Secure Your Network 4: Remediate

[This is the 4th and final part of a series – part 1, part 2, part 3]

You’ve made it to the fourth and final step in our quest to secure your home network! So far, we’ve done the following:

  1. Scan. We’ve scoped our efforts by enumerating all the devices on our network.
  2. Simplify. Before spending any time and effort fixing stuff, we stopped to eliminate unneeded stuff.
  3. Assess. We researched the remaining devices: support status, known vulnerabilities and available updates.

The final step is to actually Remediate any issues we found. That’s the subject of this final installment.

Update and Secure Your Router

The most important device on your network – by far – is your home router. Your router is the gateway to the internet, the single point of entry and egress for all your network traffic. (Actually, this is going to change as embedded cellular modems and mobile data services become cheaper, but that’s a discussion for another day.) I would do the following things before doing anything else:

  • Change default admin password. If your home router has a default administrator password, change it to something strong. Ideally, generate a password and save it in your password manager. This password only affects accessing your router’s administration web page, not the devices connected to the router.
  • Change WiFi name. If you live in a densely populated space (like an apartment complex) and/or if you have a reason to mistrust your neighbors or their visitors (perhaps there are a lot of rental properties nearby with frequently changing inhabitants), you might want to change your WiFi network’s name or SSID (the one you see when looking for available networks) to something that doesn’t identify you personally.
    • NOTE! If you change your network name, you’re going to cause all your existing WiFi devices to lose their connection and you will need to reconfigure them with the new WiFi network name.
  • Enable WiFi password. Make sure that a password is required to connect to your WiFi network. This is probably already set up, but make sure that you’re using the best encryption method available – which currently is WPA3. If you have a choice between WPA3 Personal or Enterprise, Personal is probably what you want. WPA2 is okay. But regular WPA (or “WPA1”) and WEP are no longer secure and should not be used. If your router doesn’t support at least WPA2, you should look to upgrade your router.
    • NOTE! If you change your WiFi password, you’re going to cause all your existing WiFi devices to lose their connection and you will need to reconfigure them with the new password.
  • Update router firmware. Firmware is just software for appliances, basically – embedded software. You need to know how to find the current version of your router’s firmware. Do some web searches if you need help, using your router’s make and model (which can usually be found on the back or underside of your router). You can also try to find and download your router’s PDF manual. Some routers have funky “wizards” and other setup applications, but I personally avoid them. You need to know how to use the admin interface. If your router has an option for automatic updating, I would enable it; if not, set a monthly reminder to check for updates manually.
  • Enable firewall. This is probably already enabled by default, but make sure. While most computers have built-in firewalls, they’re not always enabled by default. Most IoT devices have no firewall at all. You really need your router’s firewall to be turned on, which will protect all the devices on your network.
  • Enable Parental Controls. (reader suggested this – look it up)

If your router is provided to you by your ISP, I would take this opportunity to buy your own so that you have full control over the above settings. This will also keep your ISP from potentially snooping on your internet network traffic.

Review Key Security & Privacy Settings

Now take out the list of all your devices from our Scan phase. During the Assess phase, you figured out how to administer the devices – where to find the settings and how to update them. Now it’s time to actually review these settings and make changes. You’ll be looking for sections labeled “Privacy” and/or “Security”. Here are some specific things to check for:

  1. If your device has the ability to automatically install software updates, I would enable this.
  2. If the device’s admin page or app requires a password, make sure that you’ve set a strong password – particularly if you’re using a default password that came with the device.
  3. If there are any settings for “more relevant ads” or “improved customer experience”, that usually translates to “track me”. I would disable these options. These options are almost always defaulted to sharing maximum information.
  4. If your device has any “integrations” with other services or devices, you should review them and make sure that you want to allow them to share information.
  5. Review any permissions you’ve given to the device, such as reporting location, accessing a camera or microphone, and so on. Make sure that they need this access to do what you want them to do for you.
  6. Consider the consequences of this device failing. Some IoT devices will cease to function without cloud support. If they’re dependent on a company that goes out of business or if their servers go offline for some reason, the dependent device may be useless. What impact would that have on you? If the device itself fails or is stolen or damaged, what data or functionality would you lose? Have a backup plan in place for these scenarios.

Every device is different and it’s hard to predict exactly what settings might be available. The above list is a good start, but you should take some time to dig around the settings to see what else you can find. If you’re not sure what a setting does, try doing a web search with the manufacturer or device name and the exact text of the setting. You can also check the manual or support website for the device.

If you have any IoT devices that only require a connection to the internet or between peer devices, I would move them from your main WiFi network to your guest WiFi network. This will isolate these less-secure devices from your more important devices like your smartphones, tablets and computers. Check out this article for help. Another interesting new option offered by some modern routers is to put devices under “parental control”, which could allow you to restrict what sites they can access. You’d have to figure out what sites to block or find a published list of ‘tracking’ sites maybe.

Update Software

For all of the devices whose software is capable of being updated, now is the time to update them. We’ve done the investigatory work already, so you should now go ahead and perform the updates. Again, if the device supports automatic software updates, I would go ahead and enable this. If not, then you’re going to want to note down which devices are going to require manual updates and the process for doing so for future reference.

I would set yourself some sort of reminder for updating your devices’ software. I would honestly check this at least once a month. When software vulnerabilities are discovered for IoT devices, bad guys will begin searching for exploitable devices immediately. That’s why automatic updates are so important. Now, because of the firewall and the NAT function of your router, your devices should not be exposed to direct probing from the internet. This is a critical security function. However, if one device in your network is compromised (including a visiting device using your WiFi), then your other devices could potentially be exposed. And sometimes even devices behind a firewall can be attacked if the servers they’re connecting to are hacked.
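One way to keep the notes described above and turn them into a monthly check, as an added example that is not part of the original article: a small script that reads your device list and reports which devices still use a default password, which IoT devices sit on the main WiFi, and which manual-update devices are overdue for a check. The CSV column names, the sample devices and the simplified rule "every IoT device belongs on the guest network" are assumptions made for this illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real devices). The columns are assumptions:
# network is main|guest, last_checked is YYYY-MM-DD or blank if never checked.
SAMPLE_INVENTORY = """\
name,network,iot,auto_update,default_password,last_checked
router,main,no,yes,no,2024-05-20
laptop,main,no,yes,no,2024-05-28
smart-plug,main,yes,no,no,2024-03-02
doorbell-cam,guest,yes,no,yes,
thermostat,guest,yes,yes,no,2024-05-01
"""

CHECK_INTERVAL_DAYS = 30  # the article's "at least once a month"


def audit(inventory_csv, today):
    """Return {device name: [findings]} for devices that need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        if row["default_password"] == "yes":
            issues.append("still using default admin password")
        if row["iot"] == "yes" and row["network"] == "main":
            issues.append("IoT device on main WiFi; move to guest network")
        if row["auto_update"] != "yes":
            # Devices without automatic updates need a periodic manual check.
            if not row["last_checked"]:
                issues.append("manual updates, never checked")
            else:
                age = (today - date.fromisoformat(row["last_checked"])).days
                if age > CHECK_INTERVAL_DAYS:
                    issues.append(f"manual updates, last checked {age} days ago")
        if issues:
            findings[row["name"]] = issues
    return findings


if __name__ == "__main__":
    # A fixed date keeps the sample output reproducible; use date.today() for real use.
    for name, issues in audit(SAMPLE_INVENTORY, date(2024, 6, 1)).items():
        for issue in issues:
            print(f"{name}: {issue}")
```

To use it on your own network, replace the sample text with the contents of your inventory file and update the last_checked column each time you check a device for updates.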

Review and Re-Scan

Tada! You’re done! If you managed to follow through on all of this, give yourself a huge pat on the back. This stuff is not easy – and it really should be. We need our IoT devices to meet minimum security standards that would make a lot of this work unnecessary: no default passwords, automatic software updates, signed software downloads, and encrypted connections. It’s not as difficult as it sounds, but there are just no financial or legal incentives for manufacturers to incorporate these features today, putting the onus on us.

After you’ve celebrated your achievement, take a few moments to review what you did and what you learned. Take some good notes so that when it comes time to do this again, it will go a lot faster. I would actually just plan to walk through these steps as you add new IoT devices to your network. It’s a lot easier to do this stuff incrementally than all at once.
