IoT Device Security At Home

Credit to Author: William “Bill” Malik (CISA VP Infrastructure Strategies)| Date: Wed, 20 Sep 2017 15:16:10 +0000

What do security vulnerabilities mean for the IoT?

 

My girlfriend read something that worried her about the security risks posed by Internet of Things (IoT) devices at home. She had recently purchased a new TV, and she has an older home security system. She asked if her privacy might be at risk.

We talked about the kinds of problems an unprotected home network can cause.

 

 

These include, in no particular order:

  • Compromised cable modems can give unauthorized Internet access
  • Malware-infected PCs can reveal personal information and passwords to financial applications
  • Infected PCs and IoT devices can host bots, launching DDoS attacks, spam, and fake social media posts
  • Hijacked storage (as on smart TVs) can store stolen data
  • Compromised home sensors reveal occupants’ activities and absences
  • Compromised sensors can post false usage, increasing utility bills
  • Subverted monitors can let dysfunctional individuals blurt hate speech into the home

We decided to run an informal audit.

First, we looked at the cable modem. Built in 2004, it had no available updates. We contacted the internet provider and ordered a replacement. It arrived after a week or so. The new device was manufactured in 2015, so the first thing we did was update its firmware – there were cumulative updates outstanding. We turned off “SSID broadcast” and set up the “guest” network. Next, we moved the IoT devices from the primary network to the “guest” network so they could not communicate among themselves or eavesdrop on the active devices.

We looked at what was talking to the network, and found over a dozen more devices:

1. The smart TV

2. A wireless printer

3. Her laptop and mine

4. Her phone and mine

5. A desk-side machine used as a media server

6. The home security system:

  • Motion detectors
  • Video cameras
  • Sensors monitoring carbon monoxide, water in the basement, and smoke

7. The remotely-readable electric meter

The smart TV was recent, so patching was simple. Ditto for the phones and PCs, although some phone manufacturers are better than others at providing timely patches. The printer took updates from the manufacturer’s support site, under Drivers and Downloads. The home security system has proved to be a bigger challenge. The vendor is moving a bit slowly in providing the most recent capabilities. That may be reason enough to consider switching technology.

Are we safe? We are safer. We do not enable Bluetooth, so the BlueBorne vulnerability will not affect us. The electric meter is outside our control, which is a problem. It could reveal when the house is empty. My car is “e-chatty,” but not with her home systems. Her car is older and does not chat with any external networks.

Homeowners should know what they have in their homes, and keep it secure. What should a homeowner do?

  • Identify all devices that connect to the Internet from your home.
  • Make sure they have current software patches.
  • Limit access to these devices from the internet.
  • Isolate them so they cannot communicate with one another, or scan your home network.
  • Set your cable modem or router to minimize inappropriate traffic.
  • Do not broadcast your SSID.
  • Use the “guest” network to isolate your active systems from passive IoT devices.
  • Change the default passwords to your devices (you can change them back by resetting the device, if you need to).
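
As an added example (not part of the original post), here is one way to repeat the inventory and guest-network checks from the list above: the script reads a router's DHCP lease table in dnsmasq's lease-file layout and flags unknown devices and IoT devices that sit outside the guest subnet. The guest subnet, MAC addresses, device roles and lease lines are constructed assumptions.

```python
import ipaddress

# Assumed addressing plan (not from the article): the router's guest subnet.
GUEST = ipaddress.ip_network("192.168.2.0/24")

# Constructed inventory: MAC -> (label, role). "active" = laptops and phones,
# "iot" = passive devices that belong on the guest network.
KNOWN = {
    "aa:bb:cc:00:00:01": ("laptop", "active"),
    "aa:bb:cc:00:00:02": ("smart-tv", "iot"),
    "aa:bb:cc:00:00:03": ("printer", "iot"),
}

# Constructed sample in dnsmasq lease-file layout:
# <expiry> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
1505920000 AA:BB:CC:00:00:01 192.168.1.10 laptop 01:aa:bb:cc:00:00:01
1505920000 aa:bb:cc:00:00:02 192.168.2.20 tv *
1505920000 aa:bb:cc:00:00:03 192.168.1.30 printer *
1505920000 aa:bb:cc:00:00:09 192.168.1.44 * *
malformed line
"""

def audit(leases, known=KNOWN):
    """Return sorted (mac, ip, finding) tuples for leases that need attention."""
    findings = []
    for line in leases.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        mac = fields[1].lower()  # routers differ in MAC letter case
        try:
            ip = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # not a lease line
        label, role = known.get(mac, (None, None))
        if role is None:
            findings.append((mac, str(ip), "unknown device: identify it"))
        elif role == "iot" and ip not in GUEST:
            findings.append((mac, str(ip), f"{label}: IoT device outside guest network"))
        elif role == "active" and ip in GUEST:
            findings.append((mac, str(ip), f"{label}: active system on guest network"))
    return sorted(findings)

if __name__ == "__main__":
    for mac, ip, finding in audit(SAMPLE_LEASES):
        print(f"{ip:15} {mac}  {finding}")
```

Routers that do not expose a lease file usually show the same information on their connected-clients page, which can be copied into the same layout.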

Protect yourself against malware. Do not click on suspicious email attachments or links. Use long passwords. NIST has reversed its earlier guidance about complex passwords (upper case, lower case, special characters). Instead, use a long, easy-to-remember password such as “largelightening884” – the one from an older router I once had. Do not use that one. Finally, use a cross-generational security suite that provides layered protection. Trend Micro makes one.

Let me know what you think! Post a comment below or tweet me: @WilliamMalikTM.
