Locking Down the Internet of Things (IoT)

With all the news of the Reaper malware that’s infecting Russia and Ukraine, and reminders of the disaster of last year’s Miria botnet, it’s a good time to review basic home network hygiene and best practices for securing the Internet of Things (IoT).

What is the Internet of Things (IoT)?

The Internet of Things, or IoT, is a hot marketing buzzword these days, but what does it really mean? Internet of Things refers to the recent phenomenon of connecting regular, everyday “dumb” devices to the Internet in order to enable cool new features. One of the most popular examples is the Nest Thermostat. Nest (who was bought by Google for $3.2B) created a ‘smart’ replacement for the dreary household HVAC thermostat. Not only was it beautiful and easy to use, it had built-in WiFi and could communicate with Nest’s Internet service. With the help of a smartphone app, Nest owners could monitor and even control the temperature of their homes from anywhere on the planet. Over the last few years, billions of devices have joined the Internet of Things: TVs, garage door openers, baby monitors, watches, appliances, and even light bulbs.

An Army of Robots

What might not be immediately obvious is that every one of these products is also a computer. While computer chips have found their way into all sorts of modern products, putting those computers on a network takes things to an entirely new level. Computers are hackable because they run software, and all software has bugs. But if that computer is not on a network, you have to be have physical access to hack it. Not so with IoT.  Cybersecurity professionals love to say that the “S” in “IoT” stands for security – meaning it has none – and it’s not far from the truth. Cost is a huge issue for most of these devices, and adding proper security adds a lot of cost – both in development and testing, but also hardware cost (faster CPUs, more memory, etc).

So what do you get with a massive influx of insecure computers on the Internet? A hacker’s dream come true. The security flaws in these products are widely known by the hacking community. Also, most of these devices have a special web page where you can configure them. And while most are protected with a user ID and password, these credentials are almost always set to default values, which are also well known. It’s trivial to write malware to exploit these weaknesses and gain control of these IoT devices. And when you have an army of devices you can control from anywhere on the Internet, you have what we call a botnet (shorthand for a ‘network of robots’). Hackers use these innocent-looking devices to do their bidding. One of the more common uses is to direct an unsurmountable wave of requests at some target web site to bring it to its knees – called a Distributed Denial of Service (DDoS) attack. That’s how the Mirai botnet took down a large portion of the Internet last Fall, and the Reaper botnet is poised to wreak similar havoc in the near future.

How Not to be Bot

So what are we to do? How do we keep our wonderful Internet of Things devices from being subverted and conscripted into a botnet? The primary thing we need to all do as consumers is to demand security for all our Internet-connected products. Do your homework, read the labels, compare products based on security and privacy features. Support regulatory or even voluntary initiatives to improve security and provide more transparency. We could really use some sort of Underwriters Laboratory for cyber security and privacy, providing independent analysis and a standardized product ratings. But until then, we need to do what we can on our own.

• Change default passwords. If your device has any sort of administrative interface (probably a web page), change the default login password. Write it down or use a password manager.
• Update the firmware. Not all IoT devices can be updated, which is a massive problem. But if your device has a way to update it’s firmware (which is what we call software that runs on these appliance-type devices), you must to keep it up to date. The admin web page should have a help/info link that will tell you how to check for updates and install them.
• Register your devices. You should go ahead and register these devices online and get on the email lists. This is probably the most reliable way to get notified of bugs that need to be fixed. Yes, this will expose you to marketing crap. You can try to limit the spam by updating your ‘marketing preferences’ to only include security updates.
• Dumb down your devices. If you don’t use the Internet features on your device, then don’t put it on the network at all. For example, most TVs today have an Internet connection because they come with built-in Netflix apps and such. But if you don’t use those features (for example, you use a FireTV, Apple TV or Roku), then you have no reason to plug into into your network or enable WiFi.
• Unplug unused devices. If you have a device you no longer use (or trust), just get rid of it. Or if you use it only rarely, unplug it until you need it. For example, I have a web cam I use to watch my house when we travel. I only plug it in when we actually travel.
• Quarantine your devices. Compromised devices on your network are basically beachheads for hackers within your home network. You can mitigate these risks by putting your IoT devices on your guest network. Don’t have a guest network? Most modern WiFi routers have this capability and it’s easy to set up. It’s a separate network for untrusted devices (including your guest’s devices, hence the name).
• Restart your devices. Some of the malware that infects IoT devices can be cleansed just by powering the device off and back on. Unfortunately, unless you can update the software, it will still be vulnerable to re-attack.

As always, you can find these and over 100 more tips in my book. I also covered the topic of Internet of Things in a wonderful interview with John Graham-Cumming (CTO of Cloudflare) – check it out!