The InsecureNet-of-Things: The state of IoT Privacy, Security and Safety
Digital technology and Moore’s Law have moved us along from the Computer Age to the Information Age. Now we are living in the IoT (Internet of Things) Age and its counterpart or successor, the Internet-of-Everything Age. It is a world where devices are interconnected via the Internet. Electronic devices at home or in the office are connected to the Internet, and you can access them from anywhere using another computer or a smartphone or other mobile device. The more devices you connect (baby monitors, Internet cameras, DVRs, lighting switches, security and alarm systems, wearables, fitness trackers, smart home appliances, HVAC systems), the more convenient it is to control your life. It is data driven, with embedded sensors that gather information which can be accessed from the Internet. There is a tradeoff with security, however. This connectivity is also the easiest way for hackers to gain entry to your home system, and that is becoming an issue. The fact that you can access your devices from anywhere means that others can also access your devices from anywhere. As IoT devices develop more advanced capabilities and features, hackers are going to look into exploiting their vulnerabilities. Securing access to these devices becomes more necessary because of the threats the “InsecureNet-of-Things” poses.
The Internet has no built-in security, or privacy for that matter. It has no built-in encryption to safeguard the data being transmitted. It is an open network that provides the pipeline to connect millions of users via their computers. Now it is also connecting other devices that can be critical to daily life. Certain medical devices use IoT to connect patients with medical professionals. Without a guaranteed secure connection, a hacker or bad actor who gained access to, let’s say, a patient’s syringe injector could act with malicious intent. Other medical devices monitor vital signs, which can be accessed remotely. HIPAA regulations protect this type of information for patients’ privacy. That privacy is violated if a hacker is able to gather information from these devices and use it illegally. Some early IoT devices that used passwords to allow remote access did not provide encryption, so it would be easy for hackers with software like packet sniffers to capture the password encoded in a data frame. Also critical are Internet-connected systems that involve physical operation, like autonomous cars, remote controlled vehicles and drones. If a hacker were to gain access to these systems, that could be a huge safety risk. Exploits have been shown that allowed hackers to gain access to a car’s braking system and affect it while the car was on the road. Chrysler recalled 1.4 million vehicles after a pair of hackers showed that they could remotely hijack a Jeep’s digital systems over the Internet. A car’s ECU (Electronic Control Unit) can be compromised if it is IoT enabled without any security in place. This type of exploit is serious, since it can affect public safety if it leads to accidents.
The best way to secure the “InsecureNet-of-Things” may be to follow the example corporate IT has set for securing remote access for employees. Placing a security device between the remote user and the IoT device adds a layer of protection. Typically this is a firewall behind a router, or a Layer 7 appliance that provides intrusion detection and prevention with an AV solution. A router itself is not a full security device; it just provides the network path to the Internet. For home users the router has become synonymous with the firewall, since vendors can bundle the features together. In the corporate setting the setup is more complex, requiring more than one layer of protection. The router allows incoming and outgoing traffic but does not filter the data stream. The data passes through the router and is then filtered at the gateway level, which is the firewall itself. Vendors have also developed security appliances called UTMs (Unified Threat Management) that bundle many features together inside a firewall, including AV, IPS/IDS, an antispam filter and even VPN access. VPN tunnels create an encrypted link to an IoT device with end-to-end encryption, which makes the connection highly secure. Most home consumers do not have these systems in place for their IoT devices, and therein lies the problem.
Using a web interface, home users can access port forwarding features to open up ports on their router to allow remote access to IoT devices. Other IoT devices just require a WiFi connection and can be accessed directly via a web interface. Documentation should be available on how you can further secure your access, and it is worth going over before putting a device on the Internet. Certain Internet cameras with DVR require users to open ports on their home router to access the device. If the camera is accessed via a smartphone app, the app should create a secure connection, which can be verified with the vendor. If it is a web interface, that is another story. In this case the IoT device’s vendor programmed the device to connect to their server via the Internet using the WiFi connection, and the user just accesses it via a web interface. The good news is that most vendors now provide secure access to their web interface using HTTPS, which encrypts your end-to-end connection. Make sure that the URL you use to access your IoT device’s web interface uses HTTPS with a digital certificate. Another, more secure way to access it would be via a VPN service or browser VPN. If the web interface is local to the device, without a digital certificate, that can be a red flag. There is no encryption at all when you access the URL using HTTP. The S in HTTPS stands for “Secure”, and that is the type of connection your IoT device’s web interface should be using. Vendors who just provide simplicity for the sake of convenience could be held accountable if they release IoT devices that don’t comply with security, and home consumers need to be aware of this. According to Craig Young of Tripwire:
“Many vendors in the IoT space seem to have little or no concern regarding the safety and security of their customers.”
There is not much IoT regulation and there are few standards, so some industry professionals and vendors have gathered to try to make IoT more secure. ICSA Labs now offers a security testing program for IoT products, following the ‘CyberUL’ security certification program. These standards are continuing to develop, but in 2017 there are no IoT certified device specifications that have become industry standards on products. The lack of technical standards, along with proprietary systems, makes IoT security standards a complex issue. The IoT Cybersecurity Improvement Act of 2017 was meant for government use of IoT devices. The bill would require vendors of Internet-connected devices purchased by the federal government to make sure the devices can be patched when security updates are available; that the devices do not use hard-coded (unchangeable) passwords; and that vendors ensure the devices are free from known vulnerabilities when sold. For home consumers there is no bill to guarantee their security from IoT devices. Due to the increasing concerns over security, the Internet of Things Security Foundation (IoTSF) was launched on September 23, 2015. The IoTSF’s aim is to promote best practice and knowledge about Internet security. Right now companies are putting together their own solutions for IoT, while home consumers don’t have much in place. That is why the FTC (Federal Trade Commission) has urged companies to adopt best practice for IoT, and there are also guidelines for IoT security on the FTC website (http://ftc.gov), which users can search. Network security vendors are also addressing these issues with new appliances and software that cover the most recent cybersecurity threats to the enterprise, and IoT has become an important topic.
For home consumers here are ways to address security of your IoT devices:
- Do not use a blank password, the device’s default password or a common password to access your IoT device. Use a strong password that is not easily guessable. Password protection is the most basic form of security.
- Change the default username of the device’s management console.
- Use the latest software provided by the vendor. Updating the software makes sure it is compliant with the product.
- Make sure you install the latest firmware from the product’s vendor, since updates often patch vulnerabilities and plug security holes.
- If you access your device via a web interface over the Internet, make sure your URL connection uses HTTPS for end-to-end encryption. If it does not, ask the vendor’s technical support how to secure the connection. If accessing locally, HTTP should be fine, so long as it is not shared over the Internet and only your computer can access it using a non-routable IP address.
- There are third party IoT Security Devices that can be used to protect your IoT devices at home. Do your research before buying one.
- When accessing your IoT device from public WiFi, use a VPN connection, since most public WiFi networks are not secure.
- Use WPA2 for WiFi security when connecting your IoT devices at home.
- If your IoT device comes with other security features, enable them to provide more layers.
- Ask for professional help if you do not understand how to implement security for your IoT device.
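
The checklist above can be turned into a small audit over a home device inventory. The Python below is an added example, not code from the article or any vendor; the inventory fields, the sample password and username lists, and the devices themselves are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lists; extend them with the defaults from your device manuals.
COMMON_PASSWORDS = {"admin", "password", "12345", "123456", "default"}
DEFAULT_USERNAMES = {"admin", "root", "user"}
# RFC 1918 private ranges: addresses that are not routed on the public Internet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_local_address(host):
    """True when host is an IP literal in a non-routable or loopback range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name may resolve anywhere; treat it as Internet-facing
    return ip.is_loopback or any(ip in net for net in LOCAL_NETS)

def audit_device(dev):
    """Return the checklist findings for one inventory entry (a dict)."""
    findings = []
    pw = dev.get("password", "")
    if not pw:
        findings.append("blank password")
    elif pw.lower() in COMMON_PASSWORDS or pw == dev.get("factory_password"):
        findings.append("default or common password")
    if dev.get("username", "").lower() in DEFAULT_USERNAMES:
        findings.append("default username")
    if dev.get("url"):
        url = urlsplit(dev["url"])
        # Plain HTTP is tolerated only for a non-routable address, as the list states.
        if url.scheme != "https" and not is_local_address(url.hostname or ""):
            findings.append("web interface reachable without HTTPS")
    if dev.get("wifi_security", "").upper() not in {"WPA2", "WPA3"}:  # WPA3 succeeds WPA2
        findings.append("WiFi not using WPA2")
    if dev.get("firmware") != dev.get("latest_firmware"):
        findings.append("firmware out of date")
    return findings

# Constructed inventory (documentation-range IP, made-up credentials and versions).
INVENTORY = [
    {"name": "camera", "username": "admin", "password": "admin", "wifi_security": "WEP",
     "url": "http://203.0.113.10:8080/", "firmware": "1.0", "latest_firmware": "1.2"},
    {"name": "thermostat", "username": "homeowner", "password": "T7#rvq-Lm2!xZp9w",
     "wifi_security": "WPA2", "url": "http://192.168.1.20/", "firmware": "2.4", "latest_firmware": "2.4"},
]

def audit_all(inventory):
    return {dev["name"]: audit_device(dev) for dev in inventory}

if __name__ == "__main__": print(audit_all(INVENTORY))
```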
There are so many ways IoT devices are implemented that we could go on and on with further discussion. The convenience IoT provides in connecting our devices is a benefit; just don’t ignore the threat to your security, privacy and safety.