Did you hear about the Internet of Things (IoT)? Many people still refer to it like it’s some kind of fictional sci-fi future we’ve yet to inhabit. The truth is it’s already here. Look around you. I guarantee you won’t have to look very far or very hard to find it lurking in your home.
How about that smart TV? Or your home router? Or maybe you use internet-connected baby monitors or home security systems? It’s everywhere, and it has the capacity to change our lives for the better. But it’s also broken, and that’s bad news, because where there are digital assets, there are always cybercriminals ready to exploit them.
Consumers need to familiarise themselves with this ‘new normal’ in the era of the smart home. And they need to get better at securing this space from virtual intruders. That means starting with the cyber front door to your smart home: the router.
It’s here, it’s broken
So the IoT is here, and it comes with connectivity baked in at the silicon layer. It’s that connectivity which is one of the Achilles heels of the Internet of Things, because it ultimately allows remote hackers to get inside your home. If you’re still sceptical, I’d urge you to go and have a look around your house or apartment. Even a relative technophobe will have at least five IoT gadgets at home. It doesn’t have to be anything as niche as a smart cat litter tray which monitors your pet’s toilet movements. Even an internet-connected music system counts.
The bad news is that there isn’t a single category of smart devices in the modern home that hasn’t been breached or compromised. Not one. Baby cams are a frequent target for hackers, either simply to make mischief or to spy on their victims. Most recently a Washington couple were horrified to walk in on their infant son only to find a stranger speaking to him through the device. If we count your connected car as part of your smart home, then Valasek and Miller’s 2015 Black Hat presentation should also worry you. In it, they demonstrate how remote hackers could control the steering and brakes of a 2014 Jeep Cherokee.
Yes, the smart home is broken from a security perspective, and don’t expect it to change any time soon. Consumers need to understand that digital is at the heart of our daily lives, whether that’s banking, connecting on social media, sharing personal information with loved ones or, in the case of IoT, even protecting our family. So, digital security has a huge bearing on financial security, privacy and physical security.
The Internet of Things devices in your home will usually connect to the outside world via your router, a bit like a cyber front door. But the difference is that your real front door is designed to keep the bad guys from your local area out – after all, that’s where house robbers usually come from. In the world of the smart home and IoT, the bad guys could come from anywhere in the world and remotely attack your home via that connectivity we spoke about. What’s more, that router is always connected, plugged into the mains so it never runs out of juice, and links up to all your smart devices – an ideal target.
Getting smart about security
Why are smart home devices designed with such scant regard for cyber security? Not because it’s too expensive. That’s a long-standing myth. It’s because security interferes with usability – the cardinal sin if you’re producing consumer-grade technology. It has to work, out-of-the-box, in as few steps as possible. Adding any more processes, even to make the thing more secure, is seen as commercial suicide.
But I think consumers want to be treated as adults. And they want to protect their homes, their data, their privacy, and their families. But at the moment they’re not being given the tools and the know-how to do that. There are actually a lot of things that can be done to make your smart home more secure, simply by tweaking the router settings.
So let’s run through some key recommendations. Remember, the more you achieve, the more secure your devices become … but it will also take more effort.
- The first step is understanding that the router is the virtual gateway into your home. And that you need to know how to manage it if you’re going to improve security.
- Make sure the firmware on your router is regularly updated. Manufacturers may be slow in patching flaws but when they do, it’s usually up to you to implement them. In October last year it emerged that attackers had exploited a Netgear bug to change DNS settings on some devices, allowing them to snoop on users or even redirect them to malicious sites.
- Change the password on the admin console from the default. And make sure you can only do this from the home network (either Wi-Fi or Ethernet cable whilst at the device) – making the portal accessible over the internet only introduces more security risk. In 2014 a Team Cymru report detailed how attackers were able to hack a range of routers, some by using default credentials or else brute-force password-guessing via an admin panel exposed to the internet.
- Take the time to set up the DNS configuration to avoid automatic DHCP address assignment, changing it from the default. This will make it yet harder for hackers to exploit potential vulnerabilities.
- Don’t enable any consumer-oriented services like UPnP which make it easier to share data between devices. They open up silent holes in your firewall which hackers can exploit. In 2013, researchers discovered 6,900 products sold by 1,500 separate vendors that contained at least one UPnP vulnerability.
- Enable MAC filtering. A MAC address is a unique identifier for a network interface, and filtering on it will make it harder for rogue devices to connect to your network. Yes, sophisticated hackers could spoof a MAC address but this is all about making it harder for them – so they hopefully give up and try elsewhere.
- Allow guests only to use the guest network on the router. This will help create “security-by-separation” so that if someone introduces a virus or similar threat it will be contained. Assume all guest devices are compromised – especially Windows laptops and Android phones/tablets.
- Assume not just all guests but all your devices are compromised and put them on the guest network too. The drawback of this is that these devices won’t be able to talk to each other, but when have they really needed to do that anyway? At a push you could put your printer and any devices that need to connect to it (laptop, desktop etc) on the main home network, so that they can still communicate.
- Don’t open any ports on your firewall. The Internet firewall is the primary security feature on your router, filtering traffic coming in and out. It’s like a virtual cat or dog flap, allowing your trusted pets in but not robbers or thieves. Opening ports would be akin to leaving your door wide open. It was reported that an $81 million robbery from the central bank of Bangladesh earlier this year was made possible in part because the bank had no firewall on its network. That should be warning enough of the importance of well-maintained firewalls.
Remember, cybercriminals will usually follow the path of least resistance. So the key is to discourage them by making attacking your smart home not worth the effort. The more of the above steps you put in place the less attractive a target your router will be – it’ll be like putting more locks and reinforcements on your front door.
Cesare Garlati, chief security strategist, prpl Foundation