Change Default Passwords
According to Brad Ree, CTO of the ioXt Alliance, too many IoT devices have universal, simple passwords, so you should change default passwords and make sure not to reuse passwords. Take advantage of new authentication options, such as Google Authenticator and biometrics, including fingerprint or facial recognition, he adds.
Indeed, default passwords are a major problem across industries because manufacturers share them across product lines and product groups, says Jeremy Boone, technical director at NCC Group. Be aware that more states will pass laws banning default passwords, as California and Oregon did. For example, under the California law, single, hard-coded passwords are not allowed, and every IoT device must either have a unique password or require the user to generate a new password before using a device for the first time.
Think with your head
Erez Yalon, director of security research at Checkmarx, points to using some common sense. Think about the kinds of devices you bring into your home and the connectivity they require, he advises. For example, does your baby really need a baby pacifier with an IP address?
Also, just about anything you bring into your home today has a camera and microphone, so start by being aware of the capabilities the unit has and keep it away from your workspace. In addition, turn off IoT devices or put a piece of tape over the camera or microphone when not in use.
Inventory your assets
Consider borrowing a page from enterprise security pros by creating an inventory of your devices, says Daniel dos Santos, research manager at Forescout Technologies. Even though there’s a lot of focus on the smaller IoT devices, such as babycams and monitors, threat actors are more focused on laptops and smartphones.
“That’s where people store their sensitive data, like their bank accounts and credit cards,” dos Santos says. “And those devices are susceptible to being encrypted by ransomware.”
Segment the home network
With so many devices coming into the home, think about creating a subnet — a segmented piece of a larger network — for your IoT devices, the ioXt Alliance’s Ree says. Most home routers let you run two wireless network names, known as SSIDs, so especially if you’re working from home, you can run one SSID for your work devices and a second one for your home devices and appliances with IP addresses.
Checkmarx’s Yalon echoes Ree about thinking in terms of segmenting devices as they come into the home. For example, when you bring a new device into the house, one of the first questions to ask is which network segment it should reside on.
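The inventory and segmentation advice above can be checked together. The following Python sketch is an added example, not part of the original article or any vendor's tooling: it compares a constructed neighbor table, in the format printed by `ip neigh show` on Linux, against an owner-maintained inventory. The subnets, MAC addresses and device names are all assumptions made up for illustration.

```python
import ipaddress

# Assumed addressing plan: one subnet per SSID (illustrative values).
SEGMENTS = {
    "work": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}

# Owner-maintained inventory keyed by MAC address (constructed entries):
# MAC -> (device name, segment the device is supposed to live on).
INVENTORY = {
    "3c:22:fb:10:aa:01": ("work laptop", "work"),
    "a4:77:33:9e:12:0c": ("smart speaker", "iot"),
    "50:c7:bf:01:02:03": ("baby monitor", "iot"),
}

# Constructed sample in the format of `ip neigh show`.
SAMPLE_NEIGH = """\
192.168.10.21 dev wlan0 lladdr 3c:22:fb:10:aa:01 REACHABLE
192.168.10.57 dev wlan0 lladdr a4:77:33:9e:12:0c STALE
192.168.20.14 dev wlan1 lladdr 50:c7:bf:01:02:03 REACHABLE
192.168.20.30 dev wlan1 lladdr f0:9f:c2:aa:bb:cc STALE
192.168.20.99 dev wlan1  FAILED
"""

def parse_neighbors(text):
    """Return (ip, mac) pairs for entries that have a resolved MAC address."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED/INCOMPLETE entries carry no MAC address
        mac = fields[fields.index("lladdr") + 1].lower()
        pairs.append((ipaddress.ip_address(fields[0]), mac))
    return pairs

def segment_of(ip):
    """Name of the segment whose subnet contains ip, or None."""
    return next((name for name, net in SEGMENTS.items() if ip in net), None)

def audit(text):
    """List devices missing from the inventory or sitting on the wrong segment."""
    findings = []
    for ip, mac in parse_neighbors(text):
        seen_on = segment_of(ip)
        if mac not in INVENTORY:
            findings.append((str(ip), mac, f"not in inventory (seen on {seen_on})"))
            continue
        name, expected = INVENTORY[mac]
        if seen_on != expected:
            findings.append((str(ip), mac, f"{name} belongs on {expected}, seen on {seen_on}"))
    return findings
```

Calling `audit(SAMPLE_NEIGH)` reports the smart speaker that joined the work network and the one device that is not in the inventory at all.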
Buy products from companies that care about IoT security
IoT devices are small devices that often cost $10 or $20 — $100, tops — so margins are thin. That’s why so many IoT manufacturers don’t build security into their devices. On smaller-ticket items, there may not be much of a choice, but for some of the more prominent IoT devices, Checkmarx’s Yalon advises taking note of how the different companies respond once security researchers point out vulnerabilities in their products.
On two different occasions, once with an Amazon Alexa and also with Google-Samsung on an Android camera, Checkmarx found some flaws, and both times the giant tech companies took responsibility and responded within a few weeks with security patches, Yalon notes. Google surprised Checkmarx by first releasing a “quick-and-dirty” fix almost immediately to make sure its users were safe, even at the expense of temporarily deactivating a specific feature. Once that was out the door, Google started working on a long-term fix. Amazon, too, was very collaborative and transparent during the entire disclosure and remediation process, Yalon says, not only mitigating the specific attack vector, but learning what the company did, thinking ahead, and putting safety measures in place for other attack scenarios.
Look for different features in products that make it easier to reset the device, NCC’s Boone adds. “Take the time to see if there are any added security features and what the security posture of the company is before bringing something into your home,” he says. “At least for now, people should buy from first-line suppliers and known manufacturers.”
Patch and update frequently
Make patching and updating software on your IoT devices a regular part of your routine, Forescout’s dos Santos says. Also, ensure the latest version of the firmware is loaded on the device before using it, turn off Universal Plug and Play (UPnP) on IoT devices, and enable HTTPS so all web browsing activities are encrypted.
The ioXt’s Ree advises checking to see whether the security has been enabled on your printers or home security cameras. Typically, manufacturers don’t lock down items such as these, so the bad guys can enter your network by sneaking through your peripherals and IoT devices. You can check by entering the IP address of your browser on the command line, and the interface for the product should come up. In many instances, it takes three or four steps to arrive at the passwords link — and that’s if you get past other obstacles because the browser may not tell you to click “Advanced” on the settings.
“There really needs to be an easy way for consumers to get on the settings and in one or two clicks set the password for the printer,” he says. “Most consumers wouldn’t even think to check their printers and set the password.”
Look for 5G SIMs
So much has been written about 5G technology, though much of it is still hype. However, later this year and into the first part of 2021, start looking for 5G SIMs in standard IoT devices, says Jimmy Jones, telecom business development lead at Positive Technologies. You will benefit by getting the same kind of authorization, authentication, and encryption that you get on your smartphones and on most standard IoT devices.