These days, we have to give internet connectivity to things we didn’t even know needed to get online. With such rapidly growing networks of “smart” gizmos, it takes a different kind of strategy to keep our data and information safe.
However, security and privacy concerns don’t always make it to the top of the priority list for the companies manufacturing these products.
“It’s absolutely an afterthought, if it’s a thought at all,” says Shaun Murphy, a cybersecurity expert of 20 years and CEO of sndr, a communication application.
With that in mind, the responsibility falls upon consumers to take protection into their own hands—all the while demanding companies take a step up in protecting users’ data and information. According to Murphy, consumers play the most vital role in shaping the future of IoT devices and the security they provide—or, in many cases, don’t.
In order to better understand how to fill that role, Murphy breaks it down for the rest of us.
Stranger danger
https://twitter.com/PrivateShaun/status/713373156845752321
One thing that Murphy makes clear is that, even if you don’t use IoT devices, you will inadvertently engage with them somehow—much like social media.
“You’re always within reach of someone that does use social media,” Murphy says. So even if you don’t keep a profile yourself, it’s possible someone may find your photo online and use it on their own profiles. “Now all of a sudden, you do have a social media profile, you’re just not in control [of it],” he says. “Same thing applies to the Internet of Things.”
You are connecting to the IoT even if you don’t realize it. And if you do have internet-connected devices, just like your photos, your smart thermostat might get kidnapped while hanging out online.
ICYMI: A map of the industrial IoT as presented at @4SICS: https://t.co/982ia6ezpy pic.twitter.com/gZz7YECUUZ
— Shodan (@shodanhq) August 23, 2016
So that’s the reality: We are all part of the IoT. Problem is, this is a problem for all of us.
It’s likely you run your own home Wi-Fi network—that is to say, you probably have a Wi-Fi router or two as your home’s primary internet connection. It’s important to be aware of the devices connecting to it, including those owned by people who legitimately know the network password.
You’re probably only giving your password to family and friends or guests (i.e. not malicious hackers trying to take down your whole system), but you never know what devices are carrying harmful worms. Internet-enabled devices can become compromised at anytime and carry dormant attack vectors that may infiltrate your network to look for a device it can infect. That infiltration may be as simple as logging the Wi-Fi authorization information needed to connect to the network.
“Now you have what we call an internal threat,” Murphy says. Researchers showed the severity of internal threats by hacking the Philips Hue smart lighting system in a presentation at the annual Black Hat cybersecurity conference earlier this month. It’s the equivalent of sneaking behind enemy lines—once you bypass the firewall, you have access to anything and everything that’s unprotected on that network.
To render internal threats ineffective, Murphy has a simple fix for everyone: AP Isolation. “New Wi-Fi access points provide isolation mode where one device connects to the internet, but it’s not really connected to any other devices on your network,” he explains. Basically, when using AP Isolation, devices can’t talk to or see one another within the network. “That really constrains what damage a device can do just to that device,” Murphy says.
AP Isolation can be used with discretion, especially if you need to use device-to-device communication, such as connecting your computer to your wireless printer. One way you can work around this is by setting up a guest network that employs AP Isolation and leave your main network for yourself and your own trusted devices. Even then, however, your devices could be come infected, and you’d have the same problem.
Opening up a whole can of worms
So far, we’ve mainly discussed problems with home Wi-Fi networks—one layer of the IoT security puzzle. But what if you’re interested in installing some smart devices of your own? Things like smart thermostats and security cameras are common consumer choices for diving into the IoT world, Murphy says. Should you be cautious?
The most basic advice Murphy suggests is to consider necessity. “Do you need this device to be hooked up to the internet?” he asks. If you do, then take into account what kind of security you’ll get with the device you choose. In other words, do research, educate yourself, and tweak what you do based on new information.
“[It’s] always a hard thing to tell people, ‘try to change your behavior,'” Murphy says. “Instead of just going in and just buying the product that you want or that looks cool, step back and look at the documentation.” When looking into a product, check to see if the company has published or disclosed information about how the product works and how it guards your data.
Also check out the company’s privacy policy—it’ll give you a pretty quick idea of that company’s security commitment (or lack thereof). “If you look at their privacy policy and it’s like 1,000 pages long, and you can’t understand it, and they use the word ‘indemnify’ everywhere, chances are they have more lawyers than security people,” Murphy advises.
ICYMI: Center for Plain Language Privacy-policy analysis (Google, FB, Apple +) https://t.co/ZKivlae7UM some useful insights/tips
— Privacy Matters (@PrivacyMatters) August 21, 2016
In addition, Murphy says there’s a simpler way to find out how well an IoT device fares in the security realm. “Just do a Google search: ‘name of product,’ and then add ‘security’ to it,” he says. Chances are, if it’s a newer product, there’s research papers or articles published about it. And if there’s a major security glitch, those links would return at the top of the queue.
Consider multiple options as well, and do a product comparison. Look at a product’s website for a dedicated section describing how the product remains secure and protects your information. If such a page doesn’t exist, then it’s highly possible the product isn’t very secure at all, Murphy suggests. “Just as a general rule of thumb, if you can’t find that information, then that device is probably not secure by default,” he says.
Eye in the sky
Lastly, but perhaps most importantly, Murphy urges everyone to question whether their information will be stored on the cloud somehow. Cloud storage is one of the most important considerations, especially in terms of cameras and surveillance devices.
Using a security camera as an example, suppose it stores all the footage on a cloud server. You view the video and control the device through an app, and you can leave it on for all hours of the day. It works great, so it’s good, right?
Not quite, says Murphy.
Let’s deconstruct everything that’s wrong here. The biggest red flag is that your footage is being stored on someone else’s server—that’s all the cloud is—and here’s the catch: It may or may not be encrypted. If it’s not (which seems more likely), that means that anyone who gains access to that server can view your information—including the people who work for that company. “They can be sitting there watching your webcam all day long, and you would have no clue,” Murphy says. How likely that is, we don’t know, but there’s no way to really prove that someone is or isn’t watching you without, say, the footage mysteriously ending up on YouTube, Murphy says. Either way, the opportunity exists.
Sometimes the device has it set up so that you can view your information online or through a personal webpage. “That should be avoided at all costs,” Murphy says. “Because, if you can view it on a webpage, that means anybody else can.”
Also, the communication required for these devices means that the information is being sent through many pathways, touching base at multiple different machines. Unprotected pathways spell trouble. They’re basically vulnerable, and the advent of Shodan exposes those vulnerabilities big time. Shodan is a search engine that taps into unprotected feeds and displays them on its site, where pretty much anyone can search for it.
https://www.youtube.com/watch?v=XB-vjRCwa9E
For these types of things, end-to-end encryption is the selling point, according to Murphy. This means devices that communicate with each other should do so such that the sending device packages the information in a way only the receiving device can open it. Applications like iMessage and Whatsapp are already employing this technology, and it’s something consumers should begin to expect from companies, Murphy says.
Finally, it’s easy to ignore a device like a camera that runs in the background 24/7. Murphy advises users not to forget about them and actively look for software and firmware updates. To illustrate the point, he cites how the Nest Protect, a smart smoke alarm, which had a faulty feature that caused the device to simply stop working back in 2014. “Unless you were actively looking for discussions, you would have never known that,” Murphy says.
The buck stops somewhere else
While all of these precautions can lead to a safer experience using these Internet of Things products, the fact remains that consumers should demand better from companies. “Unless a consumer demands [better security], there’s going to be no reason for a company to spend the time and effort to fix it,” Murphy states.
What better way to get a company’s attention than with money? “The quickest way to make change is by not buying products that are not secure and [from companies that] don’t discuss security, and buying ones that are secure … [from companies that] are actively out there talking about it,” Murphy says. Furthermore, take advantage of the comments and reviews section to voice your concerns about a lack of security documentation or potential security holes. “Companies take notice of that.”
To fix the Internet of Things is no easy task by any means, and it still has miles to go in terms of privacy before we can reasonably trust it. With the current state of things, the risks are significant—just imagine finding a live video feed of your sleeping child available to anyone on the internet. It’ll take the effort of both consumers and companies, but the potential for change exists. Using these tips, keep the discussion alive and actively seek protection from hackers and personal information leaks on the deep, dark net.