IoT Security: How to Secure Your Internet of Things Devices from Hackers
More people are using the Internet of Things (IoT) than are taking adequate security measures to protect their devices from breaches, according to research by the Berkeley Research Group (BRG).
The BRG found that 85% percent of organizations use the IoT in their operations, but just 10% of organizations have an IoT security strategy [1]. This leaves 75% of organizations indefensible against a cyber attack on their smartphone, surveillance system, security system, or VoIP devices.
Many people assume that manufacturers resolve security protocols themselves before releasing their product, but, in reality, many finished devices are still vulnerable to attack. At this year’s DEF CON 24 Hacking Conference, for example, IoT Village researchers presented findings on 47 new security vulnerabilities in 23 different devices from 21 brands.
These brands include trusted names like Samsung, Subaru, Trane, QuickLock, and Elecycle [1]. Independent auditors, like the IoT Village, uncover vulnerabilities in popular products all the time. Earlier this year the security firm IOActive cause a stir when it revealed just how easy it is to hack the SimpliSafe smart home security system used by 300,000 Americans. Using just $250 worth of hardware and a basic coding knowledge, consultants at IOActive were able to record any SimpliSafe system’s four-digit pin and replay it to disarm the system.
IOActive, which claims that SimpliSafe rebuffed the agency’s attempts to alert it to the replay vulnerability privately, filed a report with federal security regulators and issued a consumer advisory against the home security provider. Simplisafe isn’t the only smart security system that’s easy to hack. One IoT Village researcher found that, in his research pool, 75% of the smart locks he tested could be broken digitally.
In a market when manufacturers don’t catch all the potential breaches or, in SimpliSafe’s case, don’t care about the potential breaches, independent auditors like IOActive and IoT Village are key to keeping IoT manufacturers accountable for the safety of their customers.
There are, however, also things that the user can do to protect their IoT:
1. When choosing IoT devices, research and purchase models that have passed independent audits. It is accepted security practice for software companies (like Google, who always does it) to make their code available to independent auditors. In general, the more transparent a company is about their code, the safer the program is against hackers.
2. Always change the default password on your network video recorder (NVR) immediately after installing a video monitoring system. The default passwords for common video monitoring systems are public knowledge and, if left unchanged, anyone with the know how to do so can access your camera feeds remotely.
Using a default password gives peeping toms and potential intruders a window into your home. In 2015, for example, a Russian site broadcasted live streams from 73,000 security cameras around the world using default passwords. Intended to raise awareness about online security practices, sites like this give anyone (not just hackers) a look into your home.
3. Secure your IoT devices with complex passwords. If any device is stolen, wipe it remotely, as soon as possible. The remote for IoT networks is the smartphone, so be especially vigilant about lost or stolen phones. While IoT networks make everything more convenient, they also give hackers with control of your device control of your organization or home. Protect your devices.
4. To protect your device passwords and usernames, only share information about your security system with others over an encrypted phone or email line. Encryption scrambles data sent over the internet so that it can’t be intercepted. It protects your data enroute from one user to another.
To check if a site uses encryption, look for the “https://” web address prefix and the green toolbar (in the Google Chrome browser) denoting the site has passed an external security audit.
