More than 200 million homes already have at least one “smart” home device. So you’d think buying a safe, secure internet of things (IoT) device would be easy.
Unfortunately, it’s not that simple.
The sudden flood of internet-connected devices in our most intimate spaces is occurring without enough concern for security or privacy. Manufacturers often push products that fail to provide the most basic protections. And crooks are taking note.
F-Secure’s decoy honeypot network that monitors cyber attacks around the world now sees more Mirai malware — which targets insecure IoT devices like webcams and routers — than any threats targeting PCs or smartphones.
Criminals know they can now target homes through flimsy IoT devices. And consumers often have no idea if the equipment they’re installing is secure or not.
And regardless of how locked-down your connected home device is, the privacy issues that come from filling our private lives with connected devices are complex and require tremendous trust in third-party providers.
The IoT revolution is just beginning, and it will only move faster for the foreseeable future. Here’s what you need to know if you’re looking for a connected home device.
Consumers are finally getting some help
It’s been years since both the FBI and Interpol warned consumers about the security problems with many IoT devices. While legislation that requires manufacturers to improve IoT device security has been debated in the United States and proposed in the United Kingdom, manufacturers have never been held to any legal standard.
That’s about to change.
On January 1, 2020, California’s SB-327 —the first law that regulates the IoT—goes into effect, and aims to improve the security of connected devices. While this is a historic step, consumers should not expect the challenge of securing a smart home to disappear.
F-Secure’s Timo Laaksonen notes that SB-327 only requires makers “to implement reasonable security measures in light of the service that they are providing. So how vague can you be?”
But that doesn’t mean SB-327 is useless.
Strong passwords would be a huge improvement for the IoT
“One thing that is definitely going to be better is that default passwords are no longer accepted,” Timo said. “And if you look at the data breaches, 75% are stated to be caused by weak or recycled passwords.”
Mirai malware feasts on weak, guessable, or hardcoded passwords. These security scourges are number one on the list of Open Web Application Security Project IoT Top 10, “which represents the top ten things to avoid when building, deploying, or managing IoT systems.”
SB-327 hopes to change this giant hole in IoT security by requiring “a preprogrammed password unique to each device manufactured” or “a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”
This part of the law points to the single most important things you can do when you’re looking for a new IoT device. Find out if it has a unique password preprogrammed. If it doesn’t, does it allow you to generate a new one immediately?
How can you find out if an IoT device enables strong, unique passwords?
Just Google it.
What the FBI recommends when looking for a ‘Smart’ TV
Telling someone to “Just Google it” doesn’t seem like very advanced cyber security advice. But IoT security is generally not very advanced. Most people don’t even dothe basics.
For Black Friday 2019, the Portland Field Office of the FBI issued a list of tips for consumers looking for Smart TVs during their holiday shopping. “Google it” is a way to summarize nearly all of them.
Here are the FBI’s tips:
- Know exactly what features your TV has and how to control those features. Do a basic internet search with your model number and the words “microphone,” “camera,” and “privacy.”
- Don’t depend on the default security settings. Change passwords if you can – and know how to turn off the microphones, cameras, and collection of personal information if possible. If you can’t turn them off, consider whether you are willing to take the risk of buying that model or using that service.
- If you can’t turn off a camera but want to, a simple piece of black tape over the camera eye is a back-to-basics option.
- Check the manufacturer’s ability to update your device with security patches. Can they do this? Have they done it in the past?
- Check the privacy policy for the TV manufacturer and the streaming services you use. Confirm what data they collect, how they store that data, and what they do with it.
These tips generally apply for any connected home device you’re considering.
The big names may have their own problems
In F-Secure’s IoT Threat Landscape Report released in early 2019, F-Secure’s Mark Barnes—who was the first person to hack an Amazon Alexa—noted that many of the larger manufacturers such as Amazon and Google “have done an effective job of securing their mass-market devices.”
However, all the security in the world doesn’t matter if the private data manufacturers allow themselves to collect does not remain private.
A letter from five U.S. Senators in November asked Amazon CEO Jeff Bezos to address privacy and security concerns about Ring, the company recently acquired by the ecommerce giant for $800 million
“Ring doorbells are an example of a genuinely useful IoT and sold world-wide,” Mark said. “ However, the reports of lax security practices and lack of respect for privacy within Ring is disturbing given that we are entrusting them with private information and footage.”
The benefits the IoT offers always come with risks.
“Naively we might assume that these third parties will protect our data and treat it with respect, but this has time and again proven to not always be the case. Often the trade-off for having cheap IoT devices is that a large part of the business model for the vendors is the monetization of our personal data.”
Consumers need a simple solution
Even if all manufacturers begin taking IoT device security seriously and consumers begin researching the password and privacy policies of every model they purchase, millions of insecure IoT devices will still be in operation, vulnerable to attacks.
This “IoT asbestos,” as F-Secure’s Mikko Hypponen calls it, will likely last for decades—if not longer.
Securing the connected home starts with a secure router that keeps out probing attackers. Unfortunately, many, if not most, of the routers on the market contain known vulnerabilities.
Consumers have enjoyed the benefits of the explosion of cheap IoT devices but have paid with their security and privacy. The only way to fix this massive problem is to start now. Starting with a router that secures all of your smart home devices against cyber attacks is the simplest and smartest way to begin.
Categories
