It
Week 2: Securing Devices at Home and Work
Week 3: Securing Internet-Connected Devices in Healthcare
Week 4: The Future of Connected Devices
In Week 1, NCSAM focuses on: “If you connect it, protect it.” While drafting this blog, and as our society has become more digitized, we have found that the line between our online and offline lives has become near indistinguishable. The network of connections we build creates both opportunities and challenges for individuals and organizations across the globe.
Discovering the Internet of Things
The Internet of Things (IoT) consists of billions of physical devices connected to the Internet that gather and share data. From smartphones to toothbrushes, from wearables to industrial sensors, these devices are all around us. Their number will only continue to grow exponentially in the coming years, partially thanks to the gradual deployment of 5G connectivity.
There is no doubt that many of these objects have made our lives easier. Smart assistants and household appliances have started to populate our homes; we use them to book doctor’s appointments, remind us of our meetings, or even alert us when we’re running out of coffee. Simultaneously, the Internet of Things has dramatically improved business development and decision-making, thanks to its ability to provide a significant amount of detailed data that describes the current environment.
That said, the broad deployment of IoT devices in our households, industries, and cities camouflages several security issues that need to be considered. Most cybersecurity vulnerabilities linked to the IoT can be remediated by non-technical users with necessary cyber hygiene precautions. Before delving into those measures, let’s briefly discuss the main risks related to IoT products.
The IoT Attack Surface is Far-Reaching.
While IoT devices have the potential of easing some of our daily tasks, they are also linked with an unprecedented increase in the quantity and quality of the data we share. Medical records, sensitive personal information, and workplace plans are increasingly at risk when collected and shared through unsecured devices connected to the Internet.
One of the main problems with IoT resides behind the likelihood that many manufacturers didn’t develop these devices with security as a priority. Often, product teams are pressured to quickly gain a decent share of this rapidly expanding market and inadvertently sacrifice security.
This issue has made many IoT devices a low-hanging fruit for criminals interested in stealing sensitive data and access exposed networks. Additionally, criminals can exploit vulnerable products, by leveraging their computing power, and orchestrate massive IoT botnet campaigns to disrupt traffic on targeted services to spread malware.
Before we discuss mitigation techniques, let’s explore first common IoT vulnerabilities:
- Default passwords. Manufacturers commonly sell IoT devices with default passwords as their primary, built-in security layer. This authentication tool is considered weak and doesn’t ensure a necessary level of security. Default passwords are often publicly available online and constitute an easy entry point for malicious actors.
- Unpatched and vulnerable. The pace at which manufacturers deploy IoT devices into the wild makes security updates and patches a challenge to manage. While top-tier products are updated continuously, and patches are rolled out, lower-quality ones risk reaching “end-of-life” (a state when older products are not updated anymore by their manufacturer) before their vulnerabilities are securely fixed. Consequently, the IoT landscape is populated with devices rigged with long-known vulnerabilities that risk giving attackers easy access to your network.
- Rogue devices. As IoT products became widespread in our lives, a new trend of connecting them to sensitive networks emerged. Linking vulnerable smart printers and personal fitness trackers to our home or workplace Wi-Fi puts the entire system’s security at risk; it provides criminals with an open door to gain a foothold in the network and move laterally to collect sensitive, proprietary, or personal data. Plus, if these devices are connected without informing the relevant technicians, the risk becomes even more severe.
If you connect it, protect it
Necessary security precautions can go a long way in reducing the risks posed by (and from) your IoT products. Having briefly introduced the main risks linked with the unsecured use of IoT devices, we will now discuss some easy-to-follow mitigation techniques applied by technical and non-technical users:
- Use complex passwords. Ground-breaking, I know, but as mentioned before, IoT items are often delivered to your door with a default password as the primary security layer. The first thing to do would be to follow password best practices and change the password to a unique and complex string. If you are like me and you have an awful memory, consider using a password manager to store them in a secure place.
- Update, update, update. IoT devices need to be updated in the same way that smartphones and laptops do. While our closest devices inform us when they need to be updated, IoT products often require users to take a step further and manually patch them. If you can enable the device to update itself automatically, I recommend that you do so. If the manufacturer has halted the security updates for a product that has reached end-of-life, the best advice would be to replace it with a new one (if possible).
- Don’t forget the apps. One of the IoT’s characterizing features is the massive amount of personal data gathered while using such devices. Smart home appliances, such as light bulbs and speakers, often require users to install an app on their smartphone or tablet. Therefore, it is essential to check whether these apps are legitimate and what security permissions they request. Downloading apps from trusted vendors and limiting the smartphone features they have access to could go a long way in mitigating the risks associated with IoT mobile apps.
- Monitor (and segment) your network. Criminals may leverage unprotected IoT devices to access your network and extract private, sensitive, and confidential information. The simplest way to avoid this issue would be to keep your devices offline. If that’s not an option, consider segmenting your network and creating a parallel access point for your smart appliances.
The cybersecurity issues related to IoT are more pressing than ever. They should be treated with extreme caution as these devices are involved in almost every aspect of our daily lives. The mitigation techniques proposed in this blog are far from constituting a silver bullet against these products’ vulnerabilities, but offer a useful starting point for users interested in monitoring and limiting their attack surface.
For more tips on securing your devices at home and work, keep an eye out for our next piece in our four-part National Cybersecurity Awareness Month blog series!