IoT security: Defending a young industry from attack
As the IoT industry matures, it’s safe to say we’re well past the “early adopter” phase and seeing broader development and deployment. While the prospect of a more established and stable IoT environment is exciting, we’re not there yet. What we are seeing is that the space is showing its youth, and along with it, its insecurities.
Many new concepts and technologies skyrocket to peak interest and popularity before all of the appropriate security measures are put in place. The initial focus is on usability, functionality, and the consumer experience as a whole – what need or inconvenience can we address with the edgiest, coolest product possible?
As the industry progresses, we’ll continue to see varying degrees of security and privacy postures within these products. Devices made by higher-end, well-funded, and better supported vendors, such as Nest, Ring, and Canary, which use cloud-backed solutions, have a strong security track record (to date). Cheaper, stand-alone devices produced by offshore manufacturers using out-of-date firmware should worry security professionals and consumers alike. They ask the user to poke holes in their own firewalls, or require a certain level of skill to set up properly – which is a tough ask for most users not familiar with anything beyond basic networking. It leaves a large margin for error.
In an ideal world, security would be invisible. Plug and play. However, the security around new products or technologies often fails due to human error – even if the product is free from technical security defects. This is a reminder that the risk end users pose to their own security, much less that of an enterprise, will be ever-present. There will always be new technology and there will always be the user. The term “user error” is not going to exit our lingo any time soon – so we need to ensure we’re looking at the big picture.
As long as people are developing and using products, there will always be the “human” factor. People make mistakes, and are limited to the knowledge and experiences they’ve had when making judgement calls. When faced with a potentially compromising situation, the ideal outcome is that an employee has been trained well enough to deploy and use an IoT system while avoiding or minimizing the risk. There is no such thing as “zero risk,” so while we can apply technical fixes to technology, end users are also “patchable” – but each requires ongoing maintenance as part of an organization’s security efforts.
In taking a step back, the biggest IoT risk lies in four main areas: a brand’s ability to develop secure devices from the get-go, an enterprise’s focus on educating employees on the risks these products pose to their company, the ability of the user to securely deploy IoT devices, and the consumer’s level of knowledge on how to keep their personal information secure from malicious actors while using these devices.
I use several home automation or IoT devices – they make life easier as a consumer, and that’s why they’ve taken off in popularity. As the obsession with IoT pushes ahead, enterprises are now leveraging them for logistics, data analytics, and automated processes. Prioritizing a high level of awareness, proficiency and education on identifying threats is imperative in a world where security is not always the main focus of new-to-the-market products or applications.
The biggest piece of advice I have for consumers is to keep in mind that the more devices we add to our homes, networks, pockets, cars and lives, the more data we are exposing to attack. For example, if your cloud-based security camera is compromised, an attacker could record everything said in your house. The solution? Use a strong (and unique) password for your security cameras and consider disabling audio recording. Log in to your account every now and then and note any unusual changes to your account or configuration (e.g. if audio is turned on again), and evaluate if you need the cameras inside your house or other sensitive areas.
Other security tips to keep top-of-mind include:
- Always change the default password of your devices (if applicable).
- Use strong (and unique) passwords on any supporting cloud services accounts.
- Do not enable UPnP (universal plug and play) on your router or firewall unless you know what you are doing.
- If you are savvy enough to manually set up port forwarding on your router or firewall, consider limiting the IP ranges that are allowed access. For example, if you will only ever access the device from your work, only add your work’s IP address to your firewall.
- Update the firmware of your devices often. If the device supports auto-update, enable it. If not, check the vendor’s website often or sign up for their newsletter.
- Think about what the device collects or what it has access to (e.g. video, sound, temperature, etc.) and then think about the worst-case scenario if that were to be available to anyone on the Internet.
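The port-forwarding tip above, as an added nftables example that is not from the article: the rule that opens a device to the whole Internet is shown commented out beside the version that only accepts connections from one known address. The interface name, device address, port and allowed address are constructed for the example, and outbound NAT for the rest of the LAN is assumed to be configured elsewhere on the router.

```nft
# Added example (not from the article): a minimal nftables ruleset that
# forwards TCP 8080 from the Internet to an IoT device on the LAN, but
# only for connections coming from a known source address.
# Assumptions (constructed for this example):
#   eth0          = WAN interface of the router
#   192.168.1.50  = LAN address of the IoT device
#   203.0.113.10  = the only remote address allowed in (placeholder from
#                   the RFC 5737 documentation range; replace with your own)

define wan_if   = "eth0"
define device   = 192.168.1.50
define svc_port = 8080
define allowed  = { 203.0.113.10 }   # add more addresses or ranges here

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Weak version (what a typical "open port 8080" setup does):
        # every host on the Internet reaches the device.
        # iifname $wan_if tcp dport $svc_port dnat to $device

        # Hardened version: rewrite the destination only when the packet
        # comes from an address on the allow list.
        iifname $wan_if ip saddr $allowed tcp dport $svc_port dnat to $device
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Let established/related traffic flow in both directions.
        ct state established,related accept

        # Permit the forwarded connection only from the allow list; anything
        # else arriving from the WAN toward the device is logged and dropped,
        # which also gives you something to check on later.
        iifname $wan_if ip saddr $allowed ip daddr $device tcp dport $svc_port accept
        iifname $wan_if ip daddr $device log prefix "iot-fwd-drop: " drop

        # LAN hosts may still reach the Internet.
        oifname $wan_if accept
    }
}
```

Load it with `nft -f` and check `nft list ruleset` afterwards; the logged drops show up in the kernel log with the `iot-fwd-drop:` prefix.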
Enterprises and small businesses alike should do their due diligence in researching which IoT devices have the best security defenses built into the system, and look to security education and training to make sure employees are aware of the potential threats involved with inevitable vulnerabilities in those devices.
We can expect to see the IoT industry respond with better standards and more mature offerings, but at the end of the day, technology has its limitations. Employee awareness can end up being the strongest line of defense against IoT attacks.