With every day that goes by more IoT (Internet of Things) devices are becoming a part of our normal everyday life both at home and on the job. In recent years it has become evident that IoT devices pose a security risk for any network. While IoT manufacturers are working diligently to make things more convenient for us, privacy and security have been overlooked. Leaving these devices unsecured is like leaving your door closed but unlocked. It might look secure, but it is actually easy to open.
Gartner research estimates that there will be over 20 billion connected IoT devices by the year 2020 (roughly 20.4 billion). While having great new wearables that monitor our health and smart homes and smart printers can make life very convenient, these are still network connected devices that require security measures like any other connected item. Here are a few tips to securing IoT devices.
- Separate networks – Many Wi Fi routers, whether for the home or the enterprise support guest networking so that guests and contractors can connect without gaining access to important assets or managed connected devices. This segmentation helps with IoT devices that have questionable security at best.
- Passwords – be sure to change the password for the device itself as well as for the online access provided by the manufacturer and make it a strong one. Additionally, be sure to update the password every quarter and to have a separate password for each device so as to make it extra difficult for hackers to guess your passwords.
- Turning off Universal Plug and Play (UPnP) – UPnP makes IoT devices vulnerable to hackers. While it is designed as a convenience to connect devices automatically to the network, it makes it possible for hackers to connect to them from beyond the local network because of vulnerabilities in the UPnP protocol, and clearly it is advisable to turn UPnP off from the first day.
- Latest patches and updates – If you would like to reduce the chances for security breaches it is crucial to have the latest patches and updates to your firmware. It is recommended to automate updates or have a standard operating procedure for team members to update firmware every quarter. In this way vulnerabilities and exploits will be fixed as they emerge.
- Separate business and personal devices as much as possible – There are security challenges with wearables and the enterprise should have a spelled out BYOD policy that prohibits the use of IoT devices from the company network, or that segments them to a guest/contractor network.
- Visibility and continuous posture assessment – this is more relevant for businesses as they need to be able to see all devices that are connected to the network, and to monitor all traffic. Once there is a security posture assessment available, the level of access given to each device can be determined by company policies as well as making sure that all devices have the latest security patches, firewalls and anti-virus updates, etc. This allows for end-to-end protection and unknown devices should create an alert for security managers.
Before purchasing any IoT device, have a long hard look and the type of data on your network coupled with any privacy concerns. Check which security protocols are implemented on the device as well as how approachable the device is to patching and updates, and if the manufacturers implemented a good privacy policy. Most of all, never assume that your IoT devices are secure, because chances are great that they are absolutely not!
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.