
IoT and raising security awareness among your non-technical friends

Level 10

For years hospitals have been using IP-enabled carts to track the location of expensive medical equipment. For years manufacturing facilities have deployed large numbers of IP-enabled handheld scanners. And for years utility companies have been converting water meters and electric meters to IP-based platforms.  Most of these devices are part of some corporate network, but today the Internet of Things typically refers to the myriad of IP-enabled personal devices scattered throughout our homes and strapped to our bodies.

These devices are typically inexpensive, disposable, and seemingly innocent. But remember that the home typically isn’t a corporate network with professional security safeguards. Even the best network administrators and information security officers struggle with locking down their corporate networks, so how can the average non-technical person protect themselves, their personal information, and even their very safety in this world of ubiquitous and continual connectivity?

Security is the emerging concern for the Internet of Things, and we as technology professionals need to build an awareness of these issues with our non-technical friends.

The most common issues include:

1)  transmission of unencrypted data over the public internet

2)  device management interfaces protected by minimal (sometimes no) authentication

3)  no mechanism for updating and patching software and firmware

Whether it’s a thermostat you control from an app, a baby video-monitor you can stream on your computer, a pacemaker you can monitor from a website, or a residential front door you can unlock with your smartphone, the latest and most popular IoT devices touch us in very personal ways. These devices ship with few, if any, security controls, and they are built around simple, easy-to-use interfaces that aren’t necessarily secure.

Sure, the details vary device by device and manufacturer by manufacturer, but these seem to be the most common themes. I don’t think anyone is overtly against securing their home networks and individual devices, but there isn’t much awareness among the non-technical population of how vulnerable these types of devices truly are.

First, we in the technology industry know right away that forwarding port 80 inbound from the internet to your baby monitor’s video stream is bad news: plain HTTP, reachable by anyone who scans for it. But that’s how many of these devices have been designed. Manufacturers of IoT devices haven’t put in the time and effort to make their IP-enabled products secure out of the box. IoT devices often send and receive data over the public internet on unencrypted channels, which means anyone sitting on the path between the device and its cloud service (the coffee-shop Wi-Fi your phone is on, for instance) can read the login credentials and the data itself.

In a corporate network, data can be segregated and encrypted so that devices using HTTP rather than HTTPS, for example, sit behind security boundaries that protect the rest of the network, and teleworkers typically use an encrypted remote-access VPN. In home networks, there is normally no overall security strategy to accommodate unencrypted traffic carrying personal information out to the public internet. A trusted VPN service is one easy step, but understand what it does and doesn’t do: it encrypts the hop from your home to the VPN provider, after which the device’s traffic is as exposed as before, and it does nothing about a port forwarded inbound to the device. The home equivalent of corporate segregation is putting IoT devices on the router’s guest network or a separate VLAN that can reach the internet but not your laptops and phones, and turning off UPnP so devices can’t open inbound ports on the router by themselves.
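To make the “unencrypted channel” problem concrete for a non-technical friend, the quickest demonstration is to show them their own camera password sitting in a packet capture. The script below is an example added for this post, not code from any product or from the original author: it takes a few constructed plaintext HTTP requests of the kind a camera or thermostat app might emit (the hosts, paths, and credentials are all made up) and reports every credential that crosses the wire in the clear, whether as HTTP Basic auth, a form field, or a query-string token.

```python
"""Spot credentials that an IoT device or its app sends over plain HTTP.

Example code written for this post; the sample requests below are
constructed, not captured from a real device.
"""
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed sample capture (not real traffic), one raw HTTP request per entry.
CAPTURE = [
    # Camera stream protected only by HTTP Basic auth: "admin:admin" base64-encoded.
    "GET /stream.cgi?res=640x480 HTTP/1.1\r\nHost: 203.0.113.10:80\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n",
    # App login posted as a plain form.
    "POST /login HTTP/1.1\r\nHost: camera.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=parent&password=hunter2&remember=1",
    # Thermostat API token in the URL.
    "GET /api/v1/temp?token=8f3a9c HTTP/1.1\r\nHost: thermostat.example\r\n\r\n",
    # Harmless request with nothing secret in it.
    "GET /index.html HTTP/1.1\r\nHost: 192.168.1.50\r\n\r\n",
]

# Parameter names treated as secrets (assumption: extend to match your devices).
SECRET_PARAMS = {"password", "passwd", "pwd", "token", "apikey", "api_key", "key"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_secrets(raw):
    """Return [(where, name, value), ...] for every credential sent in the clear."""
    _method, path, headers, body = parse_request(raw)
    found = []

    # HTTP Basic auth is only base64, not encryption: one call recovers user:password.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
            found.append(("basic-auth", user, password))
        except (ValueError, UnicodeDecodeError):
            found.append(("basic-auth", "<undecodable>", auth[6:]))

    # Secrets in the query string, and in the body when it is a URL-encoded form.
    sources = [("query", urlsplit(path).query)]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        sources.append(("form", body))
    for where, encoded in sources:
        for name, values in parse_qs(encoded).items():
            if name.lower() in SECRET_PARAMS:
                found.extend((where, name, v) for v in values)
    return found


def audit(capture):
    """Map each request's Host header to the secrets it leaks ([] means none seen)."""
    report = {}
    for raw in capture:
        _, _, headers, _ = parse_request(raw)
        report[headers.get("host", "?")] = find_cleartext_secrets(raw)
    return report


if __name__ == "__main__":
    for host, leaks in audit(CAPTURE).items():
        detail = "OK (no credential seen)" if not leaks else ", ".join(
            f"{where}: {name}={value}" for where, name, value in leaks)
        print(f"{host:<22} {detail}")
```

The same logic applied to a real capture (for example the text output of `tcpdump -A` on the home router) shows the friend exactly what the coffee-shop Wi-Fi sees; the point of HTTPS is that none of these three fields would be readable at all.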

Next, many of these devices have minimal authentication mechanisms controlling access to the device. Perhaps this is an effort to remove burdensome security controls from the end-user experience, or maybe it’s done to reduce the cost of the product. In any case, access to common IoT devices is often controlled by a single simple password, frequently a factory default that is identical on every unit of that model, and sometimes, in the worst cases, there is no authentication at all.

This vulnerability should be top of mind for anyone following technology news after the recent denial-of-service attack on Dyn’s DNS service, carried out by a botnet of infected IoT devices from around the world. Early reports spoke of millions of devices; Dyn’s own estimate was on the order of 100,000 endpoints, but the part that matters here is how they were recruited: by logging in over the internet with the factory-default usernames and passwords the devices shipped with.

It’s true that longer passwords and two-factor authentication add work for the end-user of an IoT device, but this is likely the easiest way to add security to otherwise insecure devices. The single most important step is replacing the factory default with a password that is unique to that device; changing it on a schedule matters far less than making sure it isn’t the one printed in the manual and shared with every other unit on the market.

Lastly, manufacturers should provide a way to update software and firmware, ideally an automatic one, so that vulnerabilities discovered after the device ships can be fixed in the field. Ultimately, I believe this is something consumers have to demand, so we need to push manufacturers to provide patches for their products along with step-by-step instructions for applying them, and to say up front how long a product will keep receiving them. This is part of any decent corporate security program, and it should now be part of our personal security programs as well.

A huge diversity of IP-enabled devices on a corporate network isn’t anything new, but their proliferation in the home and strapped to our bodies is. As technology professionals, we need to build an awareness of these security issues with our non-technical friends. Some solutions are easy and relatively painless to implement, and I believe that over time this growing awareness will also influence manufacturers to change their designs.

23 Comments
MVP

Pretty much sums things up.  The biggest point is that these consumer devices are set up for the lowest common denominator to set up and use, essentially plug and play as much as possible.  Most consumers don't have the first clue on securing the tech nor do they want to set up anything other than point and click. Anything else is too much effort, then they blame the manufacturer for their lack of urgency in making things secure. 

Level 10

Yes - you said it well - most of these devices are set up for the lowest common denominator. I'd like to see manufacturers do more to secure their devices out of the box and then advertise that as one of their differentiators. Of course the issue will be doing so in such a way as to make it easy and seamless for the end-user.

MVP

With the large number of possible environments the device could end up in, it's harder to plan for many things.

This should be required reading for anyone using the Internet.  Or at least for IT departments and business administrators and Security folks.

Thanks for providing it again.  Next, update it with links to resources we can share with less tech-savvy folks, which can help them understand how to be safe while being connected.  That's going the full-service route.

It takes too long for people to learn to not only report an issue, but to make a helpful suggestion to resolve it.  That advice empowers people to more quickly make problems go away.

Level 10

Actually, that's a great idea and I wish I'd thought of that! Maybe I will do a follow-up.

Level 14

Agreed.  Most people ensure they have door locks and deadbolts.  Maybe even a security system.  However, it never enters their mind to secure their many "Smart" devices.

Level 20

The not patching part or even having a decent interface to patch is a real problem... I think we'll see this change hopefully more in the future.

MVP

Interesting... many of the so-called "smart devices" are pretty much just as dumb as their predecessors; they just provide more opportunities for their owner to diminish the level of security in the name of being connected.

I know folks working at the proving ground for this study:

It’s Insanely Easy to Hack Hospital Equipment | WIRED

Level 14

Right.  Just because it can be done is not justification for doing it. 

MVP

Agreed, but there are those that think otherwise.

Level 13

I've been able to convince some of my friends and family, but others are like - so what, as long as mine works...

MVP

They will think otherwise after they get hacked....or worse.

Just think of the financial issues when someone plays with their heating or A/C when they are not home running the bills up

or jacking with it when they are asleep.  Then there is the connected lock that is "unlocked" allowing others to gain entrance and ransack or worse.

Ugh...

Level 13

At least I've convinced them to read the manual and change the default passwords...

MVP

That is a good start.  It at least prevents the most basic attacks seen today.

Level 13

yeah, but what if your smart device is actually controlling your deadbolt?  How about a double hack to rob your house??

MVP

or worse, lock you in....

Bypass the issue entirely and just say "no" to IoT completely.  Fads and beautiful advertising don't matter when it comes to your personal and financial security.

Frankly, there should've been processes in place to prevent the design and construction of IoT devices.  That way there'd be none to sell.

MVP

Yea, I've done some work, both at home and for a charity I do some work for, with IP based video cameras and they're all over the board on security and the ability to be updated.  I think the worst is the DVRs, which I don't think they even consider you updating.   Fixing a security hole is rarely the reason for an update from the notes I saw of products that did get updated.

A former employer was big in the security space too, making the gamut of products from a security server to the cameras and such, and their server was so insecure we wouldn't let it on our own network.  We gave feedback to the software programming department on how bad it was and how we were going about isolating it onto a different segment of our network behind its own firewall, and were basically told to mind our own business and they had it under control!?

DVRs have a bad history.  If you didn't read this story in one of the earlier polls, I think you'll find it interesting.  If you HAVE already read it, my apologies for wasting your time.

Rick

I've a coworker who not only does IT support for his family, he runs an international VoIP network out of his home to enable him to stay in touch with friends and family in Europe and Asia.

Better still, he's a Security Guru and Network Analyst and SysAdmin, who's  installed a 40-host VM cluster in his basement, along with Splunk and multiple firewalls, routers, & switches.

He recently purchased a DVR from Alibaba for his multiple home security cameras.  When he set it up on his home network, his IDS/IPS caught it trying to get out to China every few minutes, and his Splunk analyzed it as a threat.  Fortunately his firewall stopped the traffic.  When he had time to analyze it, he set up a rule to temporarily allow it out to the desired potentially-malicious destination, and his IDS captured the .jpgs the DVR was sending to China without his authorization or direction.  Pictures from all his home's internal and external security cameras!  Twenty minutes later his DVR received information from a zombie master in China and began participating in a DDoS against a third destination.

My friend was disgusted, and resolved to never buy anything from Alibaba again.

VERY few users have his skill sets, or his home security network, to capture/discover/block this kind of violation of his privacy and integrity.  Given this one case, I suspect this is going on in many home users' equipment without their knowledge.
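The two behaviours in the DVR story above (regular check-ins to one outside address every few minutes, then a sudden burst of connections to many different hosts) are exactly what an IDS rule or a Splunk search keys on, and neither needs a 40-host cluster. The following is an example added to this thread, not the coworker's actual IDS or Splunk configuration: it runs two simple detections over a constructed outbound-connection log in a generic "timestamp source destination port bytes" format (the addresses, timing and thresholds are all assumptions chosen to mirror the story) and flags beaconing flows and fan-out from a single host.

```python
"""Flag an IoT host that beacons to one outside address and then fans out.

Example added to this thread, not the setup described in the story.
The log below is constructed to mirror it: 192.168.1.40 is the DVR,
192.168.1.20 is a laptop with ordinary, irregular traffic.
Record format (an assumption): "ts src dst dport bytes".
"""
from collections import defaultdict
from statistics import mean, pstdev

LOG_LINES = (
    # DVR uploads to one address every 120 s, six times in a row.
    [f"{1477000000 + i * 120} 192.168.1.40 198.51.100.7 443 {52000 + (i * 37) % 300}"
     for i in range(6)]
    # ...then, within a minute, connects to 25 different hosts: the DDoS phase.
    + [f"{1477001700 + i * 2} 192.168.1.40 203.0.113.{i + 1} 80 400"
       for i in range(25)]
    # Laptop: a handful of connections at irregular intervals.
    + ["1477000030 192.168.1.20 198.51.100.9 443 2300",
       "1477000905 192.168.1.20 198.51.100.9 443 1500",
       "1477001150 192.168.1.20 192.0.2.80 443 90000",
       "1477002200 192.168.1.20 198.51.100.9 443 700"]
)


def parse(lines):
    """Yield (ts, src, dst, dport, nbytes) from 'ts src dst dport bytes' records."""
    for line in lines:
        ts, src, dst, dport, nbytes = line.split()
        yield int(ts), src, dst, int(dport), int(nbytes)


def find_beacons(records, min_hits=4, max_cv=0.1):
    """Flows whose inter-connection gaps are nearly constant.

    Returns {(src, dst, dport): period_seconds}. A flow qualifies when it has
    at least min_hits connections and the coefficient of variation of the
    gaps (stdev / mean) is at most max_cv; human traffic is far more ragged.
    """
    times = defaultdict(list)
    for ts, src, dst, dport, _ in records:
        times[(src, dst, dport)].append(ts)
    beacons = {}
    for flow, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_cv:
            beacons[flow] = period
    return beacons


def find_fanout(records, window=60, min_dsts=20):
    """Sources that reach >= min_dsts distinct destinations inside any window.

    Returns {src: max_distinct_destinations_seen_in_one_window}. A camera or
    DVR has no business talking to dozens of new hosts in a minute.
    """
    by_src = defaultdict(list)
    for ts, src, dst, _, _ in records:
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            if distinct >= min_dsts:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def triage(lines):
    """Run both detections over the log and return their findings."""
    records = list(parse(lines))
    return {"beacons": find_beacons(records), "fanout": find_fanout(records)}


if __name__ == "__main__":
    findings = triage(LOG_LINES)
    for (src, dst, dport), period in findings["beacons"].items():
        print(f"beacon: {src} -> {dst}:{dport} every {period:.0f}s")
    for src, n in findings["fanout"].items():
        print(f"fan-out: {src} reached {n} distinct hosts within 60s")
```

Both thresholds are deliberately conservative; on a real home network the beacon check will also catch legitimate cloud keep-alives, so the useful next question is whether the destination is one the device's vendor actually documents, and whether the device starts fanning out afterwards.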

Level 13

The machine is going to run our world and control our every move.  Can't wait to get either locked in or locked out of my house because I didn't secure my IP based door locks. Orwell was right: "Big Brother is Watching You".

Level 21

I feel like we need some type of consumer watchdog group that highlights these deficiencies and classifies these products (Good, Warning - Use with caution, Bad - completely insecure) or something like that.  The same group could provide basic how-to's that an average person could follow on how to do things correctly.

Just a thought.

Sort of an I.T. version of Angie's List.  I suppose it would cost an arm and a leg, or be under-supported.

Maybe a Consumers' Reports version instead, for pay?  I don't see people with strong I.T. spending their time on doing security evaluations of IoT gear, at least, not for free or cheap.

Too bad IoT designers, builders, and sellers aren't a lot more altruistic.