Security and Privacy in the Era of IoT

Frank Febbraro, Chief Technology Officer
#Security

Security issues are unfortunately part of today’s digital reality. It seems like we can’t go more than a few weeks without a news headline about cyber attacks crippling key internet infrastructure or websites. And while IoT devices have given us innovative and seamless ways to engage and interact with the world around us, they’ve also given hackers additional avenues for service disruption.

These attacks can manifest themselves in a multitude of ways. In the latest large-scale attack, common IoT devices like security cameras, DVRs, and other home automation devices were used to generate millions of fake queries, effectively becoming a DDoS (distributed denial of service) attack. This volume-based attack prevented authentic user requests from being resolved, therefore rendering certain sites unreachable. It goes without saying that attacks like this can do serious damage to organizations, preventing commerce, disrupting transportation, and a whole host of other vital operations.

The issue is that all of these connected devices run software, and every time software is connected to the internet a potential vulnerability is created. The difficulty with IoT devices is that if they are not configured correctly and upgraded automatically (or at least in a timely fashion), they become vulnerable and turn into another attack vector for device hijacking. Even up-to-date devices can contain a vulnerability unknown to, or unaddressed by, the device’s vendor. Some vendors also use the same security credentials for all of their devices, which effectively creates a backdoor into every unit if those credentials leak.

What are some of the risks inherent in IoT devices?

  • Some of these devices, through their interface, can inadvertently create physical security vulnerabilities. For example, if you hook up your connected lock to an Amazon Echo and you leave it near a window, someone can just walk up to the window, say, “Alexa, unlock the door,” and gain access to your house.
  • All of these devices run software that is network accessible and potentially vulnerable.
  • There is the question of who is responsible for updating these devices when a vulnerability is discovered.
  • Weak home networking/wifi security can allow access to these devices and allow them to be compromised.
  • There are likely embedded elements in household items you don’t even know about. Appliances like your smart stove or refrigerator or washer and dryer could have embedded controllers that are on an open network.

What are some best practices for brands who are incorporating IoT devices into their marketing?

  • Brands taking advantage of IoT to engage with customers should also be paying attention to the devices they are producing or using and the data they are collecting.
  • Brands should be transparent about the data they are collecting and using. Having a clear policy around data will help maintain trust.
  • Allow users control over how their data is collected and utilized, so that they remain in control of their own privacy.
  • Personally Identifiable Information (PII) about customers should be limited (or removed or avoided entirely), preferring to work more with aggregated and anonymized information.
  • Any data collected and transmitted should always use encrypted channels for communication.
  • A brand should implement policies and procedures for ensuring customer privacy and for handling consumer privacy requests effectively.
  • IoT devices should operate on their own isolated network when at all possible.

What can consumers do about this?

  • Never assume a device in your house or business is secure.
  • Make sure your computer is protected against malware to prevent attacks. Use software like antivirus/anti-malware.
  • Configure routers & firewalls to prevent unauthorized access.
  • Upgrade router firmware.
  • Change router default username and passwords.
  • Change the device username and password if it has a remotely accessible interface, or disable the remotely accessible interface when possible.
  • Change default wifi SSIDs.
  • Enable wifi network encryption (WPA2 or other).
  • Configure MAC address filtering.
  • Change all default logins & passwords on every connected device.
  • Have all connected devices on protected networks.
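The isolation advice above (IoT devices on their own network, LAN kept separate) can be expressed as a small firewall policy. The following nftables fragment is an added example, not part of the original post; it assumes a Linux router with three interfaces, `br-lan` (trusted LAN), `br-iot` (isolated IoT network) and `wan` (upstream), which are constructed names.

```nftables
# Constructed example: forwarding policy for a home router that keeps IoT
# devices off the trusted LAN while still letting them reach the Internet.
# Interface names br-lan, br-iot and wan are assumptions for this example.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed below may flow back.
        ct state established,related accept

        # The trusted LAN may reach the Internet and may initiate
        # connections to IoT devices (for example a phone app controlling
        # a camera). Because IoT replies are covered by the conntrack
        # rule above, IoT devices never need to initiate toward the LAN.
        iifname "br-lan" oifname { "wan", "br-iot" } accept

        # IoT devices may reach the Internet for updates and cloud services.
        iifname "br-iot" oifname "wan" accept

        # Anything an IoT device tries to start toward the LAN is refused
        # explicitly, so the intent is visible even though the default
        # policy is already drop.
        iifname "br-iot" oifname "br-lan" drop

        # Log whatever else is dropped so unexpected traffic from a
        # compromised device shows up in the router's logs.
        log prefix "fwd-drop: " drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; the log lines make it easy to spot a device that suddenly starts probing the LAN or flooding outbound, which is exactly the behaviour the DDoS botnets described earlier rely on.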

It’s a brave and wonderful world out there; some have even said that IoT is the next industrial revolution and will completely change the world and how we interact with it. Brands and consumers alike are looking for ways to take advantage of this opportunity.

The most important thing you can do is understand that by being on the Internet, having devices on a connected network, and collecting and transmitting data across the Internet, you are creating potential vulnerabilities. You have to assume every new device added is an attack vector and protect yourself and your customers, ideally by following the best practices mentioned above.
