This week’s theme of National Cybersecurity Awareness Month is “If You Connect It, Protect It”. In keeping with this theme, today I would like to talk about one of the largest growing areas of technology, the Internet of Things (IoT). The impact of IoT is immensely broad, affecting the way we travel, how we shop, the way businesses keep track of inventory, and much more. But what is the Internet of Things, how does it work, and ultimately, why should we care about it, and what, if anything, should we do about it?
The Internet of Things – What Is It?
In short, the Internet of Things is a network of Internet-connected devices that can gather and share electronic information. IoT fuses the physical world and the digital world together, bringing inanimate objects to life – connecting them to each other, to other things, and to ourselves – in order to gain context from our environment, to improve experiences, to create new ways of understanding the world around us.
Cars, appliances, wearables, lighting, healthcare, and security systems all increasingly contain sensing devices that can talk to other machines and trigger additional actions. An IoT device that directs your car to an open spot in a parking lot, mechanisms that control energy use in your home, control systems that deliver power to the University, sensors that determine inventory levels, and “smart” devices that track your eating, sleeping, and exercise habits are just some examples of the IoT’s variety and scope.
Why Should We Care?
IoT is growing rapidly, both in the number of devices and in the sheer amount of information generated. One of the aims of the IoT is to reduce the toil of routine and repetitive tasks and to increase efficiencies and insights based upon data collected. But such connectivity and convenience require that we share more information than ever. According to the International Data Corporation (IDC), in 2025, there will be 41.6 billion connected IoT devices generating 79.4 zettabytes of data (which is almost 74 trillion gigabytes).
Once generated, that information can also be collected, as vendors of “smart” devices often do. The inclusion of visual, audio, and other sensory measures within IoT devices should give individuals and businesses pause in deploying such devices, given some of the inherent privacy and security risks that may exist; specifically, what exactly are these systems recording within their environments, and does that include personal and/or sensitive conversations that were never meant to be shared with the IoT vendor and their contractors? According to a recent study by Mon(IoT)r Research Group at Northwestern University, “smart” speakers accidentally activate as many as 19 times a day, recording as much as 43 seconds of audio each time.
This example is not intended to cause paranoia but to foster awareness that the privacy and security of these devices and the information gathered are not always guaranteed. Though many security and resilience risks are not new, the scale of interconnectedness created by the Internet of Things increases the consequences of known risks and creates new ones. Attackers can take advantage of this scale to infect large segments of devices at a time, allowing them access to the data on those devices, or to attack other computers or devices with malicious intent.
What Can We Do?
The Internet of Things aims to make our lives easier and can offer a variety of benefits, but we can only realize these benefits if our Internet-enabled devices are secure and trusted. The following are important steps you should consider when selecting an IoT device and then making that device more secure.
Do your homework. Before purchasing a new IoT device, do your research. Look online to see if there have been any security/privacy concerns, check user reviews, and review what security features the device has or does not have.
Configure your Privacy and Security Settings. Most devices offer a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more vulnerable to being attacked. It is important to examine these settings, particularly security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of software, or if you become aware of something that might affect your device, reevaluate your settings to make sure they are still appropriate.
Disable features you may not need. IoT devices often come with features you will never need or use. If you can, disable those features to protect your privacy and enhance your security.
Think of where you put them. Especially for listening devices or those with cameras or other visual sensors, think strategically about where you place them in your home. Do you want these devices in a child’s room or where you have sensitive family or work discussions? Designate some of your home areas as “safe” rooms from IoT devices.
Ensure you have up-to-date software. When manufacturers become aware of vulnerabilities in their products, they often issue patches to fix the problem. Patches are software updates that fix a particular issue or vulnerability within your device’s software. Make sure to apply relevant patches as soon as possible to protect your devices.
Connect carefully. Once your device is connected to the Internet, it could allow attackers access to your device. Consider whether continuous connectivity to the Internet is truly needed and consider putting your IoT devices on a guest network. Why? Because if that device is compromised, it will not grant an attacker access to your primary devices and information.
Change default usernames and passwords. Passwords are often the only barrier between you and your personal information. Many IoT devices are configured with default passwords to simplify setup; however, default passwords are almost equivalent to having no passwords. Default passwords are easily found online, so they do not provide any protection. Create long and unique passphrases for all accounts and use multi-factor authentication (MFA) wherever possible to help secure your devices.
If you are assessing IoT devices for deployment at the University, please contact the IT Help Desk so we can determine the appropriate measures to best safeguard the device.
For more information regarding the Internet of Things, please refer to the following:
- Federal Trade Commission: Buying or selling a “smart” home?
- National Institute of Standards and Technology (NIST): What is the Internet of Things (IoT) and How Can We Secure It? (7 minute video)
- Online Trust Alliance
- Open Web Application Security Project (OWASP):
- Atlantic Council
- Department of Homeland Security
-Submitted by Jonathan Wagner