Tips on how to keep IoT devices secure

There’s been growing concern about the security of Internet of Things (IoT) devices in the last 18 months, as devices like Smart Security Cameras (like the the Canary and Arlo) and Smart Lights (like the Philipps Hue) have increasingly become the target of hackers, hacking into the devices via a number of common vulnerabilities like password security, encryption and lack of granular user access permissions. One of the most famous examples of hacked IoT devices happened in 2016, when hackers accessed 1000’s of IoT to orchestrate a massive bonnet based DoS attack on Dyn – resulting in bringing down major internet services like Amazon and Twitter, and resulting in major damage.

Given the high-levels of IoT market growth, with the market estimated at 50 billion IoT devices by 2020, and the fact that IoT are always connected and therefore always vulnerable, means that addressing the security issues is critical.

To help, we’ve put together a guide of the top ways hackers can access your IoT devices and tips on keeping your IoT devices secure:

• Poor passwords and use of default passwords: one of the biggest IoT security breaches comes from either not changing the default password of your system (which are often set as 1234, or similar). This means that it’s quick and easy for a hacker to access your device, change the password and take control of it. Choosing a secure password, beyond using a simple weak password, is important from further password hacks.  Passwords both apply to the devices themselves and also the software / apps that are used to control them. Both are vulnerable and both need to have secure passwords applied.
• Poor encryption: IoT devices work by talking (i.e. connecting over your properties network) to each other and talking to your router, transferring varying levels of information. Encrypting this information is therefore hugely important, given that much of this information is critical, and could potentially lead a hacker to accessing an individual’s personal information via the the device, cloud or device’s mobile application. Given that the majority of these devices collect information like name, address, date of birth and even credit card details, then you can see why it’s important to keep routes into accessing this data as secure as possible.  Unfortunately most IoT devices have low computing power, meaning that they are unable to support advanced encryption. The fact that most also update via remote management software, also makes them open to remote exploitation by hackers.
• Device, app and cloud: these are the three parts to how your IoT devices work, so being aware of needing to secure each of these, and the fact that each of these parts is equally at risk of being hacked, is important.

What you can do to make sure your IoT devices are secure

1. Avoid default passwords: the primary thing IoT users can do to keep their data and homes safe, is to avoid using default passwords. In particular you should check your router to make sure that you are not using the default router password.
2. Use an advanced secure password: you should then change your password to something secure i.e. a strong password that avoids using common nouns and short strings of numbers, as these types of passwords are guaranteed to be hacked.
3. Update your devices: your mobile phone and computer receive regular security updates; your IoT devices should receive similar security updates on a regular basis.
4. Use encrypted firmware: the more sophisticated hackers can deploy their own versions of firmware, making the spread of viruses nearly impossible to stop. Once malicious firmware has infected your router or computer, it can then spread viruses to other devices via USB sticks and other computers on your network.

Addressing the first two of these points will go along way to keeping your IoT devices safe from hackers, as hackers can be very lazy – so will always go for the low-hanging fruit. The last two are nice to haves, but are often out of the users control (or are more difficult to implement).

For more information on IoT security, one of the best sources to read is an organisation called the Open Web Application Security Project (OWASP), which is a not-for-profit charitable organisation focused on improving security of software. Additionally, the following are some interesting related articles:

• OWASP: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
• Wiki entry on IoT Security & Solutions: http://internetofthingswiki.com/iot-security-issues-challenges-and-solutions/937/
• Business Insider article on IoT security issues: http://uk.businessinsider.com/internet-of-things-security-privacy-2016-8
• Academic research around IoT security: http://ieeexplore.ieee.org/abstract/document/6746513/?reload=true

The overall message is that IoT are a good thing and can very much enhance your life, however you need to be aware that if not implemented correctly you could be leaving an open back door into your personal information.