Most readers here have probably heard or read predictions of impending doom from the proliferation of poorly secured “Internet of Things” or IoT devices. Loosely defined as any gadget or gizmo that connects to the Internet but that most consumers would not know how to begin protecting, the Internet of Things spans everything from security cameras, routers and digital video recorders to printers and wearables.
Throughout 2017 and 2018, a large number of attacks came from botnets made up entirely of hacked IoT devices, and many experts warned that the outlook for Internet security was bleak. But the future of the Internet of Things does not have to be so bleak. This is a primer on minimizing the chances that your IoT things become a security liability for you or for the entire Internet.
-Rule#1: Avoid connecting your devices directly to the Internet, either without a firewall or in front of it, by poking holes in the firewall for remote access. Putting your device in front of a firewall is often a bad idea because many IoT products are not designed with security in mind, and making these products accessible over the public Internet may invite attackers into your network. If you have a router, it may also have a built-in firewall. Keep your IoT devices behind the firewall as much as possible.
-Rule#2: If possible, change the thing's default credentials to a complex password that only you know and can remember. If you do forget the password, it is not the end of the world: most devices have a recessed reset switch that can be used to restore the factory-default settings (and credentials). Here are some suggestions for choosing better passwords.
I said “if possible” at the beginning of Rule #2 because IoT devices, especially security cameras and DVRs, are often so poorly designed from a security point of view that even changing the default password on the item's built-in web interface does nothing to stop the device from being reachable and vulnerable once it is connected to the Internet.
In addition, many of these devices are found to have hidden, undocumented “backdoor” accounts that an attacker can use to remotely control devices. This is why Rule #1 is so important.
-Rule#3: Update the firmware. Hardware vendors sometimes provide security updates for the software that powers their consumer devices (known as “firmware”). Before putting an IoT device to use, it is a good idea to visit the vendor's website and check for any firmware updates, and to check back regularly for new ones.
-Rule#4: Check the defaults and make sure that features you may not need or want are disabled. One example is UPnP (Universal Plug and Play), which can easily poke holes in the firewall without your knowledge.
Want to know if there is a hole in your router's firewall? Censys has a nice scanner that can give you clues about any cracks in the firewall. Browse to whatismyipaddress.com, then cut and paste the resulting address into the text box at Censys.io, select “IPv4 hosts” from the drop-down menu, and click “Search.”
If this sounds too complicated (or your ISP's address is on Censys' blacklist), check out Steve Gibson's Shields Up page, which includes a point-and-click tool that can tell you which network doorways or “ports” may be open or exposed on your network. A quick Internet search on exposed port numbers can often produce useful results indicating which of your devices may have poked a hole.
If you're running anti-virus software on your computer, consider upgrading to the “Network Security” or “Internet Security” versions of these products, which come with more full-featured software firewalls that make it easier to block traffic going into and out of specific ports.
In addition, Glasswire is a useful tool that provides a full-featured firewall and tells you which applications and devices are using the most bandwidth on your network. Glasswire recently came in handy to help me determine which application was using gigabytes of bandwidth per day (the culprit was a version of Amazon's software client with a glitchy updater).
-Rule#5: Avoid using IoT devices with built-in Peer-to-Peer (P2P) functionality. P2P IoT devices are known to be difficult to protect, and research has repeatedly demonstrated that they can be reached remotely over the Internet even through a firewall, because they are configured to constantly look for ways to connect to a global shared network so that people can access them remotely. For examples of this, see previous stories here, including “This Is Why People Fear the Internet of Things” and “Researchers Find Fresh Fodder for IoT Attack Cannons.”
-Rule#6: Consider the cost. Keep in mind that in IoT devices, cheaper is usually not better. There is no direct correlation between price and security, but history has shown that devices toward the lower end of the price range for their class tend to have the most holes and backdoors, with minimal vendor maintenance or support.
After several people who created Mirai (one of the largest IoT malware threats in history) pleaded guilty last month, the US Department of Justice issued a series of tips on protecting IoT devices.
One final point: I realize that the people who may most need to read these tips are the least likely to know that they need to care enough to act on them. But at least by taking proactive steps, you can reduce the likelihood that your IoT things will contribute to the global IoT security problem.