Securing smart devices
KEEPING YOUR IOT DEVICES SAFE FROM HACKERS.
HOW MANY SMART devices do you have in your house? We’re betting there’s at least one – your internet router – but there are probably a few others as well. Do you own a smart TV, one that connects to the internet and can watch Netflix or YouTube? A gaming console? A digital video recorder? A network media player or network attached storage device? A camera used for security or baby monitoring? A voice assistant? Any appliance with internet connectivity? Home automation switches and controllers?
Here’s the thing: these kinds of devices are awesome, and the additional functionality offered by connecting them to the network can be amazing. But they do present significant security risks, especially because they’re often designed to favour convenience over security. PCs and mobiles, following years of experience, tend to have additional layers of security built in, but many smart devices (also known as internet of things or IoT devices) have very little to protect them, and users often forget about them as a vulnerability.
Consequently, attacks on IoT devices are growing every year. The Mirai botnet – which is still a threat – very successfully attacked millions of smart devices, allowing hackers to take control of them and use them for denial of service attacks. Similarly, the VPNFilter malware last year took control of thousands of unsecured routers, allowing the hackers to monitor and modify internet traffic.
MAKE SURE YOUR WI-FI NETWORK IS SECURE
Obviously making your wireless network as secure as possible is important in any case, but it becomes especially so when you’re talking about smart devices. Often, your network security is the only thing between your devices and a hacker. That means: * Making sure you’re using WPA2 or WPA3 security. * Changing the password to a good password (a string of random numbers and letters). * Disabling WPS (Wi-Fi Protected Setup), which is a vulnerability in many routers. * Creating a guest network with a different password. This means that the password to your main wireless network will not be floating around on the computers and mobiles of other people.
PASSWORDS, PASSWORDS, PASSWORDS
This is the biggie. Unfortunately, too many people are inclined to leave the factory default passwords on their smart devices, making them extremely vulnerable to attack. And those that
do change the password often use an insecure one – like a dictionary word, number sequence or simple phrase – and then go and use the same password for every device.
The Mirai and VPNFilter outbreaks we mentioned earlier? All these attacks really did is try out the factory default password on millions of connected devices and in doing so found a rich vein of devices that never had their passwords changed.
So, it is absolutely critical that for every device that allows it, you need to check and change the password from the default immediately. Each device should have a good password – that is a string of random numbers and letters at least ten characters long – and each device’s password should be unique (you can guarantee: if a hacker cracks one device, they’re going to try them all with the same password).
This also applies to any cloud services associated with devices. Many devices have a linked cloud service; for example, IP cameras will link to a cloud service that will allow you to view their stream across the internet, while NAS devices might link to a remote access cloud service. First, you should disable any cloud services that you don’t use; second, each cloud service login should be unique. Remember that these cloud services offer a way past your firewall and into your home network for attackers, and if one is compromised then your entire network can be vulnerable.
Of course, no human can remember dozens of strings of random numbers and letters, so it’s pretty much essential to use a password manager. You can use a cloud service like LastPass ( www.lastpass.com) or Dashlane ( www.dashlane.com) or one or several dozen other options. If you’re not keen on a cloud service for your passwords, we can recommend KeePass ( keepass.info), which keeps all data local.
UPDATING THE FIRMWARE
The software that runs smart devices can be and often is updated to add new features and, more importantly, address security problems. The frequency of such updates varies by device – NAS devices, for example tend to update quite frequently, while IP cameras or routers might update once every six months or so.
Every few months you should run an audit on your smart devices to see if updates are available. In many cases they won’t update automatically and will require manual intervention from you to approve or initiate it. Log into the device’s settings and check for updates.
SETUP IMMEDIATELY AFTER CONNECTING
When they’re shipped, many smart devices default to an open mode, designed to allow easy setup. It’s only once the setup process is complete that security is applied. So don’t plug a device in and leave it for hours or days before you actually get around to running the setup app. Have the app ready to go and run it immediately.
CHANGING OR DISABLING VOICE COMMANDS
Over in this month’s Home Networking column, we talked about how you can use a voice assistant to automate your home. This is some really cool tech, but you do have to consider the security implications. If you allow your front or garage door’s smart lock to be controlled by a voice command, what’s to stop a criminal calling “Alexa, open the front door”? If anybody can take control of your devices with a voice command, then they might be able to easily access private information or trigger events that you don’t want them to. There are even special kinds of attacks called Dolphin Attacks, where commands are hidden in the white noise on YouTube and other streaming videos; you can’t hear them, but your voice assistant can.
The automation tools provided by Amazon, Apple and Google do allow you set custom voice commands as well as turn them off. Have a think about what you’re enabling access to with just voice commands. Can somebody access your calendar or GPS information? Could you be accidentally (or deliberately) recorded? Can they access a smart lock, or enable or disable a camera?
Even more so than other smart devices, voice assistants are a major attack vector, especially when they’re given access to a lot of information or control of other devices. So be careful what you connect with them!