What exactly are IoT devices? IoT stands for “Internet of Things”. They are also known as smart devices. Now, let me ask what comes to mind when you hear the term “IoT device”? I would bet a lot of the answers are going to be the Amazon Echo, or the Google Home, am I correct? Now, there are a lot more than just those two. The list includes smart refrigerators, smart watches, smart fire alarms, smart door locks, smart bicycles, medical sensors, fitness trackers, smart security systems, and the list goes on (18 Most Popular IoT Devices in 2022 (Only Noteworthy IoT Products, 2022).
While IoT devices are great in that they make our lives a little bit easier, they do have one serious flaw. IoT devices are configured for ease of setup / use, not security or privacy. To prove my point, I looked for a story regarding baby monitors being hacked. Yes, certain models of baby monitors are IoT devices.
I do not know if you all remember but there were stories every couple of months a few years ago, but we do not hear much about it now.
So, the story I found is from 2018 about a mom in South Carolina initially noticed unusual activity on her baby monitor. One morning she wakes up and sees that that the monitor is directly facing her. While she thought this was weird, she dismissed it thinking her husband was known to move the monitor through the application on his smart phone so he could check on her while at work. Seems logical to me, as I have something similar, but not a baby monitor, that I can use to check on my wife while I am gone. However, the second incident has no logical explanation to it. It happened while both the husband and wife were having dinner together. The wife got an alert on her phone that the camera was moving, but they were both at home in the same room and neither one had opened the app and moved the camera. What the wife did next was the best thing she could do, and that was to not only disconnect the baby monitor, but also call law enforcement.
When an officer arrives the wife describes what happened and said she suspected the baby monitor had been hacked. So, the officer decided to do a little investigating and wanted to test that theory. The officer had her reconnect everything and that is when she discovered she had been locked out of her own account (Domonoske, 2018). Pretty scary stuff.
Now at this point some people may be thinking how this happened. Remember what I said earlier. IoT devices are configured for ease of setup / use, not security or privacy. Also keep in mind that these devices could have vulnerabilities that are not seen on computers. I am talking about vulnerabilities that could allow a device to reset back to default settings (to include login credentials). I mention that because in the story when the monitor was setup the password was changed to something unique to the device and was not used anywhere else (Domonoske, 2018).
After reading this story, I am willing to bet that some of you are wondering if it is even possible to secure IoT devices and my answer to that is yes, they can be secured. In fact, there are six that can be taken to secure IoT devices. One disclaimer. I know the site says seven tips and I am listing 6. I did that because I combined changing the Login ID and password to a single item.
1. Start with configuring the router correctly.
a. Do not use default credentials. Change both the login ID and password.
b. Use highest level of encryption possible. You are looking for WPA2 or WPA3. Anything less than that (WEP or WPA), you need a newer model.
2. Put IoT devices on their own network separate from everything else.
a. Basically, create a guest network for IoT devices. By doing this, you will prevent criminals from accessing the main network if an IoT device is hacked.
3. Another option is to turn off features you are not going to use.
4. Update the devices firmware. Keep in mind that this typically does not occur automatically. So, it may have to be completed manually. That means setting a calendar reminder once a quarter or so and following the directions to update, that should be included with the documentation for that device.
5. Implement MFA if available. Now, I know that this option is a little counterintuitive as it takes the ease of use out of the device, but it will add to the security.
6. Use a secondary Next Generation Fire Wall (NGFW). This is an option because while most routers that were built within the last few years probably have a fire wall, they may not offer the protection you want. In that case purchasing an NGFW and using it in conjunction with the router would do the trick (Goodreau, n.d.).
So, the bottom line here is that we as individual end users of these products are responsible for our security. We cannot rely on the product manufacturers to be security minded. As I have said a couple times in this blog, manufacturers want people to have a product that is easy to setup/use. This is what makes them money. If a product is not easy to setup/use, people are not going to buy it and the company is not going to make money, which is what matters to them.
18 Most Popular IoT Devices in 2022 (Only Noteworthy IoT Products. (2022, September 24). Retrieved from Software Testing Help: https://www.softwaretestinghelp.com/iot-devices/#:~:text=Smart%20Mobiles%2C%20smart%20refrigerators%2C%20smartwatches,few%20examples%20of%20IoT%20products
Domonoske, C. (2018, June 5). S.C. Mom Says Baby Monitor was Hacked; Experts Say Many Devices are Vulnerable. Retrieved from NPR: https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable
Goodreau, T. (n.d.). 7 Actionable Tips to Secure Your Smart Home and IoT Devices. Retrieved from IEEE Computer Society: https://www.computer.org/publications/tech-news/trends/7-actionable-tips-to-secure-your-smart-home-and-iot-devices