In this blog, our partners at East Midlands Special Operations Unit (EMSOU) promote good cyber security among businesses and the public.
Smart watches, televisions, baby monitors, security cameras, environmental controls and even fridge freezers - all are examples of IoT (Internet of Things) devices, as they use Wi-Fi or cellular networks, such as 4G or 5G, to connect to the internet.
Unfortunately, many IoT devices were built with very little security in mind – famously illustrated by a presentation given to the Wall Street Journal CEO Council in April 2018, where it was reported that hackers had breached an automated thermostat of a casino aquarium and, through it, had stolen the casino’s high-roller database.
Fishing attacks aside, a recent study suggested that 84% of more than 3,000 companies had admitted to having some type of IoT breach.
Indeed, one of the biggest drivers for IoT is the requirement to run buildings as efficiently as possible.
In this respect, the convenience of intelligent devices controlling and reporting on power, lighting, heating and ventilation, as well as physical security, is apparent.
These systems have to be visible and accessible both internally and externally via the internet, which could unlock back doors into an organization’s core systems and data.
Purchasing strategies to minimise security risks
➼ Look for a reputable manufacturer, which might increase the likelihood of purchasing a device with security built in from the get-go.
➼ Look for a reputable retailer, who may have stricter rules with regard to the supply chain, ensuring that the device gets to you as intended by the manufacturer.
➼ Look for devices that permit changes to the default password. A default password is easily discovered from the vendor and provides poor cyber security. Use 3 random words with a sprinkling of upper and lower case letters, digits and symbols for peace of mind.
➼ Look for devices that can be updated. Updates and security patches fix software vulnerabilities that are easily exploited by malicious cybercriminals. This is security 101!
➼ Look for a device that does only what you need it to. This might seem rather obvious, but the more functionality the device offers, the more complex the software and firmware is likely to be. Unfortunately, complexity and security are not always the best of buddies. Ideally, you need to keep the attack surface to a minimum.
➼ Look at device connectivity. The majority of IoT devices (pump sensors, temperature gauges, etc.) use Telnet, which communicates in plain text without encryption. This includes any passwords used to authenticate to such systems. Not good! Consider instead SSH or TLS connections if available.
Management strategies to minimise security risks
➼ Security starts at home. According to a recent survey regarding IoT security:
• Fewer than 20% of respondents could identify the IoT devices in use
• 49% did not keep an inventory of devices
• 56% did not keep an inventory of IoT applications
• 58% could not determine if IoT and 3rd party safeguards were adequate
Simply put, you cannot defend your assets if you do not know they exist or how they operate. Nor can you manage these risks over time.
➼ Position Devices Securely. Installing an IoT device in a secure location could reduce the risk of physical compromise. Treat it like you would anything of value – behind lock and key!
➼ Use Logical Segmentation. This is especially helpful when IoT devices are intrinsically insecure, such as having no clear upgrade path or hardcoded passwords. By separating them onto a different network, you are preventing would-be assailants from using these devices as lily pads to leapfrog onto other systems.
➼ Disconnect IoT where possible. Sometimes, the device does not need to be externally accessible (via the internet), just internally accessible (via the LAN). Connect to the former only when necessary to reduce the likelihood of an attack. Indeed, if the device is likely to be unused for any length of time, it might be worth turning it off completely. Be mindful to update and patch every time you reconnect.
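The inventory, segmentation, connectivity and patching advice above can be turned into a repeatable check. The following is an added example, not part of the original blog; the device records, the 10.20.0.0/24 IoT segment and the 180-day patch window are constructed assumptions.

```python
import ipaddress
from datetime import date

# Constructed policy values (assumptions, not taken from the blog).
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
MAX_PATCH_AGE_DAYS = 180

# Constructed inventory, keyed by MAC address.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "lobby-thermostat", "needs_internet": False, "last_patched": date(2024, 5, 1)},
    "aa:bb:cc:00:00:02": {"name": "car-park-camera", "needs_internet": True, "last_patched": date(2023, 1, 10)},
    "aa:bb:cc:00:00:04": {"name": "plant-room-sensor", "needs_internet": False, "last_patched": date(2024, 4, 2)},
}

# Constructed observations, e.g. merged from DHCP leases and firewall rules.
OBSERVED = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.20.0.11", "services": ["ssh"], "internet_exposed": False},
    {"mac": "aa:bb:cc:00:00:02", "ip": "192.168.1.40", "services": ["telnet", "http"], "internet_exposed": True},
    {"mac": "aa:bb:cc:00:00:03", "ip": "192.168.1.77", "services": ["telnet"], "internet_exposed": True},
]

def audit(inventory, observed, today):
    """Return (device, finding) pairs for every check a device fails."""
    findings, seen = [], set()
    for host in observed:
        seen.add(host["mac"])
        record = inventory.get(host["mac"])
        label = record["name"] if record else "unknown " + host["mac"]
        if record is None:
            findings.append((label, "not in inventory"))
        if ipaddress.ip_address(host["ip"]) not in IOT_SEGMENT:
            findings.append((label, "outside IoT segment"))
        if "telnet" in host["services"]:
            findings.append((label, "plain-text Telnet enabled"))
        if host["internet_exposed"] and not (record and record["needs_internet"]):
            findings.append((label, "internet exposure not justified"))
        if record and (today - record["last_patched"]).days > MAX_PATCH_AGE_DAYS:
            findings.append((label, "patch overdue"))
    # Inventoried devices that were never observed may be lost, moved or off.
    for mac in sorted(inventory.keys() - seen):
        findings.append((inventory[mac]["name"], "inventoried but not seen"))
    return findings

if __name__ == "__main__":
    for device, finding in audit(INVENTORY, OBSERVED, date(2024, 6, 1)):
        print(f"{device}: {finding}")
```
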
Disposal strategies to minimise security risks
➼ Perform a factory reset. This can sometimes erase data stored in local memory and will reset usernames, passwords and settings back to default.
➼ Disassociate the IoT device, by removing any pairings or permission to other devices, networks, associated applications or online accounts. An online account, in particular, will also need to be deleted if no longer required.
➼ Remove any removable media (e.g. USB flash drives, memory cards, etc.) attached to the device. Removable media may contain personal data that is not deleted in a factory reset and should be physically removed, physically destroyed and disposed of separately.
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to email@example.com. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).