In the last ten years or so, securing our local area networks has become more difficult, thanks to ubiquitous high-speed broadband and a proliferation of internet-enabled devices. Some of these are branded ‘smart’ but their widespread adoption could be considered less so. Some, like smartphones, add convenience but most introduce security risks. Whether it’s at home or at work, smart devices vary widely in terms of security. Some devices operate on Bluetooth, others connect to wireless networks and via cable. Whatever the connection protocol, it’s important to ensure that all are monitored as part of a cybersecurity policy or if at home, a common-sense attitude to security.
But, where do you start? How do you identify potential security threats?
In the same way that you protect your home and business, any worthwhile security system will start with access points; all exits and entries are protected first. For networks, initial perimeter defence is controlled by the routers that distribute your broadband connection.
Securing Routers
Most routers offer a combo of LAN ports and a wireless option (with or without antennas). Router configuration is key to enforcing security. I recommend changing all default options. Make sure your default gateway is changed. Ditto, the IP address range for your domain or workgroup. 192.168.1.x will be the first avenue of attack for hackers. Ensure that a complex password and username is in place. ‘Admin’ and other defaults are not acceptable. It’s also important to name your router as leaving the default name will provide clues to hackers sniffing your network. I’d suggest your favourite Klingon entrée or perhaps the name of the dumbest president to ever hold office. Finally, use an encrypted connection (at least WPA2).
Thanks to BYOD (bring your own device), guests at work and at home often request your Wi-Fi password. Many routers offer a ‘guest network’ option that prevents temporary users from accessing shared resources on the network. Enable this function.
If not available, claim ignorance of the password (passwords are assigned by our IT admin only) to prevent unauthorised access to company resources or suggest they upgrade to a higher data plan for their mobile device.
The Internet of Things and Smart Devices
Granted, it’s much easier to add new workstations or devices using wireless. It saves time and there are no trailing cables. Office disruption is also minimised as no building alterations are required. Convenience is the name of the game and portability comes a close second, with tablets, laptops and smartphones in common use.
With the Internet of Things came a recognition that we were running out of IP addresses and IPv6 became necessary to allow for the predicted billions of internet-enabled devices. Everything from fridges to toasters and webcams became smart… or as smart as their manufacturers made them. The key security element for connected devices is to remember one thing – many are not built in a security-first manner.
Hard and Fast Rules for Connected Devices
Before purchasing an IoT device, you should consider all, but not limited to, the following questions:
- Is it REALLY needed? We all love buying gadgets but if there is no efficiency benefit then why even bother? Check out this 2017 list from Gizmodo.
- Is the device secure? The blind assumption that the router will protect all devices connected to it is a dangerous one. I consider an IoT device secure if:
- I can modify the security settings from the defaults. Hardcoded settings are exploited by hackers.
- I can stop unnecessary features.
- The device supports future firmware updates or security patches that are installed locally (via USB or SD card, for example) or remotely.
- The device does not rely on SMBv1, which has known weaknesses. Microsoft has published a list of some affected manufacturers and related products. YOU need to check all connected devices for this vulnerability by reviewing manufacturer websites. Bear in mind that healthcare, medical and industrial products are also vulnerable so this condition does not only apply to consumer products but for every industry.
- How invested is the company in security? In other words, how would you assess their expertise? If a smart coffeemaker is in your future, is it fair to say that the company knows domestic appliances and is totally new to securing smart devices?
- Is the primary function of the device enhanced by being ‘smart’? In the case of a coffeemaker, I’d have to say no but in the case of health-monitoring equipment it’s an emphatic yes. Maybe it’s just me but communicating with or receiving alerts from a coffeemaker or other domestic appliance seems a little pointless. But, health monitoring can detect anomalies and perhaps save lives.
Of course, despite security risks, some devices are worthy of connection. In such cases, why not use a different workgroup or domain? Segregating all IoT devices makes perfect sense and protects the rest of your network from attack.
In conclusion, the use of Wi-Fi and a multitude of connected devices adds convenience. However, awareness of security risks is crucial when selecting devices. Regular auditing of existing devices is necessary as well. In the meantime, perhaps it’s worth policing connected devices to ensure your network is not compromised by smartphones with vulnerable OS versions, cheap imports or wearables. What do you think? How vulnerable are your smart devices and sensors? Have they been hacked before now? Smart locks certainly have.