Do you trust your smart home?
Much has been written on the subject of IoT (Internet of Things) security, or rather, the lack thereof.
According to research by TrendMicro, as of 2020, the average U.S. household has access to 10 connected (IoT) devices.
When we talk about the Internet of Things, we refer to devices in the following categories:
Smart devices, such as WiFi-connected thermostats, refrigerators, LED fixtures/light bulbs, and generally any Internet-connected device that collects, stores, or sends data to the Internet. These devices are collections of sensors and radios, and may consist of many discrete, individual components, such as 802.11 WiFi radios, temperature and humidity sensors, air pollution sensors, sound meters, and so on.
IoT gateways, which serve as intermediary devices between individual IoT endpoint devices and the Internet. Think of a gateway as a data broker, connecting to smaller, less complex wireless devices and aggregating their data in order to forward it to a cloud service. An IoT gateway may have multiple wireless radios, such as 802.11 (2.4/5GHz) WiFi and 433MHz radios which many household IoT devices use to communicate with one another.
Cloud/on-premise servers, which typically are bigger, more powerful, consume more energy and perform more tasks than single-function IoT devices.
There are broadly accepted 'best practices' with respect to securing Windows and Linux servers and client PCs, as both the Windows and Linux ecosystems are mature and established. That isn't to say Windows and Linux systems administration is less daunting because of these best practices--on the contrary, since most of the world runs on Windows and Linux, these two platforms are constantly targeted by malware.
But what about the Internet of Things? The Internet of Things consists of many thousands of different devices, produced by different manufacturers, with different security standards, different (often proprietary) software, and firmware which may contain actively exploited bugs or other functional issues which may never be fixed by the manufacturer.
Let's consider the following common security issues with IoT devices:
Poor out-of-box security/improperly configured access control: many IoT devices are shipped with the same default user name and password, across every single manufactured device, such as 'admin'/'admin', or 'user'/'password'. The manufacturer may assume that the end user will update these default login credentials, but let's face it, the average person isn't going to do that. Thus, any would-be hacker with a modicum of computer savvy can discover these poorly-secured devices on a user's wireless network and exploit them to gain access to other, sensitive segments of that network.
Root privileges out of the box: another common issue with IoT devices is the single level of account privilege, which grants essentially root-level access to the user who initially sets up the device. This single privilege level is extremely dangerous as it allows an attacker to arbitrarily execute (probably malicious) code and potentially take over other devices on the host network.
Large attack surface: many IoT devices expose multiple services to the Internet, such as an unencrypted web server on port 80, an encrypted web server on port 443, an SSH server on port 22, and so on. The more services a device exposes to the Internet, the more vectors an attacker can utilize to compromise the device or the host network.
Outdated software; potential for no further software/firmware updates: inexpensive IoT devices aren't known for their long software support cycle. Once the device is manufactured, the manufacturer is probably working on their next piece of hardware rather than dedicating necessary resources to updating the software and firmware of their existing devices. This lack of timely software updates contributes immensely to a device's susceptibility to attack; both white and black hat hackers continually probe these devices and the software and firmware that run them for exploits. If an exploit isn't patched and spreads in the wild, devices can and will become compromised, potentially ending up in botnets or infecting networks with ransomware.
Zero encryption: IoT devices are notorious for storing sensitive information on the devices themselves in plaintext--that is, without encryption. IoT devices communicating with one another or with an IoT gateway may also send information in plaintext, which makes a Man-in-the-Middle (MitM) attack trivial to execute. Weak encryption is better than no encryption, but a weak encryption algorithm can potentially be cracked, for example by brute force, opening the device and its host network to attack. Robust encryption is a requirement for a modern IoT device.
Application exploits: applications running on IoT devices can also become vectors for attack. IoT devices are typically just general purpose computers, using off-the-shelf ARM systems-on-chip (SoCs), or low-powered x86 processors made by Intel or AMD. As such, these devices can run a wide array of software, which is worsened by a lack of code-signing enforcement or a trusted execution environment on the device itself. In addition to the vulnerabilities which may exist in the device's firmware and operating system, more vulnerabilities likely exist within the applications that run on the device, creating a system with many possible points of entry for an attacker.
Poor privacy controls: IoT devices, such as security cameras, store and process sensitive video and audio recordings of users' homes and businesses. It's incumbent upon the device manufacturer to ensure the user understands which data is being stored locally, which data is sent to the Internet, how the user can control that data, what the manufacturer will do in the event of an external security breach, and how the user can opt in or out of various cloud services and information sharing the manufacturer may provide. Is this usually the case? No. Privacy controls on modern IoT devices are still a nightmare.
Missing intrusion detection and alerts: if an unauthorized user accesses an IoT device, many devices will fail to alert the user of this intrusion. At this point, the attacker could be accessing sensitive information on the user's network and the user would be none the wiser. This ties into the access control issue we discussed above, and is a crucial component of IoT security.
So what do we do with this information? The first thing you, as the consumer, must do is avail yourself of online resources and vet the companies that make the devices you intend to buy. If you can't get answers to the points outlined above, you shouldn't buy that company's hardware. If the manufacturer can't demonstrate a history of regularly updating their devices' software and firmware, you shouldn't buy from that company. This may limit your choice in devices, but you'll also find reputable manufacturers who do take security seriously, like Cradlepoint and Fortinet (Geek Housecalls is not affiliated with any company mentioned in this article).
Additionally, ensuring your own home network is set up correctly is crucial to IoT security. When deploying IoT devices, best practice is to partition your IoT devices from the rest of your network. How do we accomplish this? By using VLANs (virtual local area networks). Some consumer-grade wireless routers support VLANs out of the box, but this tends to be a more business or enterprise-oriented feature. However, it is very much worth spending the extra money on a business-grade router that supports VLAN functionality. By giving your IoT devices, like your smart thermostat and Internet-connected refrigerator, their own virtual network within your home network, you functionally prevent those devices from being used to attack the rest of your network, should they become compromised by an attacker. For example, using VLANs, an attacker could compromise your WiFi-connected doorbell but he would fail to discover your MacBook or network storage server since they would be connected to a different VLAN. While this is still bad, it's much less bad than the alternative of an attacker using your IoT device as a 'jump box' to the rest of your home network, wreaking havoc in the process.
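The VLAN split described above only isolates devices if the router also refuses to route from the IoT VLAN into the trusted one. The ruleset below is an added example, not taken from any vendor's documentation, for a Linux-based router running nftables; the interface names (wan0, lan0.10, lan0.20) and VLAN IDs are assumptions, and NAT and the router's own input chain are assumed to be configured elsewhere.

```nftables
#!/usr/sbin/nft -f
# Added example: forwarding policy between a trusted VLAN and an IoT VLAN.
# Assumed names: wan0 = Internet uplink, lan0.10 = trusted VLAN 10,
# lan0.20 = IoT VLAN 20. Replace them with your router's interfaces.

define WAN     = "wan0"
define TRUSTED = "lan0.10"
define IOT     = "lan0.20"

table inet home_segments {
    chain forward {
        # Weak setting, for contrast: "policy accept" with no rules below
        # routes freely between VLANs, so the VLAN tags alone isolate nothing.
        type filter hook forward priority 0; policy drop;

        # Let replies through for connections that were allowed to start.
        ct state established,related accept
        ct state invalid drop

        # Trusted devices may reach the Internet and manage IoT devices.
        iifname $TRUSTED oifname $WAN accept
        iifname $TRUSTED oifname $IOT accept

        # IoT devices may reach the Internet (cloud service, updates) only.
        iifname $IOT oifname $WAN accept

        # An IoT device must never open a connection into the trusted VLAN.
        # Logging the attempt gives you the alert the device itself won't.
        iifname $IOT oifname $TRUSTED log prefix "iot-to-lan blocked: " drop

        # Everything else, including unsolicited traffic from the WAN,
        # falls through to the drop policy.
    }
}
```

With this policy a laptop on the trusted VLAN can still open a thermostat's web interface, because the reply traffic matches the established rule, while a compromised doorbell that tries to reach the laptop is dropped and leaves a line in the kernel log.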
Staying on top of security updates is also critical, no matter which IoT devices you use. Manufacturers often provide an 'automatically install updates' option within the user interface of their IoT devices, and this should always be enabled; you may encounter a bug here and there by installing updates as soon as they become available, but this is vastly preferable to delaying updates and potentially being hit with an IoT exploit. Firmware updates are also important. A device's firmware controls how its hardware interacts with its operating system--for example, controlling how a temperature sensor or Bluetooth radio interacts with its built-in software. These low-level functions are critical to the device's proper functioning and staying up to date on firmware ensures any bugs that may affect hardware performance are addressed in a timely fashion.
Of course, managing the ever-growing number of things on our networks can become cumbersome, especially in business environments. That's why Geek Housecalls offers a full suite of IoT security tools and managed network services to ensure your own Internet of Things doesn't run amok. Get in touch today to find out how we can secure your devices, your networks, and give you some much-needed peace of mind.