I have been collecting article links about cybersecurity issues affecting the increasing number of non-computer Internet connected devices, commonly known as the Internet of Things or IoT. In our enthusiasm to connect every device we own (thermostats, lighting controls, baby monitors, nanny cams and home security systems, etc.) to a smartphone app, the brilliant creators of these products are in too many cases overlooking security. This week, and possibly next, we will take a look at some of these devices.
The first thing to know is that a smart appliance is a computer, and has on it’s circuit board a processor, and some memory, and some solid state storage, and is running some version of Linux. In reality, these are little servers, in as much as a server differs from a computer in that a server generally is tasked with a single task, while a computer generally does many tasks. Web servers host web sites, and email servers provide email services, and file servers provide a central file repository for secure storage, ease of backup, and efficient access control and file sharing. So a NEST is really more of a temperature control server than a thermostat. A smart TV is an entertainment server. Just semantics, but it is important to put these devices into perspective. These are not your daddy’s appliances. These little toys are powerful in ways that we have not dealt with previously.
All these devices connect to our wired or wireless network, and from there on to the Internet. And most of these devices are horribly insecure out of the box. The few meager security controls that are built in are often unused by the purchaser, who leaves the default username and password used for device configuration unchanged.
Some of these devices have been successfully gathered into botnets, and used for distributed denial of service attacks against other companies, and or to set up a TOR-like chain of proxy servers to mask the source of communications or cyber-attacks. A year ago, Brian Krebs reported on one such botnet running on home routers, but it became known that some of the devices included DVRs and web cams, too.
The lesson for manufacturers is to start building these devices to be more secure. The lesson for the rest of us is to properly set up these devices by changing the default user name and password, and enabling whatever security is available, accepting updates as they are pushed to the device, and turning off remote management capabilities. If you are concerned about forgetting the password, sticking a label on the bottom of the device is more secure than leaving the default in place. If someone can read your label, you have other problems (intruder alert!)