Author: Lee Seidman
Using the latest encryption protocol WPA3™ (Wi-Fi Protected Access 3) or relying on the older WPA2 Personal is the standard to try to restrict unauthorized connectivity to one’s network (neither is perfectly secure, but they are better than predecessors WPA and WEP [Wireless Equivalent Privacy]). However, these measures are intended for access control to a network; they are not engineered to protect against compromised devices that already have connectivity. IoT (Internet of Things, or simply devices that can be put directly online) devices such as refrigerators, thermostats, baby monitors, cars, camera systems, Internet-linked billboards, wearable devices, televisions, and SmartHubs (for example, Amazon Alexa or Google Home) have become mainstays in homes and businesses, but are not necessarily designed with strong security safeguards (most IoT device manufacturers do not release firmware updates frequently to address security vulnerabilities in their products).
Although equipment like this can be helpful for its intended purposes, it could also be leveraged for nefarious activities. In 2018, a hacker infiltrated a family’s baby monitor and verbally threatened the parents with the intention to kidnap their baby (Fieldstadt, 2018). Researchers sounded the alarm in 2020 about flaws in the ThroughTek Kalay IoT cloud platform used by tens of millions of IoT devices ranging from web cameras to baby monitors that could allow attackers to take control and capture video streams (Vaas, 2021).
As manufacturers put more IoT devices to market, it is no surprise to see Kaspersky report more than 1.5 billion IoT attacks in the first half of 2021 alone, more than twice the number detected during the previous half year (Seals, 2021). Part of the problem is that most consumer IoT vendors do not have a vulnerability disclosure program (VDP) in place and are horrendously slow to introduce one (Bannister, 2021). Add the significant increase in professionals accessing business data while working remotely, and it is not surprising that “cybercriminals are targeting corporate resources via home networks and in-home smart devices…they know organizations haven’t quite gotten used to the new perimeter – or lack thereof,” (Seals, 2021).
With the capabilities of IoT devices rising among consumers, cybercriminal interest in the vulnerabilities and attack vectors of these technologies grows exponentially. If people wish to leverage the advantages of using these devices online, one of the best ways to protect data that is more sensitive than whether the refrigerator detects the household is out of milk is to ensure all IoT devices use a separate wireless network from the one computers use. Most of the routers and wireless systems available offer the capability to broadcast multiple SSIDs (Service Set IDentifiers, or wireless networks) that do not interact with one another. Most guest wireless configurations do not allow access to the normal LAN (Local Area Network) or even the ability to administer the router; they typically only allow access to the Internet. It is on this type of network that SmartHubs, Smart TVs, coffee makers, etc. would best connect online, while desktops, laptops, printers, NAS (Network Attached Storage) and tablets should share a non-guest SSID. Manufacturers of computers, operating systems, data storage devices, and printers tend to release security and firmware updates more frequently than IoT companies, so this offers a way to isolate the less trusted devices.
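One way to check that a network actually follows this split is to audit the router's device list against the two segments. The following is an added example, not part of the original article; the subnets, device class labels and inventory entries are constructed assumptions.

```python
import ipaddress

# Assumed addressing plan (hypothetical): one subnet per SSID.
TRUSTED_LAN = ipaddress.ip_network("192.168.1.0/24")   # non-guest SSID
GUEST_LAN = ipaddress.ip_network("192.168.50.0/24")    # guest SSID for IoT

# Device classes follow the article's split; the labels are assumptions.
IOT_CLASSES = {"smarthub", "smart-tv", "camera", "thermostat", "appliance"}
TRUSTED_CLASSES = {"desktop", "laptop", "printer", "nas", "tablet"}

# Constructed sample inventory: (name, device class, current IP address).
INVENTORY = [
    ("office-laptop", "laptop", "192.168.1.20"),
    ("nas01", "nas", "192.168.1.5"),
    ("livingroom-tv", "smart-tv", "192.168.50.31"),
    ("baby-monitor", "camera", "192.168.1.77"),     # IoT on the trusted LAN
    ("kitchen-hub", "smarthub", "192.168.50.12"),
    ("guest-printer", "printer", "192.168.50.40"),  # trusted class on guest
    ("unknown-box", "appliance", "10.0.0.9"),       # outside both subnets
]

def expected_network(device_class):
    """Return the segment a device class belongs on, or None if unknown."""
    if device_class in IOT_CLASSES:
        return GUEST_LAN
    if device_class in TRUSTED_CLASSES:
        return TRUSTED_LAN
    return None

def audit(inventory):
    """Return (name, finding) pairs for devices on the wrong segment."""
    findings = []
    for name, device_class, addr in inventory:
        ip = ipaddress.ip_address(addr)
        want = expected_network(device_class)
        if want is None:
            findings.append((name, "unclassified device"))
        elif ip in want:
            continue  # device sits on the segment its class calls for
        elif ip in TRUSTED_LAN:
            findings.append((name, "IoT device on trusted LAN"))
        elif ip in GUEST_LAN:
            findings.append((name, "trusted device on guest network"))
        else:
            findings.append((name, "address outside both segments"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```

An "IoT device on trusted LAN" finding is the case the article warns about: a less frequently patched device sharing a segment with computers and storage.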
Of course, the expected preventive measures against the compromise of IoT devices include these standard actions:
- Change any default passwords to something unique and “strong” (lengthy combination of lower/uppercase letters, special characters, numbers)
- Check with manufacturers periodically to see if any new firmware has been released (provided the device does not automatically check)
- If the device begins to “behave strangely,” unplug then factory reset it
- If there is a software/cloud console to the device, ensure MFA (MultiFactor Authentication) is enabled (if available; try to only consider products that employ this security feature)
- Determine whether the technology needs to be online for its intended use (does anyone really require a toaster to be online?)
Bannister, A. (2021, November 4). Majority of consumer IoT vendors still lack vulnerability disclosure programs – report. The Daily Swig. https://portswigger.net/daily-swig/majority-of-consumer-iot-vendors-still-lack-vulnerability-disclosure-programs-report
Fieldstadt, E. (2018, December 18). Nest camera hacker threatens to kidnap baby, spooks parents. NBC News. https://www.nbcnews.com/news/us-news/nest-camera-hacker-threatens-kidnap-baby-spooks-parents-n949251
Seals, T. (2021, September 6). IoT attacks skyrocket, doubling in 6 months. Threatpost. https://threatpost.com/iot-attacks-doubling/169224/
TrendMicro. (2021, September 28). IoT and ransomware: a recipe for disruption. https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/iot-and-ransomware-a-recipe-for-disruption
Vaas, L. (2021, August 17). Bug in millions of flawed IoT devices lets attackers eavesdrop. Threatpost. https://threatpost.com/bug-iot-millions-devices-attackers-eavesdrop/168729/