If you are an IoT device user, chances are that your device is riddled with numerous security issues. This post teaches you on how to stay secure if you are an end consumer with the love of Internet of Things devices, and how you can use them without compromising on the IoT security.
Internet of Things or so-called “Smart Devices” is the talk of the tech town currently. Every single month, 100s of new devices are being released with none or improper security protections in place.
Why IoT Security is non-existent?
The primary reason for the insecurity for these IoT devices is the lack of awareness, meaning the developers and smart device manufacturers don’t know how to make devices secure from vulnerabilities. Also, adding to it, the fact that the manufacturers often lack the bigger picture which is required to understand the security issues in an IoT device.
Another common misconception which we have seen through our interactions with the IoT developers and manufacturers is that most of the people still think of IoT security being only about the security of devices. However, if you actually understand IoT, you would realize that it is a combination of various different components which comprise an IoT ecosystem.
These IoT Components are:
- Hardware: the Smart Device or Gateway
- Web apps, Mobile apps, Cloud assets
- Radio communication.
So when you perform IoT security, ensure that you look at the entire ecosystem rather just a single smart device. Let’s dig a bit deeper into each of the above components:
- Hardware: Numerous vulnerabilities including exposed serial port, ability to dump firmware, bypassing hardware protections and more.
- Web Apps, Mobile apps, Cloud assets: All possible vulnerabilities which you could imagine – Authorization and Authentication flaws, Insecure endpoints, Insecure network communication, logic flaws and more.
- Firmware Security issues: Hardcoded sensitive information, ability to modify the firmware, no signature or integrity check etc.
- Radio communication: Capturing authentication and pairing mechanism to obtain keys, plaintext communication, replay attacks, MITM attacks, Jamming and more.
The above are just a few examples of the vulnerabilities and security issues you will find in the Internet of Things devices. It is the little pieces being secure and with secured interaction between them, which comprises the 360 degrees Internet of Things Security. With this blog post, my aim is to give you an overall perspective of how you could start building more secure IoT devices and have a discussion with your team and revisit the insecure devices that you have built in the past. This will also serve as a guide for the end-users or consumers who actually use these devices.
What to do for IoT Security as a consumer
Now, let’s pause for a moment and think of how we as a consumer would decide from a security perspective if we are evaluating various IoT solutions which we want to buy. As a consumer, we think of IoT devices from a mere functionality perspective and say – Okay, this is a smart thermometer or this a smart bottle and will serve this purpose in my day to day life.
We fail to understand the criticality of the fact that whether our data is going to be secure with this device or not, and asking the question that can I actually trust this device with sensitive and confidential information such as personal medical information or family vacation habits, is the question that we need to ask ourselves.
True, the understanding is limited but how you can apply the knowledge to understand the security of devices you are going to buy is critical. In case you have a bit of technical understanding, you can check out some of the other technical posts we have written on the topic of IoT Security:
- Firmware Analysis of IoT Devices
- Emulating and Exploiting firmware binaries
- Hacking IoT Hardware
- Exploiting IoT Enabled Smart Bulb Security
- and more.
Let’s now have a look at some actionable tactics and pointers which you can start using immediately in order to have a secure smart environment around you. Below are the 5 points which will ensure that your smart device is not easily vulnerable to malicious hacker attacks:
- Strong Password: Most of the IoT device users don’t change the default credentials which the device is shipped with. Based on our analysis of numerous smart devices, an astonishing 75% of them are shipped with same credentials for its entire product line, making it extremely easy for attackers to crack.
If you remember the most popular and widespread IoT botnet ever, Mirai, it relies on the vulnerability that millions of IoT devices were using default credentials which were extremely easy to brute force and crack. This also highlights the importance of the fact that you should always change the password of any IoT device that you purchase and use.
2. **Updating the firmware: **Updates are the key to ensuring that your device is loaded with the most recent security patches and is secured from the known threats. With every update, manufacturers patch identified and reported security bugs and take a step forward to harden the security of the product
If you are still using an old firmware version, you are risking the security and privacy of yourself and handing it over to the malicious hackers who are constantly looking for vulnerable targets.
In some of the cases, even though updating firmware would be a bit tricky, taking that extra effort in order to update the firmware would prevent your device from being compromised in the future.
3. Separate VLANs / Removing from the network: In case if you are using an IoT device on your trusted home or corporate network, always ensure that you have the IoT devices on a separate VLAN compared to the other laptops and personal devices. This will add a layer of protection from typical network-based attacks.
4. Stay Updated with the recent news and happenings in IoT security: Since IoT is evolving at such a fast pace, it is highly important that you stay updated with all the recent news and public vulnerabilities being disclosed or shared in the news about IoT devices.
5. Do your homework before buying “another” IoT product: I can understand the excitement and the adrenaline rush that comes with getting a new IoT gadget at your home or workplace, using it, showing it off to your colleagues and so on, which is perfectly fine. Even I am a tech enthusiast and love to buy all the various kind of IoT devices in the market. Just a word of caution here – do your research before you buy a new IoT device. Most of the devices which are launching these days in the market are not vetted for security and don’t even have a security team which could help them ensure the security of their user’s data.
This is even more important if you are going to trust the device with personal and sensitive information. Look at the kind of PII they are asking you (and not asking for but still collecting).
Overall, Smart IoT Devices are one of the biggest advancement in technology and is pushing the entire humankind forward. At the same time, it is important that we don’t let these technical advancements and new IoT devices create an insecure future where our privacy is non-existent.