The Internet of Things (IoT) has subtly crept into our daily lives over recent years – studies show that many of us aren’t even aware we’re using IoT devices!
IoT includes anything that connects to a network. That means your Fitbit, Alexa, Amazon Echo, smartwatches, pacemakers and even some features in your car are all part of the IoT.
And while these devices have made our lives easier, smarter and more enjoyable, experts at one of our recent UKFast webinars raised the issue that there is no widespread security or standardisation for IoT devices.
This means that all your personal data, like how many hours' sleep you’ve had or what food you like to buy, could be out there anywhere in the world because, let’s be honest, no one reads all the terms and conditions when there’s a nifty new device to play with.
Scary, right? Well, here are several important steps highlighted by our webinar speakers that you can take to make your IoT devices more secure.
The webinar experts:
No one enjoys reading the terms and conditions. However, according to Peter McGinnis, next time you get a new device it is worth skimming the small print for certifications that have been obtained by the manufacturer.
One example of certifications designed for IoT devices is the Underwriters Laboratories Cybersecurity Assurance Programme – UL CAP for short – which provides a standardised way of testing products. UL certification has three levels: Product Testing UL 2900-1, Product Testing UL 2900-2x and Process Testing 2900-3.
In the webinar, Peter refers to this as ‘segmentation’.
At home, many WiFi routers will support a guest network that visitors can connect to without compromising any shared files or devices on your main network. Using this method to separate IoT devices with questionable security is also a good idea.
This also applies to businesses that allow employees to bring their own IoT devices to work and connect to the WiFi network. At the very least, experts recommend that IoT devices are isolated to the guest WiFi so as to avoid internal network security issues.
In the case of, for example, medical devices, the advantage of having an IoT device fitted often far outweighs the risk of having insecure data. And as Lorenzo Grespan rightly pointed out: “Medical devices are thoroughly tested because the interest is to keep someone safe.”
However, if it’s just a coveted gadget, think about how your data is treated and if it’s worth the risk of it being shared. Peter also pointed out that some manufacturers send device data to their headquarters (which could be halfway across the world) for processing before the end user receives the information. Are you happy with that kind of exposure for your data?
Lorenzo stressed that new isn’t always the best option when talking about commercial devices.
He said: “In commercial industries, the aim is to push out as many products as possible to make a profit. This doesn’t really align with security; we often see regression because development overtakes security considerations.”
Lorenzo also said that waiting a few months for any teething problems to be resolved could save you and your data a headache. He went on to say: “Consumers must be cautious and assume IoT devices have a problem that will come to light eventually.”
Shockingly, Jed Kafetz revealed that people often keep the default password on their IoT devices. This poses a huge security risk, even though changing it is actually one of the easiest steps you can take to secure your network!
He said: “A lot of the devices [security testers] are able to get into are routers because people keep their default passwords. Routers control a network’s traffic so if we are able to capture one of them then we are able to control and monitor the traffic – we basically then own the network.”
*Casually runs home to change router password*
It’s all well and good changing your password once and making sure that your networks are separate, but if you don’t regularly change your passwords and keep an eye on what devices are connected then your efforts may be wasted.
For the highest level of security, passwords should be changed every few months or, at the very least, once a year. Long passwords of at least ten characters, which contain a mixture of numbers and letters, are the hardest to crack.
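One way to act on the segmentation and "keep an eye on what devices are connected" advice above, as an added example rather than anything shown in the webinar: the Python below parses a router's DHCP lease list in dnsmasq's lease-file format and flags unknown devices and IoT devices that sit on the main network. The lease lines, subnets and inventory are constructed assumptions; substitute your own.

```python
import ipaddress

# Constructed sample, dnsmasq lease format: expiry MAC IP hostname client-id
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.1.10 laptop 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 192.168.2.20 smart-speaker *
1700000000 aa:bb:cc:00:00:03 192.168.1.30 fitness-band *
1700000000 AA:BB:CC:00:00:04 192.168.2.40 * *
1700000000 aa:bb:cc:00:00:05
"""

# Assumed addressing plan: main LAN only (the guest network is everything else)
MAIN_NET = ipaddress.ip_network("192.168.1.0/24")

# Hypothetical inventory you maintain yourself: MAC -> (label, is_iot)
INVENTORY = {
    "aa:bb:cc:00:00:01": ("laptop", False),
    "aa:bb:cc:00:00:02": ("smart speaker", True),
    "aa:bb:cc:00:00:03": ("fitness band", True),
}

def parse_leases(text):
    """Return (mac, ip) pairs, skipping truncated or malformed lines."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            ip = ipaddress.ip_address(fields[2])
        except ValueError:
            continue
        leases.append((fields[1].lower(), ip))
    return leases

def audit(leases, inventory=INVENTORY, main_net=MAIN_NET):
    """Flag devices missing from the inventory and IoT devices on the main LAN."""
    findings = []
    for mac, ip in leases:
        entry = inventory.get(mac)
        if entry is None:
            findings.append((mac, "unknown device"))
        elif entry[1] and ip in main_net:
            findings.append((mac, "IoT device on main network"))
    return findings

if __name__ == "__main__":
    for mac, issue in audit(parse_leases(SAMPLE_LEASES)):
        print(f"{mac}: {issue}")
```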
Last but not least, the easiest way to avoid security issues is to not connect devices that don’t need to be connected. It’s as simple as that.
Security is a shared responsibility between manufacturers and consumers. Though it was agreed that manufacturers can do more to safeguard the data stored on IoT devices within the design process, it is also up to us as consumers to make the devices as secure as possible.
If you want to know more about how you can secure IoT devices, watch our free on-demand webinar.