Hitesh Kargathra, lead security consultant at Falanx Group, shows us what it takes to increase the security of our smart devices in this hyper-connected world.
“Smart”, or “IoT,” devices are all around us – in our living rooms, kitchens, bedrooms, garages, bathrooms and cupboards. We use them to automate lighting, secure our homes, to create a more immersive sensory experience when watching TV, listening to music and even to alert us to fires and pollutant gases to keep our families safe.
YouGov’s Smart Homes 2018 Report indicates that close to a quarter of Britons (23%) own one or more smart home devices (excluding smart meters), while one in ten now (8%) have two or more, underlining the IoT sector’s growing prominence. By 2020, it is predicted that there will be 26 billion connected devices globally - a 30-fold increase from 2009.
However, with the proliferation and interconnectedness of smart devices, and our increasing reliance on them, comes an equally sizeable, pervasive and severe set of security risks. There are billions of IoT devices and therefore billions of attack vectors for hackers to exploit.
If everything in our homes becomes “smart”, as some commentators predict, then will our lives be enriched or at greater risk of being hacked or breached? For this reason, the interconnected power of IoT, and the devices that comprise it, are a double-edged sword.
Security measures: “the basics”
Firstly, it is imperative to change all default passwords on smart devices to unique, strong passwords. Where the smart device uses a cloud service, it is also advisable to enable 2-factor authentication (2FA) where available. For example, you could use a strong password and an additional step such as an SMS code to access the service and make said devices more secure.
Secondly, it is recommended that you purchase devices and services from reputable brands and retailers and avoid the smaller brands that may be harvesting your data to supplement their revenue or have poorly secured cloud services that “support” your device.
Moreover, you should try to gauge whether the brand or manufacturer you buy from is likely to be operating in the coming months and years. If the brand or manufacturer becomes disinterested in a product line or goes into administration, their cloud service may cease to operate, and so too will certain features of your device(s). With such a reliance upon external services, as well as researching the device that you are purchasing, you should also research where you are purchasing it from.
Thirdly, always turn off devices that are not currently in use – a simple but effective and highly important security measure. For example, always ensure internal cameras are completely powered off when you are at home and only enabled once you leave. External cameras on the other hand are more useful when on, recording and alerting any movement around the clock.
Finally, give serious consideration to connecting vital services to the internet. For example, you put yourself at greater risk of facilitating physical access to your home if your house alarm or IoT door locks are compromised by an attacker.
The more “technical” security measures:
If you want to further increase the security of the smart devices on your network, it is also vital that you follow these key steps.
Firstly, you should segregate the network so that trusted devices, such as phones and PCs, are part of a separate logical network (VLAN) or are discretely routed directly to the internet without any interaction with other devices on the network. Depending upon the equipment connected to your internet connection, this may be completed through altering the configuration of your router. Isolating IoT devices significantly reduces the chance of an attack propagating across other devices.
Secondly, you should frequently monitor your wireless network to ensure that only allowed devices are connected to your home network.
Finally, rather than allowing some devices, such as internal security cameras, to connect to their cloud service, you should instead direct them to your own CCTV monitoring service within your home (e.g. NAS device or a PC). In doing so, you are able to minimise the risk of CCTV footage being intercepted. The local storage device can then be used to automatically upload footage securely to your own cloud storage service.
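The segregation and monitoring steps above can be checked together with a short script; this is an added example, not part of the original article. It assumes a Linux-based router whose `ip neigh show` output you can capture, and the subnets, MAC addresses and device labels are constructed for illustration.

```python
import ipaddress
import re

# Assumed layout: trusted devices and IoT devices sit on separate subnets (VLANs).
SEGMENTS = {
    "trusted": ipaddress.ip_network("192.168.1.0/24"),
    "iot": ipaddress.ip_network("192.168.10.0/24"),
}

# Constructed allowlist: MAC address -> (label, segment the device belongs on).
ALLOWED = {
    "3c:22:fb:00:00:01": ("laptop", "trusted"),
    "a4:cf:12:00:00:02": ("doorbell-camera", "iot"),
    "50:c7:bf:00:00:04": ("smart-plug", "iot"),
}

# Constructed sample of `ip neigh show` output; FAILED rows carry no hardware address.
SAMPLE = """\
192.168.1.20 dev br-lan lladdr 3C:22:FB:00:00:01 REACHABLE
192.168.10.31 dev br-iot lladdr a4:cf:12:00:00:02 STALE
192.168.1.44 dev br-lan lladdr 50:c7:bf:00:00:04 REACHABLE
192.168.10.77 dev br-iot lladdr de:ad:be:00:00:99 REACHABLE
192.168.1.99 dev br-lan  FAILED
"""

LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) dev \S+ lladdr ([0-9A-Fa-f:]{17})\b")

def segment_of(ip):
    """Name of the configured segment containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "unknown")

def audit(neigh_output):
    """Return (kind, ip, mac, detail) for unknown or misplaced devices."""
    findings = []
    for line in neigh_output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # unresolved or non-IPv4 entry: nothing to compare
        ip, mac = m.group(1), m.group(2).lower()
        seen_on = segment_of(ip)
        if mac not in ALLOWED:
            findings.append(("unknown-device", ip, mac, seen_on))
        elif ALLOWED[mac][1] != seen_on:
            label, expected = ALLOWED[mac]
            findings.append(("wrong-segment", ip, mac, f"{label}: expected {expected}, seen on {seen_on}"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A device can change its MAC address, so treat this as an inventory check that prompts investigation rather than as access control.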
Embracing IoT securely
Ultimately, your outlook should be one of sceptical readiness - assume that your IoT devices will be attacked and possibly compromised at some point. With that in mind, the idea is not simply to stop a hacker from accessing your devices, but also to limit what they are able to do after the device has been compromised. Isolating devices from each other and applying layers of security greatly reduce the opportunity for a successful attack and stunt the ability for a successful attack to impact more devices.
There are also the privacy concerns and trade-offs with IoT devices. Where at all possible, you should try to limit the amount of data that is sent to manufacturers’ cloud services, and unless you need to do so for payment purposes, you should rarely use real details or your main email address to sign up to these services. Our private data is a commodity. If you are going to provide this data, then you need to ensure that you get something of value in exchange.
Increasing the security and privacy of your IoT devices may in some instances mean that you sacrifice some of the convenience. The decision needs to sit with the IoT consumer as to where the balance between security, privacy and convenience lies.
To hear more about smart home security, you can listen to the following Falanx Group podcast.
Note: In October 2018 the UK Department for Digital, Culture, Media and Sport (DCMS) published a Code of Practice for Consumer IoT Security which provides guidelines to IoT Device Manufacturers, Service Providers and Mobile Application Developers to enhance IoT device security and privacy. If widely adopted this will support consumers in improving the security of their IoT devices.
There are already clear indications that large organisations such as HP, Centrica and Samsung are positive about implementing these guidelines. However, the key question is: how widely adopted will the guidelines be across smaller organisations who are often focusing on low-cost versus an ongoing service commitment for their IoT devices?