Securing Your Digital Transformation: IoT
Amy Stokes-Waters
The Cyber Escape Room Co. | Security Education, Awareness & Engagement | Experiential Learning | Corporate Events | Non Exec Director | Full Time Feminist | Oh FFS...
IoT: The Internet of Things. The name sounds like a buzzword - something you probably wouldn't think is a part of your life. But I bet if you looked around your home, you've actually got loads of IoT devices - you just don't realise it. An Amazon Firestick, smart watch, smart doorbell, wireless printers, and security cameras all qualify as IoT.
You see, the Internet of Things is exactly what it says on the tin: things that are connected to the internet. As next-gen technology is a high priority for cutting edge organisations, is there a chance we could be acting too hastily when installing new tech and forgetting about the security angle?
IoT and Security
Not long ago, the Internet of Things sounded like it was decades away; the connected home sounded like something from Back to the Future, but thanks to exponential tech growth, widespread internet connection, and a little boost from AI, the future is here, Marty! And boy do these devices (Mc)fly off the shelves.
From smart fridges to smart TVs, heating systems to doorbells, watches to security cameras, it's all connected to the internet nowadays. But don’t get too comfortable – each of these devices can pose a security risk.
If you're sat there thinking "who wants to hack my house?", you're in the same boat I was a while back, until I started seeing stories like this one where a hacker hijacked a US family's Nest system and started playing music described as ‘vulgar' (at least it wasn't Justin Bieber), as well as talking to the family through their smart TV and switching up their thermostat. This is an attack vector that's just opening up, and with IoT becoming the tech du jour, it's only likely to expand.
Having organised a roundtable for the financial services (FSI) sector recently, where we plan to discuss IoT amongst other subjects, I've encountered some reluctance because IoT "isn't really in [their] roadmap" and their organisation isn't using it. How wrong these organisations are! Which company now doesn't use VoIP? Wireless printers, anyone? And hands up, Apple Watch users!
You see, this is where the intrinsic problem lies. Organisations aren't even aware of the tech that they're not securing because they don't even realise it needs to be secured. So, how do we fix it?
Getting Back to Basics
Using futuristic technology doesn't necessarily mean adopting futuristic security measures; when it comes to IoT, we actually need to go back to basics. After all, at the heart of it, all we're protecting is a device that's connected to a network, so we simply need to secure the device and the network – easy-peasy. Now, there are a few nuances, but when it comes down to brass tacks, that's the problem we're faced with.
First off, let's go back to security 101. If you've ever worked in IT or security, you'll know that the number one rule (apart from enabling MFA) is patch, patch, and patch some more. Updates are released not only to add shiny new functionality, but also because the vendor has found vulnerabilities that attackers could exploit. If the vendor brings out a firmware or software update for an IoT device, you had better have a really good reason for not applying it, otherwise you're leaving a window that a cyber-criminal will be more than happy to climb through. Two IoT-specific wrinkles: many of these devices don't update themselves, so someone has to own checking for firmware releases, and some never get another update at all once the vendor loses interest. A device that is out of support can't be patched, which leaves replacing it or isolating it from anything that matters.
Rule number one: patch!
Separate Your Networks
IoT devices aren't inherently secure, so next, let's think about securing the network. In a recent blog post from Zscaler they explain how they assessed device vulnerabilities following a recent DDoS attack that leveraged IoT devices. As an example, VoIP handsets were authenticating over plain HTTP, so their credentials crossed the network unencrypted and could be read by anyone able to see the traffic. A firewall at the network edge mitigates some of the risk, because it limits who gets to see that traffic in the first place, but it does nothing for data in transit: only encrypting the session (HTTPS/TLS, or the equivalent for the device's protocol) protects that. And what happens if the network it's connecting to isn't secured properly? Well, that data is left wide open.
People intercepting phone calls might not seem like such a big deal, but look at the recent case where deepfake AI was used to recreate a CEO's voice from recordings of him speaking, and then used to commit financial fraud to the tune of $243,000, and the risk starts to come into focus.
When we're playing with potentially unsecured devices, it's better to separate our network out and put IoT on its own segment (a separate VLAN or Wi-Fi SSID behind its own firewall rules, or a separate router entirely) rather than on the one used for our main corporate network. The rule between the two should be default-deny from the IoT side, allowing only what the devices actually need: typically DNS, NTP and their vendor's cloud service. Hackers like to move laterally: they'll hack one device and move through the network wherever they can to get to their golden ticket (admin credentials, data, etc.). If we separate out the network, hackers may be able to access other IoT devices but won't get the keys to the castle.
While this works for corporate environments, in a consumer one, it's recommended to not connect devices that you don't need to. Just because your smart TV can connect to the internet, doesn't mean it has to. Only use it if you need to.
Rule number two: separate your networks.
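One way to check that the separation actually holds, rather than assuming it does, is to run your firewall's allowed-flow records through a policy check. The script below is an added example for this article, not the author's code: the address plan, the zone policy, the two DNS/NTP exceptions and the flow records are all constructed assumptions, and it generalises the IoT-to-corporate case in the text to a small zone matrix (guest traffic is checked too). It only flags flows the firewall allowed; a denied flow is the segmentation working.

```python
"""Verify that IoT-to-corporate segmentation actually holds, using flow records.

Added example for this article (not the author's or any vendor's code). The
address plan, the zone policy and the flow records below are constructed
assumptions for illustration; a real deployment would feed firewall or
NetFlow/IPFIX exports through its own parser into check_flows().
"""
import ipaddress

# Assumed address plan: one subnet per zone.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "iot": ipaddress.ip_network("10.30.0.0/16"),
    "guest": ipaddress.ip_network("10.50.0.0/16"),
}

# Zone pairs (src, dst) that may talk freely. Note what is missing: nothing
# from "iot" or "guest" may initiate to "corporate", and "guest" may not reach "iot".
ALLOWED_PAIRS = {
    ("corporate", "corporate"), ("corporate", "iot"), ("corporate", "internet"),
    ("iot", "iot"), ("iot", "internet"),
    ("guest", "internet"),
}

# Narrow exceptions to the pair policy: (src zone, dst host, dst port).
# Here: IoT devices may use the corporate DNS and NTP servers, nothing else.
EXCEPTIONS = {
    ("iot", "10.10.0.53", 53),
    ("iot", "10.10.0.123", 123),
}


def zone_of(addr):
    """Map an address to a zone name; public addresses are 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet" if ip.is_global else "unknown"


def parse_flow(line):
    """Parse 'TIMESTAMP key=value ...' into a dict (dport as int)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": ts,
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "proto": fields["proto"],
        "action": fields["action"],
    }


def is_violation(flow):
    """True if an *allowed* flow crosses zones in a way the policy forbids.
    Denied flows are the firewall doing its job and are not violations."""
    if flow["action"] != "allow":
        return False
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if (src_zone, dst_zone) in ALLOWED_PAIRS:
        return False
    return (src_zone, flow["dst"], flow["dport"]) not in EXCEPTIONS


def check_flows(lines):
    """Return the flows that violate the segmentation policy."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if is_violation(flow):
            violations.append(flow)
    return violations


# Constructed flow records (not real traffic). The camera on 10.30.1.40 reaching
# a corporate file share on 445 is exactly the lateral movement rule two exists
# to stop; the guest laptop reaching a corporate web server is the same problem.
SAMPLE_FLOWS = """
2024-05-01T10:00:01Z src=10.30.1.12 dst=93.184.216.34 dport=443 proto=tcp action=allow
2024-05-01T10:00:02Z src=10.30.1.40 dst=10.10.2.5 dport=445 proto=tcp action=allow
2024-05-01T10:00:03Z src=10.30.1.21 dst=10.10.0.53 dport=53 proto=udp action=allow
2024-05-01T10:00:04Z src=10.30.1.40 dst=10.10.2.7 dport=22 proto=tcp action=deny
2024-05-01T10:00:05Z src=10.10.5.9 dst=10.30.1.40 dport=80 proto=tcp action=allow
2024-05-01T10:00:06Z src=10.50.3.3 dst=10.10.2.5 dport=443 proto=tcp action=allow
2024-05-01T10:00:07Z src=10.30.1.21 dst=10.30.1.22 dport=5060 proto=udp action=allow
""".splitlines()

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(f"{v['ts']} {zone_of(v['src'])}->{zone_of(v['dst'])} "
              f"{v['src']} -> {v['dst']}:{v['dport']}/{v['proto']} allowed but forbidden by policy")
```

Run as-is it prints the two offending flows. With real logs, any hit is either a firewall rule that is wider than the policy or a device sitting in a segment it shouldn't be in; both are worth chasing before an attacker finds them.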
Next, UPnP
Because a lot of IoT devices are intended for consumer use, they ship with default settings intended for easy set-up - for example, default credentials, which are the same on every unit and usually printed in the manual, so anyone can look them up. Where possible, you should be looking to change these to something more secure, implement MFA where available, and always think about your password complexity. (If you need some help with your identity security, then here's one I wrote earlier...)
The other default setting commonly used is Universal Plug and Play (UPnP). In a corporate environment, this should always be switched off. UPnP lets devices on a network find each other and set up services with no configuration: every device announces itself and answers search requests, and on a router the Internet Gateway Device profile lets any host on the LAN ask for an inbound port to be opened through the firewall, with no authentication at all. Great when grandma wants her Chromecast to work so she can catch up on Antiques Roadshow…not so great on the network holding all of that juicy corporate data, where one compromised device can quietly expose itself (or something else) to the internet.
Rule number three: switch off UPnP
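Before you can switch UPnP off you need to know what is advertising it. The script below is an added example, not from the article or from any UPnP project: it builds the SSDP M-SEARCH request that UPnP discovery runs on, parses the replies, and flags any responder advertising the Internet Gateway Device profile, which is the router-side port-mapping service. The addresses, SERVER banners and replies in it are constructed, not captured from real devices; the only live part is discover(), which needs a real network.

```python
"""Inventory the devices answering UPnP (SSDP) discovery on the local segment.

Added example for this article, not code from the author or from any UPnP
project. SSDP is UPnP's discovery protocol: devices listen on multicast
239.255.255.250:1900 and answer an HTTP-formatted M-SEARCH, so whatever
answers is advertising UPnP services. A responder whose ST/USN names
InternetGatewayDevice is a router exposing the UPnP port-mapping service.
The sample replies below are constructed, not captured from real devices.
"""
import socket

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900
IGD_MARKER = "InternetGatewayDevice"


def build_msearch(search_target="ssdp:all", mx=2):
    """Build the M-SEARCH request; ST: ssdp:all asks every device to answer."""
    request = (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    )
    return request.encode("ascii")


def parse_ssdp_response(raw, sender):
    """Parse one SSDP reply into lower-cased headers plus the sender address.
    Returns None for anything that is not an 'HTTP/1.1 200 OK' response
    (for example the NOTIFY announcements devices also multicast)."""
    text = raw.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {"from": sender}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_gateway(headers):
    """True if the responder advertises the Internet Gateway Device profile."""
    return any(IGD_MARKER in headers.get(h, "") for h in ("st", "usn"))


def inventory(replies):
    """replies: iterable of (sender_ip, raw_bytes). Returns one record per USN."""
    found = {}
    for sender, raw in replies:
        parsed = parse_ssdp_response(raw, sender)
        if parsed is None:
            continue
        key = parsed.get("usn", sender)  # a device answers once per service; de-dupe on USN
        found[key] = {
            "from": parsed["from"],
            "server": parsed.get("server", "?"),
            "location": parsed.get("location", "?"),
            "gateway": is_gateway(parsed),
        }
    return list(found.values())


def discover(timeout=3.0):
    """Live discovery on the local network (needs a real LAN; not run by the tests)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        while True:
            data, addr = sock.recvfrom(65535)
            replies.append((addr[0], data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return inventory(replies)


# Constructed replies: a router running a UPnP IGD stack, a smart-home bridge,
# and a multicast NOTIFY that is not an answer to our M-SEARCH at all.
SAMPLE_REPLIES = [
    ("192.168.1.1",
     b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
     b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
     b"SERVER: Linux/4.4 UPnP/1.1 MiniUPnPd/2.1\r\n"
     b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
     b"USN: uuid:0a1b2c3d-0000-4000-8000-000000000001::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"),
    ("192.168.1.20",
     b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=100\r\nEXT:\r\n"
     b"LOCATION: http://192.168.1.20:49152/description.xml\r\n"
     b"SERVER: Linux/3.14 UPnP/1.0 SmartBridge/1.0\r\n"
     b"ST: upnp:rootdevice\r\n"
     b"USN: uuid:0a1b2c3d-0000-4000-8000-000000000002::upnp:rootdevice\r\n\r\n"),
    ("192.168.1.99",
     b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n\r\n"),
]

if __name__ == "__main__":
    for dev in inventory(SAMPLE_REPLIES):
        flag = "  <-- gateway advertising UPnP port mapping, switch it off" if dev["gateway"] else ""
        print(f"{dev['from']:15} {dev['server']:40} {dev['location']}{flag}")
```

Run as-is it lists the two constructed devices and flags the router; swap inventory(SAMPLE_REPLIES) for discover() to query your own segment. Multicast does not cross routers, so run it from each VLAN you care about, and remember that disabling UPnP on the gateway removes the port-mapping risk but individual devices will keep answering SSDP until it is turned off on them too.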
Beware BYOD
While BYOD is a brilliant idea for things like mobile phones and laptops which can be easily secured and enrolled into secure MDM solutions, it's not such a great move when we're talking IoT.
Without the proper capabilities in place to track and assess risks associated with IoT devices, it's best to keep BYOD out of the workplace in this instance. If your CEO really wants to hook his smartwatch up to the corporate network, then make sure it's on a guest wi-fi network without access to the goodies on your corporate one.
Rule number four: be mindful of BYOD.
So, there are four golden rules - told you it was simple! If you want to discuss the security of your IoT devices further, then drop us a line and we'll be more than happy to discuss how we can help!
Ambassador for Digital Transformation (I.T Technician), 5 years ago:
Great read Amy! Very thought provoking!
Amy Stokes-Waters (author), 5 years ago:
James Neasmith here's my article that has the deepfake thing in it
We specialise in providing reliable and cost-effective transportation solutions for businesses, 5 years ago:
Great article Amy, the deepfake incident in particular is interesting and will have people reviewing their protocols!