The proliferation of Internet of Things (IoT) is hard to miss. Companies issue breathless announcements of new devices that can be connected to the internet and the brave new world that will follow … if you just buy the latest gadget.
Today, no smart home is complete without cameras, alarm systems, door locks, thermostats, baby monitors, garage doors, sprinklers, and other appliances jumping onto the internet. Of course, with every disruptive new technology, there are downsides to the benefits. Unfortunately, manufacturers have been slow to include even basic security features with all of these new IoT devices.
Many people believe the devices on home networks are virtually invisible to the outside world. However, a lot of these devices have been programmed by manufacturers to “phone home” and set up accounts to enable features and access them with your smart phone.
Other people believe in “security through obscurity.” After all, there are SO many devices out there, how would someone notice a few more? These people were actually correct … at first. Hackers used to have difficulty finding all of those devices. But not anymore.
IoT search engine
If you want to find something on the internet, you use a search engine. Now, there’s a search engine specifically for IoT devices. Normal search engines work by “crawling” the internet and logging web sites when discovered. IoT search engines do the same thing, but they look for exposed IoT devices. One famous example in the security community is the Shodan IoT search engine. If you haven’t heard of it, you should acquaint yourself, especially if you use IoT devices in your home or business.
With Shodan, users can enter search criteria, or use one of the pre-built searches to find internet-connected items, like webcams. Each IoT device has been carefully cataloged so hackers (and testers) can find them.
IoT devices discovered by the search engine are sorted by various fields, and you can click down to an individual device. The above is an example of a device in the U.S. You’ll note that the system even makes an educated guess of the location of the IoT device based on the IP address.
With this information, hackers can attack the device. And it’s not as difficult as it sounds. Manufacturers of these devices publish user guides on the internet, which typically include default passwords. These can be obtained with a simple online search. Many consumers don’t bother to change those passwords, making access to hackers far too simple.
This problem is especially important to commercial users of IoT devices to monitor and manage manufacturing, security cameras, and other applications. As bad as it is for a residential user of IoT devices to be hacked, it’s worse for businesses. Once hacked, an IoT device can also be used as a pivot point to scan and gain access to other devices and systems in the network.
In addition, even if the devices aren’t used in a direct attack on the organization, they can be re-programmed to do other nefarious actions on behalf of the hacker. For example, a recent Distributed Denial of Service (DDoS) attack was launched with the aid of millions of webcams and other devices. Yes, that’s right—millions. Attackers reprogramed these items to go to a single name server run by DynDNS and simply overrun it with traffic. This, in turn, interrupted access to many other web sites, including Amazon and Twitter. The attack was damaging and the owners of those devices probably never knew they had been compromised.
What can you do to secure your IoT devices?
First, read the descriptions and labeling carefully when purchasing an IoT device. It should provide some indication that it uses encrypted data (AES-256, SSL, etc.).
Don’t purchase products that appear to be poorly designed. For example, if a device allows you to use a browser to configure it, does it use HTTPS? Does the device use the latest WPA2 Wi-Fi encryption? If the device communicates to a cloud service, does that service require strong passwords?
Next, when installing and setting up your devices, be sure and change the default passwords to something long and difficult to guess.
Make sure you observe the device over time. If it begins to act erratically (such as communicating when you are not using it, or slowing down at odd times), you might want to investigate. It might have been hacked.
Finally, let friends and family know the importance of IoT security and to be careful as well.
Never miss another article. Sign up for our newsletter.