FBI Warns About IOT Vulnerabilities

One of the major trends in technology is the proliferation of smart devices, also known as the Internet of Things (IOT). The FBI recently released a public service announcement titled “Internet of Things Poses Opportunities For Cyber Crime.” More and more devices are coming with software, processors and network capability, and connecting to our home and business networks. This is creating a new target for cyber-criminals.

What sorts of devices are we talking about?

  • Automated thermostats and HVAC controls
  • Automated lighting controls
  • Security systems
  • Closed circuit and WiFi video surveillance equipment
  • Baby monitors, many with video live streaming capability
  • Medical devices such as heart monitors and insulin pumps
  • Wearable fitness devices like the FitBit
  • Smart TVs and DVRs
  • Smart appliances such as refrigerators
  • Web connected office printers
  • Web connected gaming platforms and entertainment devices like the Roku or Fire Stick
  • Fuel monitoring systems
  • And of course, computers, laptops, tablets and smartphones.

Often these devices use technologies such as Universal Plug and Play (UPnP), which makes setup a breeze but often allows people to leave the default passwords and settings in place. This gives cyber-attackers a fresh set of entry points into your networks at home and at the office, from which they can gain access to computers and servers where the valuable information is stored. The FBI recommends that home owners and business network administrators take the following steps:

  • Always replace default usernames and passwords with new ones. Avoid using the same credentials on all devices; if an attacker breaches one device, they then have access to all of them.
  • Disable UPnP on networking devices such as routers and switches.  UPnP allows devices to identify themselves and connect automatically to a network without user intervention.  Handy, no doubt, but very insecure.
  • Creating separate networks for different purposes is another recommendation. We already do this in some cases when we provide a “Guest WiFi” network that is separate from the main network. Creating a separate network for IoT devices will isolate them from the computer data network.
  • Evaluate which of these devices truly needs Internet connectivity. For instance, if you do not use print to the web capabilities on network printers, you should disable that feature.
  • Keep IoT devices and firmware updated.
  • Purchase IoT devices from known manufacturers with a good security reputation.
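
To check which devices on a network you administer still answer UPnP discovery after you have applied the steps above, the following sketch parses SSDP replies and flags any host that advertises itself as an Internet gateway device. It is an added example, not code from the FBI announcement or from this post; the addresses and product names in SAMPLE are constructed, and the function names are illustrative.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)  # standard SSDP multicast group and port
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n\r\n"
).encode()

def parse_ssdp(datagram: bytes) -> dict:
    """Return the headers of one SSDP reply as a dict with lower-case keys."""
    lines = datagram.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:  # line 0 is the HTTP status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def summarize(replies):
    """Collapse (ip, datagram) pairs into one finding per responding host."""
    hosts = {}
    for ip, datagram in replies:
        h = parse_ssdp(datagram)
        entry = hosts.setdefault(ip, {"server": h.get("server", "?"), "gateway": False})
        # A host advertising InternetGatewayDevice offers UPnP port mapping:
        # this is the router/switch setting the list above says to disable.
        if "InternetGatewayDevice" in h.get("st", "") + h.get("usn", ""):
            entry["gateway"] = True
    return hosts

def discover(timeout=3.0):
    """Send one M-SEARCH on the local network and collect the replies."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(M_SEARCH, SSDP_ADDR)
        try:
            while True:
                data, (ip, _port) = s.recvfrom(65507)
                replies.append((ip, data))
        except socket.timeout:
            pass
    return replies

# Constructed sample replies (not captured traffic) so the example runs offline.
SAMPLE = [
    ("192.0.2.1", b"HTTP/1.1 200 OK\r\nSERVER: ExampleOS/1.0 UPnP/1.0 ExampleRouter/1.0\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nUSN: uuid:0000::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"),
    ("192.0.2.20", b"HTTP/1.1 200 OK\r\nSERVER: ExampleTV/2.0 UPnP/1.0\r\nST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():  # use discover() instead of SAMPLE on your own LAN
        print(ip, info)
```

Any host that still appears after UPnP has been disabled, or that shows up on the main network instead of the separate IoT network, is worth a second look.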


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.