Despite increased consumer interest, new scenarios, and multi-million-dollar investments, Internet of Things is still struggling with one of the worst problems of the hi-tech industry – security. The recent DDoS attack on DynDNS where hackers exploited insecure cameras and DVRs is just an indication of what can potentially go wrong in the world of connected devices.
Multiple factors are contributing to this growing menace. Lack of awareness among consumers followed by the lack of consensus on security standards among the industry players are the key reasons.
Last year, Mattle, the toy company that creates the popular Barbie dolls for kids added speech capabilities to the toy. Dubbed as Hello Barbie, children can interact with this next generation toy by asking a variety of questions to which Barbie would respond through funny answers. The toy comes with an accompanying mobile app that is used to configure WiFi to connect it to the Internet. While this looks like a natural extension of the Barbie franchise into the connected world of IoT, this turned into a delight of hackers. Security researchers found many flaws in the toy that would let hackers easily reuse the authentication credentials to gain access to the home network.
The other infamous experiment in which the security researchers hacked a Jeep Cherokee created ripples in the industry. Of course, Jeep responded to the threat by promptly issuing a patch.
When an average consumer buys a connected device, the user manual guides her through the typical process of connecting and configuring it. There is very little emphasis on protecting and securing the device and the network. Most of the consumers don’t even change the default username, password, and the wireless key of the connected devices.
What’s important to understand is that this device can potentially become the back door to the home network providing access to the PCs, printers, televisions, and refrigerators, and other appliances. Once a hacker gains access to your network, he can remote control each of the connected devices to make them a part of an orchestrated attack. The deceptively simple devices like smart hubs, TVs, and cameras turn into dangerous weapons running malicious code often referred to as Bots. Hackers go on to create a massive network of bots – Botnet – that spans multiple countries and continents to participate in an attack. Mirai, an open source bot was used in creating a botnet that initiated an unprecedented DDoS attack DynDNS.
While it is not practical for consumers to implement the same security processes used by enterprises in their datacenters, they need to apply a few best practices.
- Always change the default username and password of the device. This includes everything from the WiFi router to the smart home hub.
- Take time to replace the default WiFi SSID and password exposed by the device.
- If your WiFi router supports it, create a separate wireless network (aka guest network) with a secure password. Connect your PCs, printers, and NAS to the primary network while moving your IoT appliances to the guest network. This would create an isolation between your primary network and secondary network making it a bit more difficult for hackers to break into your home network.
- Disable SSID broadcast and then implement MAC address filtering on your WiFi network. While this may not be offering bullet-proof security, it just obscures your wireless network adding another step to discovering it.
- Frequently check for firmware upgrades of your connected devices. This will ensure that you have the latest updates that patch known vulnerabilities and security flaws.