7 Evergreen tips for securing IoT
In his 2016 blog post on Naked Security, Sophos’ Principal Research Scientist at the CEO’s office, Chester Wisniewski said, it is possible to join the IoT craze without having your devices turn against you.
Zoom forward to 2019, and guess what, … the 7 tips remain fairly the same. Not much seems to have changed when it comes to protecting the world of IoT, although for 2019, Chester added the following, “The primary thing I would add is for enterprises. Many modern network tools allow for the detection and categorization of IoT devices connected to the network.
“This can assist in finding those rogue smart TVs, Amazon Echos and other similar devices. ”
He also adds his opinion about industrial IoT saying, “Industrial IoT is a completely different and challenging environment. Asking vendors for details about how and where devices need to communicate and how you can control, manage and isolate these devices needs to be part of the procurement process.
“Also ask vendors if newly acquired technology includes cellular/5G hardware and what privacy or security risks introducing these devices into work environments may bring along with them.”
Here once again, are his evergreen 7 tips to help you stay safe on the IoT:
- Many smart things support Wi-Fi so that you don’t have to plug them into your smartphone or computer every time you want to use them. If your home Wi-Fi router allows you to create separate guest networks to keep untrusted visitors off your regular network, make a special guest network for your “things” and connect them there.
- Many devices, such as video cameras, try to talk to your router to open up inbound holes so they can accept connections from outside. This makes it easier to access them from the internet, but it also exposes your devices to the rest of the world. Turn off Universal Plug and Play (UPnP) on your router, and on your IoT devices if possible, to prevent this exposure. Don’t assume that “no one will notice” when you hook up your device for the first time. There are specialised search engines that go out of their way to locate and index online devices, whether you wanted them to be found or not.
- Keep the firmware up to date on all of your IoT devices – patching is just as important as it is on your PC. It can be time consuming to figure out whether updates are available, but why not make a habit of checking the manufacturer’s website twice a year? Treat it like changing your smoke detector batteries: a small price to pay for safety and security.
- Choose passwords carefully and write them down if needed. Complexity is important, but so is uniqueness. Many IoT devices have been found to have bugs that let attackers trick them into leaking security information, such as giving away your Wi-Fi password. Remember: one device, one password.
- Favor devices that can work without the cloud. IoT “things” that require a cloud service are often less secure, and potentially give way more information, than those you can control entirely from within your home. Read the packaging carefully to determine whether permanent internet access is needed for the device to function. If it’s “all-or-nothing,” then you can’t try out the device on your own network first.
- Only network devices as much as you need to. If all you want from your TV is to watch broadcast television, you don’t need to connect it to the network at all. If you only want to control it or stream to it from your home network, it doesn’t need access to or from the outside. Eliminate unnecessary internet connections when possible.
- Don’t take your IoT devices to work or connect them to your employer’s network without permission from IT. Insecure devices could be used by attackers as a foothold into the organisation, and used to assist with data stealing and illicit surveillance. You could put your company and your job at risk.