There are no IOUs with the Internet of Things
As consumers connect more and more devices to their home networks, their homes become more and more vulnerable to cyberthreats. And while many people are aware that these devices, collectively known as the Internet of Things, generally lack strong security, few seem to understand how a lack of protection could personally affect them.
If your “smart” thermostat gets hacked, for example, you might shrug it off as a low risk; after all, it contains very little personal information, right? Well, once the device is penetrated, your network’s intruder can pivot to other connected devices—like your laptop, where you store high-value data.
Attackers generally aren’t interested in poking at an individual device; they target tens of thousands of devices to breach as many as possible. That typically happens through one of three types of attack: distributed denial of service (DDoS), which crashes computers by overwhelming them with generated traffic; ransomware, which locks users out of their data by encrypting files or entire computers; and, increasingly, cryptojacking, which taps the compute power of connected devices to mine cryptocurrencies like bitcoin.
Security researchers typically let manufacturers know about the vulnerabilities they discover. For various reasons, they sometimes publicize their discoveries, including exploit code, before a patch is available. And attackers often start with that code.
The recent Mirai and Reaper/IoTroop botnets show us two different approaches to exploitation. Mirai infected connected devices by logging in with default administrator credentials, where device owners had neglected to change the factory-issued passwords. The attack resulted in the largest DDoS ever seen up to that point, and had worldwide impact. Reaper/IoTroop spread by attackers mass-exploiting vulnerabilities in 70 different consumer devices.
Reaper infected more than a million devices before being discovered. These devices are now (mostly) patched, though for several reasons, IoT patches are rare.
Manufacturers don’t always develop patches for their connected devices. And when they do, they don’t always push them through in automatic software updates or otherwise make them easy for consumers to install. Consumers, in turn, might be wary of a potential domino effect a patch of one connected device might have on another; more often, they simply ignore, or don’t even become aware of, a patch advisory.
In 2015, for example, a particularly dangerous exploit called Stagefright began attacking Android devices and spread widely without user awareness. And nine months after its discovery and patch release, about 35 percent of affected phones worldwide remained unpatched.
Staying on top of IoT patches
To help consumers learn about how (and, moreover, why) to protect their in-home connected devices, my company, Grimm, created the Howdy Neighbor Smart House model. Exposing common oversights in IoT development, configuration, and setup, it simulates how attackers with varying skill levels attack smart-home devices, from webcams and power meters to HVAC systems and TVs.
In a Howdy Neighbor simulation, for example, a person setting up a home security webcam is prevented by its design from updating its default password with a more complex (and therefore more secure) password. Attackers then compromise the webcam in a mass attack, using published exploitation code. Once inside the customer’s network, they steal photographs, tax forms, and bank account information by automatically taking over other devices on the network with the same approach.
This scenario is far from an impossible one. And as tools like Censys.io and Shodan.io continually scrape the Internet and locate the Internet Protocol addresses of vulnerable devices, it is likely to become more common. Armed with IP addresses and simple code, also found online, attackers could relatively easily build automated campaigns against thousands of devices at a time.
So how can consumers protect their home networks?
- Update your connected devices’ default usernames and passwords.
- Put all of your connected devices behind a firewall. If attackers can’t touch them, they can’t do anything with them.
- Apply patches. It’s difficult to keep up with the number of connected devices in your home. So make time at least once a year to do a full inventory and apply patches to everything. Think of it like spring cleaning or tax day (annoying as hell, but important).
- Segregate your Wi-Fi networks. Your smart thermostat shouldn’t be on the same network as your computer. Create one IoT network on your core router, and use a separate network on the same router for more sensitive devices.
- Extra credit: Create an email address just for registering these devices. If you don’t have a router that allows you to create a segmented IoT network, strongly consider upgrading to one that does.
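As an added example (not from the original article or from Grimm), here is a Linux nftables ruleset for a home router that implements the firewall and network-segregation advice above: the trusted network can reach the IoT network and the Internet, but IoT devices can never open a connection into the trusted network. The interface names and subnets are assumptions.

```nft
# Constructed example. Assumes the router runs Linux with nftables, that the
# trusted network is on interface lan0 (192.168.1.0/24), the IoT network is
# on iot0 (192.168.20.0/24), and wan0 faces the Internet.
table inet home_segments {
    chain forward {
        # Anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Keep established flows working in both directions, so replies to a
        # connection the trusted network opened toward a camera still arrive.
        ct state established,related accept

        # Trusted devices may reach IoT devices (e.g. to view a webcam feed
        # or to apply a firmware update from a laptop).
        iifname "lan0" oifname "iot0" accept

        # Both segments may reach the Internet for updates and cloud services.
        iifname { "lan0", "iot0" } oifname "wan0" accept

        # IoT devices never initiate connections into the trusted network.
        # Logging the attempt makes a compromised thermostat probing the
        # laptop subnet visible in the router's logs.
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan-blocked: " drop
    }
}
```

Load it with `nft -f <file>` on the router and then confirm from an IoT-segment device that hosts on the trusted network are unreachable while a laptop on the trusted network can still reach the IoT segment.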
Manufacturers have thus far not been held accountable for the lack of security on their connected devices. They don’t suffer negative consequences for selling vulnerable devices that make our interconnected reality less secure. And from a security standpoint, there is no minimum bar to market for connected devices.
Objective, standardized data sharing and security labeling, similar to nutritional guidance found on food packages, will help consumers make better choices about the devices they connect to their home networks. And improved planning for and accountability along the full security life cycle will help (and force) manufacturers to keep home networks safer.