5 IoT Security Commandments
Thou shalt not use default logins — and four more security fundamentals.
July 20, 2018
By Robert Gibbons
Our appetite for the internet of things knows no boundaries: From the pace counters we wear on our wrists to the smartphone apps that lock our front doors to the sensors we install in our universities and hospitals that let us monitor energy usage, more and more corners of everyday life are revolutionized by connected devices. In 2017, according to Gartner, 8.4 billion such connected devices were in use; by 2020, that number is expected to jump past the 20-billion mark.
With big data comes big responsibility. As we plug in more and more devices, for ourselves and our customers, we must take the utmost care in keeping data secure; otherwise, we might end up like the casino that recently fell victim to a cyberattack after someone compromised the thermometer in its fish tank and used it as a foothold to get into the rest of the network.
So what are those among us who aren’t cybersecurity experts to do with all the new connected devices we keep buying, selling and plugging in? Here are the five commandments of keeping your gadgets secure and your data safe:
1. Timing is everything: This is especially true when it comes to updating firmware. Some manufacturers ship updates regularly, which indicates that they're actively looking for bugs and fixing them so you're protected against current threats. Others, sadly, just want you to buy their gizmo. They care very little what happens to you, your customers or your data once you've shelled out your dollars. So before you buy anything you're going to plug in – a digital camera, say – go online, check the manufacturer's release notes, and see how often they patch the firmware. You might be tempted to buy a cheap device that's getting good reviews, but if its makers haven't updated the firmware in more than two years, you're basically inviting a Trojan horse into your home or customer site.
2. Make it automatic: Most devices, you'll find, let you turn on automatic updates. Do it! That way, rather than having to check periodically for the latest patch, you'll pick it up as soon as it ships.
3. Just say no to remote control: Some devices feature what's fondly known as a RAT, or remote administration tool. In theory, it's a helpful feature that gives users or an MSP access even when they aren't physically near the device they need to manage. In practice, it is just as likely to give attackers a way in. So as you're setting up your device, log in to the administration panel and disable remote administration. If you're deploying devices at far-flung or difficult-to-access sites and genuinely need remote admin capability, check with the manufacturer or a security specialist on how to enable it safely.
4. Keep them guessing: Never keep a default username or password. Change them, on every device, and keep changing your username and password as often as you can. It sounds like an obvious piece of advice, but you'd be surprised how many of us stick with the same old passwords, making it that much easier for attackers to have their way. I realize coming up with new passwords is annoying, but trust me, losing all your data or worse is a much bigger hassle.
5. Welcome guests: Guest networks, that is. It's a simple but powerful trick: Set up your Wi-Fi with a protected network you use for your laptop, say, and a guest network you use for everything else. It sounds complicated, but a beer and 10 minutes of Googling should do the trick. Then, if you have an IoT device that doesn't need to communicate with any other device – like, say, your camera or your Fitbit – put it on the guest network, and configure the guest network to isolate devices from one another. That way, you minimize the risk of attackers reaching all your data even if they find a way to compromise a single device. For MSPs, this sort of segmentation is a big selling point of a managed WLAN practice.
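The segmentation described in the last commandment, expressed as an nftables ruleset for a small Linux router. This is an added example, not part of the original article or any Datto product; the interface names (eth0, eth1, eth2) and the split into a trusted LAN and an IoT/guest segment are assumptions made for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: keep an IoT/guest segment away from the trusted LAN.
# Interface names below are assumptions; adjust to the router in use.
flush ruleset

define wan_if = "eth0"   # upstream internet link
define lan_if = "eth1"   # trusted LAN: laptops, workstations
define iot_if = "eth2"   # guest / IoT segment: cameras, wearables, sensors

table inet segmentation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections the trusted side opened are allowed back in
        ct state established,related accept
        ct state invalid drop

        # IoT devices may reach the internet, but may never initiate
        # anything toward the trusted LAN (counter makes attempts visible)
        iifname $iot_if oifname $wan_if accept
        iifname $iot_if oifname $lan_if counter drop

        # Trusted LAN may reach both the internet and the IoT segment
        # (e.g. to view a camera stream); the reverse is blocked above
        iifname $lan_if oifname { $wan_if, $iot_if } accept
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept

        # The IoT segment gets only DHCP and DNS from the router itself,
        # never its administration interface
        iifname $iot_if udp dport { 53, 67 } accept
        iifname $iot_if tcp dport 53 accept

        # Only the trusted LAN may manage the router
        iifname $lan_if accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Both segments share the upstream address
        oifname $wan_if masquerade
    }
}
```

Load it with `nft -f` and inspect hits on the `counter drop` rule with `nft list ruleset`: a rising count there is an IoT device trying to talk to the trusted side, which is exactly the behaviour this layout exists to catch. Note that isolating devices from one another within the same Wi-Fi network is a function of the access point (usually labelled client or AP isolation), since traffic between two clients on the same segment never crosses the router; the ruleset above governs what crosses between segments.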
So next time you get a fancy new internet-enabled thingie, don’t just rush to unbox it and plug it in. A few minutes and a few steps could save you a lot of time and pain.
Robert Gibbons is Datto Inc.’s chief technology officer.