According to a 2014 HP report, titled “Internet of Things Research Study,” 70 percent of the most commonly used Internet of Things (IoT) devices contain vulnerabilities involving password security, permissions and encryption.
“While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface,” said Mike Armistead, vice president and general manager, Fortify, Enterprise Security Products, HP, in response to the report.
So what challenges should you be aware of when it comes to IoT? Here are the three biggest issues, and what steps you should take to protect sensitive data when using non-traditional Internet-enabled devices.
Concern No. 1: Unlawful surveillance/invasion of privacy
“The Internet-connected modules installed on various devices (e.g., cars, toys, home appliances, etc.) can be used for unlawful surveillance,” says Daniel Dimov, security researcher, InfoSec Institute. “For example, an Internet-connected door lock can be used to monitor when a person enters or leaves their home,” he says. And smart TVs and child monitors can watch you.
“These types of threats are not merely speculative,” he adds. “Vulnerabilities have been found and documented in several Internet-connected modules installed in cars, medical devices and children's toys.” And let us not forget Samsung Smart TVs.
“Before you buy a connected device, do your research,” says Caroline Tien-Spalding, senior director of marketing at ArcSoft, a photo and video imaging software development company. “How is your data protected and encrypted? Where is it stored? Does it include an option for a public stream?”
One way “to defend against IoT attacks is to segment your network, which means creating two different networks in your house, separating your IoT devices from the network that houses your personal computer and mobile devices,” says Stephen Coty, director of Threat Research at Alert Logic, which provides security and compliance solutions for the cloud.
“This will help limit the exposure if you are compromised through an IoT device,” he says. “Personally, I have three different networks in my house. One for my IoT devices, one for my family to use with their personal devices and another that I use for my workstations and servers as part of my job.”
Also be sure to “change your connected device password,” as soon as you install the IoT device, says Kent McMullen, senior director, Internet of Things, Symantec. “Since most connected devices have IP addresses, hackers can find a way to access them. Enterprises and consumers can protect themselves, [however,] by changing default usernames and passwords immediately after installation and regularly updating these credentials.”
Just “ensure that the passwords you're creating for IoT devices are unique and complex [i.e., include a combination of uppercase and lowercase letters, numbers and special symbols], as many IoT devices only require the use of simple passwords or other simple authentication methods to manage themselves, allowing attackers to eavesdrop on the data stream,” adds Aamir Lakhani, security strategist, FortiGuard Threat Research and Response Labs at Fortinet, a network security company.