Securing the Internet of Things

The Internet of Things (IoT) refers to the far-reaching, interconnected networks of internet-accessible devices (things) equipped with software and firmware to collect, store, and transmit data to other IoT devices or other internet-connected devices. IoT devices at home are often used for convenience or entertainment purposes and can include smart TVs, wireless speakers, smartwatches, or internet-connected appliances such as thermostats or refrigerators. IoT devices, such as sensors, are also used in industrial settings to quickly transmit data between physically separate control systems and industrial machines. These devices' ubiquitous nature also brings an element of risk because each device may be used as a potential attack vector or pivot point into a network. IoT devices have enlarged the potential attack surface area, so consumers should take the appropriate steps to secure and further harden their networks and IoT devices.

History

While IoT as a concept began about 20 years ago, machines have communicated with each other since the early 1800s. The path to IoT began with basic forms of long-distance communication. In 1832, Baron Shillings in Russia invented the first electromagnetic telegraph.

By 2013, IoT had evolved into a system that simultaneously uses multiple technologies, such as internet-to-wireless communication, and from micro-electromechanical systems to embedded systems. Automation, wireless sensor networks, and GPS technology is used to support the IoT.

Common IoT Threats

No standard manufacturing requirements currently exist for developers of IoT devices. IoT devices may pose various threats to your home or work network, the devices on those networks, or your personal data.

• IoT devices may be conscripted into a botnet with other devices and used to carry out attacks
• IoT devices with cameras or microphones can be hijacked and used to spy on users
• Privacy concerns arise when excessive data is shared/collected from device manufacturers
• Potential man-in-the-middle attacks between IoT or other smart devices

General Recommendations for Organizations

• Take inventory: Know which assets are IoT devices and what type of information is being shared
• Maintain baseline configurations
• Periodically scan for vulnerabilities
• Continuously monitor your devices and traffic

Methods to Secure Your IoT Devices

Cybercriminals can take advantage of poorly configured IoT devices to steal sensitive data without the user being aware. Listed below are some effective ways a home user can secure their IoT devices and prevent their devices from being exploited by attackers.

1. Increase security awareness among users to reduce the risk of becoming victim to social engineering attacks
2. Purchase IoT devices from reputable manufacturers with secure development practices to reduce the risk of purchasing counterfeit devices with backdoors or malware inserted in the manufacturing process
3. Determine which devices have default accounts enabled and change all manufacturer default passwords and user IDs
4. Monitor network traffic and connected devices on the network to determine abnormal and normal behavior and anomalies
5. Create an asset inventory of your IoT devices and monitor network connections to detect rogue devices
6. Register with the manufacturer customer support of the IoT device to receive notifications of firmware and software updates
7. Secure wireless home-networking equipment and segment or use a secondary network for only IoT devices
8. Read and store for future reference the instructions provided by the manufacturer and the help desk contact information
9. Disable Universal Plug-and-Play protocol on network devices to prevent devices infected with malware from redirecting network traffic to remote IP addresses on the internet
10. Use Virtual Private Networks (VPNs) and secure login credentials to reduce the risk of poorly configured IoT devices broadcasting home IP addresses that allow attackers to search public databases to locate the physical address

Learn more about developing an effective cyber strategy.

This article is co-authored by Grant Hsu and Timothy Mayers Jr.