IoT and raising security awareness among your non-technical friends

For years hospitals have been using IP-enabled carts to track the location of expensive medical equipment. For years manufacturing facilities have deployed large numbers of IP-enabled handheld scanners. And for years utility companies have been converting water meters and electric meters to IP-based platforms.  Most of these devices are part of some corporate network, but today the Internet of Things typically refers to the myriad of IP-enabled personal devices scattered throughout our homes and strapped to our bodies.

These devices are typically inexpensive, disposable, and seemingly innocent. But remember that the home typically isn’t a corporate network with professional security safeguards. Even the best network administrators and information security officers struggle with locking down their corporate networks, so how can the average non-technical person protect themselves, their personal information, and even their very safety in this world of ubiquitous and continual connectivity?

Security is the emerging concern for the Internet of Things, and we as technology professionals need to build an awareness of these issues with our non-technical friends.

The most common issues include:

1)  transmission of unencrypted data over the public internet

2)  access to device management interfaces that have minimal security mechanisms

3)  nothing in place to update and patch software and firmware

Whether it’s a thermostat you control from an app, a baby video-monitor you can stream on your computer, a pacemaker you can monitor from a website, or a residential front door you can unlock with your smartphone, the latest and most popular IoT devices affect us in very personal ways. These devices have very few, if any, security controls, and they typically rely on easy-to-use interfaces that aren’t necessarily secure.

Sure, the details vary device by device and manufacturer by manufacturer, but these seem to be the most common themes. I don’t think anyone is overtly against securing their home networks and individual devices, but there isn’t much awareness among the non-technical population of how vulnerable these types of devices truly are.

First, we in the technology industry know right away that opening port 80 inbound to your baby monitor stream is bad news, but that’s how many of these devices have been designed. Manufacturers of IoT devices haven’t put in the time and effort to secure their IP-enabled products to provide security out of the box. IoT devices often receive and send data over the public internet using unencrypted and therefore completely insecure channels.

In a corporate network, data can be easily segregated and encrypted so that devices using HTTP rather than HTTPS, for example, are surrounded by security boundaries that protect the rest of the network, and teleworkers typically use an encrypted remote-access VPN solution. In home networks, there is normally no overall network security strategy to accommodate unencrypted traffic containing personal information going out to the public internet. For the home network, an easy solution might be to use a trusted VPN proxy service.

Next, many of these devices have minimal authentication mechanisms to control access to a device. Perhaps this is an effort to remove burdensome security controls from the end-user experience, or maybe it’s in order to reduce the cost of the product. In any case, access to common IoT devices is often controlled by a simple password, and sometimes, in worst-case scenarios, there is no authentication at all.

This vulnerability should be top of mind for many of us following technology news considering the recent denial of service attack on DynDNS using millions (perhaps tens of millions) of infected IoT devices from around the world. 

It’s true that using longer passwords, changing them frequently, and enabling two-factor authentication all add work for the end-user of an IoT device, but this is likely the easiest way to add security to otherwise insecure devices.

Lastly, manufacturers should be providing the means to upgrade software and firmware from time to time in order to combat new security vulnerabilities. Ultimately, I believe this is something consumers have to demand, so we need to influence manufacturers to provide patches with their products along with step-by-step instructions for how to apply them. This is part of any decent corporate security program, and it should now be part of our personal security programs as well.

A huge diversity of IP-enabled devices on a corporate network isn’t anything new, but their proliferation in the home and strapped to our bodies is. As technology professionals, we need to build an awareness of these security issues with our non-technical friends. Some solutions are easy and relatively painless to implement, and I also believe that over time this growing awareness will influence manufacturers to change their designs.

  • Sort of an I.T. version of Angie's List.  I suppose it would cost an arm and a leg, or be under-supported.

    Maybe a Consumers' Reports version instead, for pay?  I don't see people with strong I.T. spending their time on doing security evaluations of IoT gear, at least, not for free or cheap.

    Too bad IoT designers, builders, and sellers aren't a lot more altruistic.

  • I feel like we need some type of consumer watch dog group that highlights these deficiencies and classifies these products (Good, Warning - Use with caution, Bad - completely insecure) or something like that.  The same group could provide basic how-to's that an average person could follow on how to do things correctly.

    Just a thought.

  • The machine is going to run our world and control our every move.  Can't wait to get either locked in or locked out of my house because I didn't secure my IP based door locks. Orwell was right: "Big Brother is Watching You."

  • DVRs have a bad history.  If you didn't read this story in one of the earlier polls, I think you'll find it interesting.  If you HAVE already read it, my apologies for wasting your time.

    Rick

    I've a coworker who not only does IT support for his family, he runs an international VoIP network out of his home to enable him to stay in touch with friends and family in Europe and Asia.

    Better still, he's a Security Guru and Network Analyst and SysAdmin, who's installed a 40-host VM cluster in his basement, along with Splunk and multiple firewalls, routers, & switches.

    He recently purchased a DVR from Alibaba for his multiple home security cameras.  When he set it up on his home network, his IDS/IPS caught it trying to get out to China every few minutes, and his Splunk analyzed it as a threat.  Fortunately his firewall stopped the traffic.  When he had time to analyze it, he set up a rule to temporarily allow it out to the desired potentially-malicious destination, and his IDS captured the .jpgs the DVR was sending to China without his authorization or direction.  Pictures from all his home's internal and external security cameras!  Twenty minutes later his DVR received information from a zombie master in China and began participating in a DDoS against a third destination.

    My friend was disgusted, and resolved to never buy anything from Alibaba again.

    VERY few users have his skill sets, or his home security network, to capture/discover/block this kind of violation of his privacy and integrity.  Given this one case, I suspect this is going on in many home users' equipment without their knowledge.
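The two behaviours this page describes, the article's point about IoT devices sending data to the public internet in the clear and the commenter's DVR checking in with a remote host "every few minutes", can both be spotted from a home router's connection log. The following is an added example, not code from the post or from any commenter; the log format (epoch seconds, source, destination, port, protocol), the LAN prefix and the set of plaintext ports are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of a home router's connection log (not from the page):
# <epoch seconds> <src ip> <dst ip> <dst port> <proto>
SAMPLE_LOG = """\
1000 192.168.1.20 198.51.100.7 80 tcp
1300 192.168.1.20 198.51.100.7 80 tcp
1600 192.168.1.20 198.51.100.7 80 tcp
1900 192.168.1.20 198.51.100.7 80 tcp
1050 192.168.1.21 192.168.1.10 80 tcp
1100 192.168.1.22 203.0.113.5 443 tcp
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN prefix
# Services that carry their data in the clear (assumed set of common IoT ports)
PLAINTEXT_PORTS = {80: "http", 23: "telnet", 21: "ftp", 554: "rtsp"}

def parse_log(text):
    """Turn log lines into (ts, src, dst, port, proto) tuples, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            ts, src, dst, port, proto = parts
            records.append((int(ts), src, dst, int(port), proto))
    return records

def plaintext_egress(records):
    """Map each LAN host to the (dst, service) pairs it reached in the clear outside the LAN."""
    findings = defaultdict(set)
    for _, src, dst, port, _ in records:
        if port in PLAINTEXT_PORTS and ipaddress.ip_address(dst) not in LAN:
            findings[src].add((dst, PLAINTEXT_PORTS[port]))
    return dict(findings)

def beacons(records, min_count=4, max_jitter=0.1):
    """Return {(src, dst, port): period} for flows that recur at a near-constant interval."""
    times = defaultdict(list)
    for ts, src, dst, port, _ in records:
        times[(src, dst, port)].append(ts)
    found = {}
    for flow, ts_list in times.items():
        if len(ts_list) < min_count:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):  # regular check-in, little jitter
            found[flow] = mean(gaps)
    return found
```

On the sample, the host at 192.168.1.20 is reported both for plaintext HTTP leaving the LAN and for a five-minute beacon to the same destination, while the HTTPS client and the LAN-only HTTP client are not flagged.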

  • Yea, I've done some work, both at home and for a charity I do some work for, with IP based video cameras and they're all over the board on security and the ability to be updated.  I think the worst is the DVRs, which I don't think they even consider you updating.  Fixing a security hole is rarely the reason for an update from the notes I saw of products that did get updated.

    A former employer was big in the security space too, making the gamut of products from a security server to the cameras and such, and their server was so insecure we wouldn't let it on our own network.  We gave feedback to the software programming department on how bad it was and how we were going about isolating it onto a different segment of our network behind its own firewall, and were basically told to mind our own business and they had it under control!?
