IoT and the impact of security…

I’ve had a number of side conversations about IoT and security recently, on Facebook, LinkedIn and via email. The thing that interests me is the concern people have around security. First off because people are convinced that the IoT revolution will increase the security risks. It’s true the attack vector will be greater but I suspect the pundits and analysts have created that mythos.

Does the IoT present a security risk in the home? Potentially cyber criminals could connect to your on-line thermostat and move it around 10-15 degrees. Then they send you an email saying if you don’t want it shut off (hottest/coldest days are best for this threat) pay us X amount of currency. The same is true for threatening to shut off smoke alarms etc. But in the end security will catch up with the problem.

If you read the many news feeds and blogs out there, by the way, you would assume not only that your home is hacked but that hackers are currently watching you. Right now, while you are reading this, they are ransacking your virtual house. Extreme headlines always sell more newspapers than does the simple reality of “be careful.”

IoT presents things that are already installed in many cases. If someone wants to, in the end, hack a personal weather station, congrats. Not sure what they get out of that. Sure, I check mine to see if I need to wear a heavy jacket. But once I open the garage door I know if I need a heavy jacket and can always go back in and get one. Certainly people can hack your surveillance cameras and see what is going on inside your house. Or hack your computer webcam and see what you are doing. All of that is possible without the IoT revolution. It could happen today.

Part of the security fear today is more the fear of change. Change beyond what people know causes people to be concerned. The Internet of things pushes well beyond what most of us know. It moves into the realm of what would have been considered magic as little as 100 years ago.

So the security of my home is a natural fear. In the 1840s most homes had guns. Not always to gather arms and fight for justice. Some of the guns were to protect children and families from larger predators (wolves and mountain lions, cougars, you get the idea). Protecting your home is a natural desire.

It is an interesting argument. First off, in many cases I would say: why would a hacker attempt to control your thermostat? It is not like they are trolling the Internet looking for people to scam out of money. In the end the more they do things like that the more exposed they are. A hacker may collect the ability to connect to and control your home but the minute they attempt to extort money from you they are out of the shadows.

The risk you have is that if all your IoT devices have the factory default setting (and most that connect via Bluetooth will have that default password), you are more vulnerable in the event that a hacker decides to launch an attack.

Simple IoT security rules

  • Never have the default password. Think that one is easy – a recent report talked about the fact that there were electrical generation plants that still had the published default password on core systems.
  • If you don’t need it, unplug it.
  • If you are setting up a sensor network in your house, put it on a separate IP segment of your home network. If you use the default of your router (192.168.1.x), put your sensors on a 10.10.10.x network. Then have a device you can remotely shut off that supports the network address translation (NAT). If the connection to the sensor requires access to the physical network (no remote access) then you have to be physically on the network to attack it. If someone is already in your home you have bigger problems than them hacking your IoT.
  • Scan for malware at least once a month if not more often. When you scan for malware, scan for viruses as well. Update that malware and virus engine every day. Seems like a lot of effort but staying safe means staying ahead of the easy problems.
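
One way to check a home device list against the first three rules, as an added example that is not part of the original post. The inventory format, column names and device names are constructed for illustration; the two network ranges are the ones named in the rules above.

```python
import csv
import io
import ipaddress

MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")    # router default from the rules
SENSOR_NET = ipaddress.ip_network("10.10.10.0/24")   # separate sensor segment

# Constructed sample inventory (hypothetical devices and column names).
# The smoke-alarm address deliberately contains a letter "O" typo.
INVENTORY_CSV = """name,ip,kind,default_password,in_use
thermostat,10.10.10.21,sensor,no,yes
weather-station,192.168.1.40,sensor,yes,yes
old-camera,10.10.10.30,sensor,yes,no
laptop,192.168.1.10,computer,no,yes
smoke-alarm,10.10.1O.5,sensor,no,yes
"""

def audit(inventory_csv):
    """Return (device, finding) pairs, in inventory order, for rule violations."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = row["name"]
        # Rule 1: never keep the default password.
        if row["default_password"] == "yes":
            findings.append((name, "default password still set"))
        # Rule 2: if you don't need it, unplug it.
        if row["in_use"] == "no":
            findings.append((name, "not needed: unplug it"))
        # Rule 3: sensors belong on the separate segment.
        try:
            ip = ipaddress.ip_address(row["ip"])
        except ValueError:
            # A typo in the list should be reported, not silently skipped.
            findings.append((name, "unreadable IP address, check by hand"))
            continue
        if row["kind"] == "sensor":
            if ip in MAIN_LAN:
                findings.append((name, f"sensor on main LAN {MAIN_LAN}"))
            elif ip not in SENSOR_NET:
                findings.append((name, "sensor on an unknown segment"))
    return findings

if __name__ == "__main__":
    for device, finding in audit(INVENTORY_CSV):
        print(f"{device}: {finding}")
```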

My father always said it isn’t about stopping people. It is in the end about keeping honest people honest. Don’t present an easy simple way for them to attack you. Cloud as many vulnerabilities as you can. The weapons of the IoT age can be applied almost anywhere. You no longer need that single firing barrel loaded musket of the 1840s.

.doc

Scott Andersen

IASA Fellow.