The Internet of Things: Is it safe? How can you make it safer?
The “Internet of Things” (aka: “IoT”). Maybe you’ve heard of it, maybe you haven’t, but chances are, it’s heard of you. You’re part of it if you own a smart speaker like Amazon Alexa or Google Assistant, or a web-connected video camera, or a smart TV, lock, thermostat, or light bulb, or even a wearable activity tracker.
IoT devices have computers and internet connections built in. That’s what makes them “smart”: they can process data, connect to outside services, and, increasingly, figure out what to sell you and how to convince you to buy it.
But it also makes them a potential security risk. Anything connected to the internet can conceivably be hacked and remotely controlled by someone else. And if it’s also connected to all your other home devices, it might be used to break into those, too.
How serious a risk is this? And how can you reduce it, even if you can’t completely eliminate it?
Beyond the inherent risks of anything “internet-connected,” early IoT devices often disregarded security in strikingly careless ways. Frequently, manufacturers paid virtually no attention to security, prioritizing ease of use and the lowest possible cost.
The result: hackers gained control over millions of devices, and used them to launch coordinated attacks on websites they chose (or were paid) to victimize. In other cases, baby monitors have been hacked by troubled individuals who seem to enjoy spying on babies and their parents. Many other networked IoT devices with cameras, such as security systems, have also been revealed to include major security holes. Some even had deliberate backdoors built into them for the manufacturer to access at will.
There have been few standards for IoT home security, but they’re beginning to emerge. Recently, Mozilla, the Internet Society, and Consumers International established five voluntary guidelines for IoT devices. They say IoT devices should:
- encrypt all network communications;
- install security updates automatically;
- require users to define their own strong passwords;
- have a system for managing newly-discovered vulnerabilities;
- and offer clear, easy-to-find privacy policies.
That’s basic stuff, and it doesn’t guarantee that a device is safe. But it’s a good start – especially because a companion site, Privacy Not Included, is compiling lists of products that do and don’t meet these standards. Even some slick, brand-name devices still fall short. Check before you buy.
(In January 2020, California will mandate its own basic IoT security standards. After that, you may start seeing products that claim to meet California standards – and choosing these may also make sense.)
What about devices you already own? Do an informal audit.
Walk around your home, and identify any device that might be connected to the internet. Disconnect anything you’re no longer using. (That’ll save electricity, too.)
Now, dig out the manuals if you have them. (Search for them at the manufacturer’s website if you don’t). If the product comes from some obscure company that can’t be found on the internet (or offers only bare bones instructions that ignore security), it’s a bigger risk.
With manuals in hand, look for ways to:
- Change the password for each device. Many IoT devices are set up with standard out-of-the-box passwords that hackers can easily discover. Change them to unique passwords only you know.
- Turn off risky features you may not need. One example is UPnP, which helps devices find each other, but has often been implemented unsafely. Akamai recently found devices from 73 manufacturers with significant UPnP security flaws. Turn off UPnP and see if that causes problems with your device; you may be fine without it. So, too, if your smart refrigerator can be managed remotely across the internet, that might be a feature you could live without.
- Update firmware. Sometimes manufacturers provide security updates to the software built into your device. The manual should tell you where to find these and how to install them.
Finally, let’s turn to how your network is organized. To begin with, your devices should be behind a firewall, protected from the public internet. (If they connect through a wireless router that has a firewall turned on, you’re probably okay there.)
But ideally, you should go a step further: set up a guest network that cordons off your IoT devices from your home computers, laptops, and storage devices, so hackers can’t hop between the two. Many modern routers let you do this. (Again, find the manual: the details vary by manufacturer and model.)
You’ll generally start by browsing to a web page where your administration tools can be found, and entering your password. Once you’re in, name your guest network and establish its own security settings, including its own password.
Finally, once you’ve set up your guest network, make sure your IoT devices are connected to it, not to your main network. That might involve resetting them and entering new credentials.
We admit: all that work is a pain. But you only need to do it once. Then you can take advantage of the cool stuff IoT devices deliver, without that nagging concern: who’s breaking in and “owning” me?