Today, there are many smart devices in our homes that do our jobs for us. Most of these devices can connect to the internet. They can receive information from the environment using sensors (temperature, humidity, motion, etc.) and they can be managed remotely with mobile devices. These devices, smarter than any we have seen before, are called Internet of Things (IoT) devices. However, there might be some unpleasant aspects of IoT devices. Are you aware of the risks, threats and security issues of the IoT devices we use in our homes?
An interesting fact about IoT: the expression was first used by Kevin Ashton in a presentation in 1999!
To better understand the threats against these IoT devices, we need to look at some example IoT devices and their features.
If you want your coffee to be ready when you get up in the morning, you can get a smart plug, with prices starting from $10. Features:
Why shouldn't we use technology to be safe? Features:
Almost everyone uses a camera when they go to work leaving their baby at home. Features:
Don’t you want to receive daily brushing reports in your e-mail? Features:
Assigning the daily tasks to a robot sounds cool, right? Then, try smart cleaners. Features:
The IoT devices mentioned above definitely make our lives easier and better (yes even the toothbrush does that). Everyone agrees on this matter. We only want to draw attention to the risks and threats of using these IoT devices in our homes.
As you can see, there are lots of threats and vulnerabilities when IoT device characteristics are considered. For example, if you can access your microphone remotely, why can't a malicious attacker do that as well?
Similarly, what happens if an electronic device starts to work due to a smart plug error when it is supposed to be turned off?
No one wants malware to start operating smart home security systems by accessing your smartphone application.
You have bought a security system for your home. You started to manage this system remotely from a mobile application. What happens if your phone is infected with malware and this malware starts using the application?
Or what happens when your smart devices become slaves (a botnet) for someone else and start mining cryptocurrency? No one wants to pay higher electricity bills.
You get the idea!
Let’s generally categorize the IoT device security risks for home users.
Firstly, let's look at the limitations of IoT devices for security hardening.
Making changes on IoT devices to make them more secure might not be as easy as it sounds. Lots of IoT devices are designed for end users, so these devices do not have advanced modes to change security settings. Almost no IoT devices have a debug mode, and you cannot see what is happening inside the device. We have lots of gadgets for security testing of IoT devices, but it can be challenging even for us.
Generally, IoT devices do not have an update mechanism. By update mechanism we mean an automatic or easy method to apply any software patches. Let’s be realistic: an end-user cannot follow the firmware update process step by step. They need an easy and clean update mechanism.
IoT devices do not use well-known protocols. Because of that, security researchers cannot apply old methods or software to check IoT device security.
Producers fail to give enough information to determine whether using an IoT device is secure or not. You cannot be sure about important things such as getting regular security updates or using the best practices to share information over the network.
Attention: If you are working in the IoT industry, please follow the 'Code of Practice for consumer IoT security' document published in 2018 by the government of the United Kingdom.
So far, we have talked about some security limitations of IoT devices. It’s time to learn what we can do as end users.
Most of the threats against IoT devices come from the Internet. Malicious people need to be physically close to your system for any internal threat to pose a real risk. Although this is not impossible, scenarios seen on the internet show that the likelihood is really low.
Do research about the manufacturer before buying the device. Is the manufacturing company large enough to provide support when you need it? Has the product been updated before? How can you update the product? If you can, go to the manufacturer's official website and see if there is any information about vulnerabilities or cyber security issues.
Check for updates regularly. Unfortunately, you have to check all critical software updates for your IoT devices manually. If there is an update, download it and patch the software as soon as possible.
Pay attention to mobile phone security. Note that although this is an entirely different subject, many IoT devices have a mobile app. If a person can control your phone, that person can also control these apps.
Make sure your router (modem) is secure. Some IoT devices need a modem configuration to be accessed remotely. If you are using any port forwarding rule or if you have any misconfiguration on your modem, an attacker can access your IoT devices as easily as you can. This is the worst-case scenario for IoT devices. The reason is that not only hackers but also companies running search engines that index TCP ports and service banners (such as ZoomEye and Shodan) are scanning the internet. In this sense, you need to keep in mind that you are not invisible. You can use a free router/modem security scan service to check your open ports and services.
If you can, restrict your IoT device's internet access. Don't you think it is scary to have an IoT device with a microphone or camera that can access the internet?
Do not ignore the risks of IoT devices that connect with the physical world. It may be a good idea to have insurance for possible worst-case scenarios. This might be another sensor or an alarm mechanism separate from the built-in sensors of the IoT device that might pose a risk.
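To go with the router and open-port advice above, a check run from inside your home network shows which services each of your own devices is listening on, which tells you what a port forwarding rule would expose. This is an added example, not part of the original article; the device addresses and the port list are assumptions made up for illustration.

```python
import socket

# Ports often found on home IoT gear. This selection is an assumption
# for the example, not a list taken from the article.
COMMON_PORTS = {
    23: "telnet",
    80: "http",
    443: "https",
    554: "rtsp (camera video)",
    1883: "mqtt",
    8080: "http-alt",
}

def is_open(host, port, timeout=0.5):
    """Return True if a TCP connection to host:port is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        # connect_ex returns 0 on success and an error code otherwise
        # (refused, timed out), so closed ports do not raise.
        return s.connect_ex((host, port)) == 0

def audit_device(host, ports=COMMON_PORTS, timeout=0.5):
    """Return {port: service} for every listed port the device accepts."""
    return {p: name for p, name in ports.items() if is_open(host, p, timeout)}

def audit_home(devices, ports=COMMON_PORTS, timeout=0.5):
    """devices is {label: ip}. Only devices with open ports are reported."""
    report = {}
    for label, ip in devices.items():
        found = audit_device(ip, ports, timeout)
        if found:
            report[label] = found
    return report

if __name__ == "__main__":
    # Constructed inventory: replace with the addresses of devices you own.
    my_devices = {"baby-camera": "192.168.1.50", "smart-plug": "192.168.1.51"}
    for label, found in audit_home(my_devices).items():
        for port, service in sorted(found.items()):
            print(f"{label}: port {port} ({service}) is listening")
```

Any service reported here that you do not use is a candidate for disabling on the device, and none of these ports should appear in a router port forwarding rule unless you set that rule up on purpose.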
That’s all for now. Be safe and contact us if you want more information.
IoT definitions given here are collected from different sources. Although the definitions are different from each other, 'sensors' and 'automated' communication seem to be common for all the definitions.
By the way, our favorite definition comes from Wikipedia.
Wikipedia definition: The Internet of things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
A definition from a White Paper: The IoT is comprised of smart machines interacting and communicating with other machines, objects, environments and infrastructures. Source: KOZLOV, Denis; VEIJALAINEN, Jari; ALI, Yasir. Security and privacy threats in IoT architectures. In: BODYNETS. 2012. p. 256-262.
A definition from an article: The Internet of things (IoT) provides an integration of various sensors and objects that can communicate directly with one another without human intervention. The “things” in the IoT include physical devices, such as sensor devices, which monitor and gather all types of data on machines and human social life. Source: Alaba, Fadele Ayotunde, et al. "Internet of Things security: A survey." Journal of Network and Computer Applications 88 (2017): 10-28.
A government definition: Internet of Things (IoT): Communication of multiple devices and machines connected to the internet through multiple networks. Source: citc.gov.sa