Door locks, coffee machines, security cameras, dryers, alarm clocks, and thermostats. At first glance it is difficult to discern what these devices have in common from an end customer’s point of view. In previous years, some of these devices would not have shared much in common at all. Now, however, almost every industry is selling Internet-connected devices that automate processes within the home and workplace. With the flood of devices coming onto the market, it is important to understand how these devices can affect the security posture of the individuals purchasing them.
Due to the large number of manufacturers rushing to connect their devices to the Internet, security features on IoT devices are highly variable. While there are steps being taken to standardise IoT frameworks, the high variability of security across devices at present makes it difficult for consumers to determine their security posture. As a result, organisations and people alike can be caught out owning, and potentially relying on, a device that is vulnerable to manipulation.
For example, a Wi-Fi connected printer increases the attack surface of a home network because it can be reached from outside the network. Printers can be vulnerable due to insufficient authentication or authorisation, they may expose personally identifiable information publicly, or they may run insecure software. If proper controls are not in place, the printer can become a gateway: an attacker can deploy malicious software on it, or use it as a pivot point to attack the rest of the network.
A number of strategies can be employed to harden the security posture of IoT devices within the home. The following is by no means an exhaustive list, but it does provide a high-level overview of how one can protect their IoT devices in the home:
Embrace Network Segmentation and Segregation
Network segmentation involves splitting your network into a number of sub-networks, which impedes lateral movement through the network. Network segregation involves placing rules on which devices can communicate with each other. If IoT devices have only limited access to the other portions of a network, this can limit the ability for an attacker to leverage vulnerabilities.
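The following is an added example, not part of the original article, that models the two ideas just described: segmentation (each zone is its own subnet) and segregation (explicit rules about which zones may talk to each other, with everything else denied by default). The subnets, zone names, ports and sample flows are constructed for illustration, and the model is stateless, so a real firewall would additionally allow established return traffic for the flows it permits.

```python
"""
Added example: a small model of network segmentation and segregation for a
home with a separate IoT subnet. Addresses, zones and rules are constructed
assumptions, not the article's own configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Segmentation: each zone is a separate subnet (constructed sample addressing).
ZONES = {
    "trusted": ip_network("192.168.1.0/24"),   # laptops, phones
    "iot": ip_network("192.168.50.0/24"),      # cameras, thermostats, printers
}


@dataclass(frozen=True)
class Rule:
    src: str            # zone name, or "wan" for anything outside the home
    dst: str
    ports: frozenset    # allowed destination ports; empty means any port
    action: str         # "allow" or "deny"


# Segregation: explicit rules evaluated top to bottom; default is deny.
POLICY = [
    Rule("trusted", "iot", frozenset(), "allow"),        # manage devices from the trusted LAN
    Rule("iot", "trusted", frozenset(), "deny"),         # no lateral movement into the trusted LAN
    Rule("iot", "iot", frozenset(), "deny"),             # isolate IoT devices from each other
    Rule("iot", "wan", frozenset({443, 123}), "allow"),  # cloud/updates over HTTPS and NTP only
    Rule("trusted", "wan", frozenset(), "allow"),
]


def zone_of(addr: str) -> str:
    """Map an IP address to the zone whose subnet contains it, else 'wan'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "wan"


def evaluate(src: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny' for a flow; first matching rule wins,
    and a flow that matches no rule is denied (default deny)."""
    s, d = zone_of(src), zone_of(dst)
    for rule in POLICY:
        if rule.src == s and rule.dst == d and (not rule.ports or port in rule.ports):
            return rule.action
    return "deny"


# Constructed sample flows: (description, src, dst, port)
SAMPLE_FLOWS = [
    ("camera -> laptop SMB (lateral movement)", "192.168.50.10", "192.168.1.20", 445),
    ("laptop -> camera web UI (management)", "192.168.1.20", "192.168.50.10", 80),
    ("thermostat -> vendor cloud HTTPS", "192.168.50.12", "203.0.113.5", 443),
    ("thermostat -> Internet telnet", "192.168.50.12", "203.0.113.5", 23),
    ("camera -> printer (device to device)", "192.168.50.10", "192.168.50.11", 9100),
    ("Internet -> camera (unsolicited inbound)", "203.0.113.5", "192.168.50.10", 80),
]


def check_flows(flows=SAMPLE_FLOWS):
    """Evaluate each sample flow and return a list of (description, decision)."""
    return [(desc, evaluate(src, dst, port)) for desc, src, dst, port in flows]


if __name__ == "__main__":
    for desc, decision in check_flows():
        print(f"{decision:5}  {desc}")
```

Only the second, third and fifth decisions are "allow"; the rest fall to the default deny. The point of the model is that compromising a camera on the IoT subnet gives an attacker no route to the trusted subnet or to neighbouring devices, which is exactly the lateral movement the article says segmentation is meant to impede.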
Change Default Passwords
Where authentication is available on IoT devices, altering the default password should be made a priority. Default passwords may lack the complexity required to be secure, and in some cases, may be widely publicised on the Internet. Choose new passwords that are long and strong, and unique from all other passwords.
It’s important to make certain that connected systems are also protected with secure and unique passwords. This means that if one device gets compromised, it is much harder for an attacker to reach other systems on the network. See our article ‘Creating Secure Passwords’ for more information about how to create a strong and memorable password.
Change Default Usernames
Where the default username is able to be altered, it’s a good idea to change it. This means it’s harder for attackers to identify the account with the most privileges.
Set User Privileges
User accounts should be set to the least amount of privilege required. Additionally, user accounts should use the highest privacy settings and enable multi-factor authentication where available.
Enable Account Lockouts
If there is functionality to lock user accounts out after a certain number of tries, this should be enabled. This can hinder attackers who attempt to use brute-force attacks against passwords.
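Where a device does not offer lockout itself, the same idea can be applied at the gateway or log collector by watching its authentication log. The following is an added example, not code from the original article: it parses constructed log lines in an assumed format (timestamp, result, user, source address), counts failures per user and source within a sliding window, and reports the accounts that should be locked. The threshold, window and log format are assumptions.

```python
"""
Added example: sliding-window brute-force detection over constructed
authentication log lines from an IoT device's admin login. The log format,
threshold and window are assumptions, not the article's own.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<iso timestamp> login <failed|ok> user=<name> src=<ip>"
LINE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

THRESHOLD = 5                  # failures that trigger a lockout
WINDOW = timedelta(minutes=10)  # failures older than this are forgotten

# Constructed sample log: a legitimate typo, a rapid guessing run, and a slow one.
SAMPLE_LOG = [
    "2024-03-01T10:00:01 login failed user=admin src=192.168.1.20",
    "2024-03-01T10:00:09 login failed user=admin src=192.168.1.20",
    "2024-03-01T10:00:15 login ok user=admin src=192.168.1.20",
    "2024-03-01T10:05:00 login failed user=admin src=198.51.100.9",
    "2024-03-01T10:05:01 login failed user=admin src=198.51.100.9",
    "2024-03-01T10:05:02 login failed user=admin src=198.51.100.9",
    "2024-03-01T10:05:03 login failed user=admin src=198.51.100.9",
    "2024-03-01T10:05:04 login failed user=admin src=198.51.100.9",
    "2024-03-01T10:05:05 login failed user=admin src=198.51.100.9",
    "2024-03-01T10:10:00 login failed user=guest src=192.168.1.31",
    "2024-03-01T10:25:00 login failed user=guest src=192.168.1.31",
    "2024-03-01T10:40:00 login failed user=guest src=192.168.1.31",
    "2024-03-01T10:55:00 login failed user=guest src=192.168.1.31",
    "2024-03-01T11:10:00 login failed user=guest src=192.168.1.31",
]


def detect_lockouts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {(user, src): lockout_time} for every user/source pair that
    accumulated `threshold` failures inside `window`. A successful login
    resets the counter; lines that do not match the format are ignored."""
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    locked = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        key = (m["user"], m["src"])
        if key in locked:
            continue                # already locked; further attempts are moot
        if m["result"] == "ok":
            failures[key].clear()
            continue
        recent = failures[key]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures that fell out of the window
        if len(recent) >= threshold:
            locked[key] = ts
    return locked


if __name__ == "__main__":
    for (user, src), when in detect_lockouts(SAMPLE_LOG).items():
        print(f"lock out user={user} from src={src} at {when.isoformat()}")
```

On the sample log, only the rapid run against `admin` from 198.51.100.9 is locked out, at the fifth failure; the two mistyped passwords followed by a successful login are reset, and the `guest` failures spaced fifteen minutes apart never accumulate within the ten-minute window. That last case is the caveat a practitioner should note: the window length is a tuning decision, and a slow, patient guessing campaign stays below it, so a lockout rule is best paired with a longer-term per-account failure alert and the strong, unique passwords discussed above.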
Enable Automatic Updates
Patching is the most effective way to protect a device from known software vulnerabilities, so long as the device remains in support. It is good practice to configure IoT software to receive automatic updates where possible, as this means that vulnerabilities will be addressed in a timely manner.
Limit Administrative Capabilities
Disable or remove any functions an IoT device provides that you do not need. This limits the ability of attackers to leverage weaknesses that may be present in those unused functions.
Encrypt Your Transmissions
If your device offers options to encrypt its transmissions, it is good practice to set encryption to an accepted standard, such as AES-256, and to enable HTTPS wherever it is available.
For further guidance on IoT security, OWASP has a comprehensive breakdown from a number of perspectives. See https://www.owasp.org/index.php/IoT_Security_Guidance for more information. The IoT Alliance Australia (IoTAA) also publishes an IoT security guideline, which describes where security and privacy in IoT devices currently stand. It can be found here: https://www.iot.org.au/wp/wp-content/uploads/2016/12/IoTAA-Security-Guideline-V1.2.pdf
While the above strategies and methods can be employed to increase the security of IoT devices in the home, it becomes increasingly difficult to mitigate vulnerabilities in IoT devices in other industries such as health care or logistics. Examples include devices with fewer consumer-facing options and/or support, such as insulin pumps or pacemakers. For people owning these devices, it is imperative that a thorough risk analysis of the devices is completed, and that their support and maintenance are ongoing.
The practice of securing IoT devices is still developing as the industry itself matures. The first wave of devices has come to market with a “fail fast, fix later” mindset, and it is imperative that, moving forward, a more security-conscious approach is taken.