I have been collecting article links about cybersecurity issues affecting the increasing number of non-computer, Internet-connected devices, commonly known as the Internet of Things or IoT. In our enthusiasm to connect every device we own (thermostats, lighting controls, baby monitors, nanny cams and home security systems, etc.) to a smartphone app, the brilliant creators of these products are in too many cases overlooking security. This week, and possibly next, we will take a look at some of these devices.
The first thing to know is that a smart appliance is a computer: it has on its circuit board a processor, some memory, and some solid state storage, and it is running some version of Linux. In reality, these are little servers, inasmuch as a server differs from a computer in that a server is generally dedicated to a single task, while a computer generally does many tasks. Web servers host web sites, email servers provide email services, and file servers provide a central file repository for secure storage, ease of backup, and efficient access control and file sharing. So a NEST is really more of a temperature control server than a thermostat. A smart TV is an entertainment server. Just semantics, but it is important to put these devices into perspective. These are not your daddy’s appliances. These little toys are powerful in ways that we have not dealt with previously.
All these devices connect to our wired or wireless network, and from there on to the Internet. And most of these devices are horribly insecure out of the box. The few meager security controls that are built in are often unused by the purchaser, who leaves the default username and password used for device configuration unchanged.
Some of these devices have been successfully gathered into botnets and used for distributed denial of service attacks against other companies, and/or to set up a TOR-like chain of proxy servers to mask the source of communications or cyber-attacks. A year ago, Brian Krebs reported on one such botnet running on home routers, but it became known that some of the devices included DVRs and web cams, too.
The lesson for manufacturers is to start building these devices to be more secure. The lesson for the rest of us is to properly set up these devices by changing the default user name and password, enabling whatever security is available, accepting updates as they are pushed to the device, and turning off remote management capabilities. If you are concerned about forgetting the password, sticking a label on the bottom of the device is more secure than leaving the default in place. If someone can read your label, you have other problems (intruder alert!).
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com