What is IoT?
IoT stands for the ‘Internet of Things.’
It means you can start your washer, with your phone, from work. Your fridge will notify you when you are running low on milk and let you press a button to re-order. And you can wake up to the smell of fresh bacon without getting out of bed.
It is all your things, connected.
“It just means that computers with wireless technology are being built into everyday objects,” said Jim Feely with Archer Security Group.
During National Cybersecurity Awareness Month, Archer News is asking the experts at its parent company, Archer Security Group, for answers to your questions about cybersecurity.
Boon and burden
You may think the Internet of Things would make your life more convenient. But some companies developing the connected devices may have a different word in mind.
“The important term people should associate with IoT is ‘profit,’” Feely said.
The cost of making connected devices is very cheap, and getting cheaper, according to Feely.
“This lets everyone who makes a gadget connect it to the Internet at a very low cost, and then sell it to you at a premium and continually bill you for access to it,” he said.
But the profit they’re making off of you often does not go to security, Feely added.
That means we’re buying things like smart coffee makers that are hackable, and smart kettles that leave the digital doors wide open for people who want to steal your passwords and do damage, researchers say.
We’re snapping up “stupendously insecure” connected light bulbs that can let bad guys into your computer and your accounts online, according to security experts.
A security researcher reported that these smart light bulbs sold on Amazon have poor security.
We’re getting baby monitors that may give strangers a window into your child’s crib, and even talk to your baby through the monitor’s microphone.
“Part of the profit model for IoT is focusing almost entirely on functionality and marketing, with minimal resources going to secure the devices,” Feely said.
One connected device can cause you harm, but now attackers are turning hordes of vulnerable IoT devices into robot armies that can bombard a website with data and shut it down.
Last month, attackers rounded up more than a million security cameras and DVRs with bad passwords or weak defenses and used them to pummel the site of journalist Brian Krebs, who had reported about an operation waging these very same kind of IoT attacks, known as DDoS attacks.
Another similar attack lay siege to Newsweek’s site after it published a story on presidential candidate Donald Trump’s alleged illegal business dealings in Cuba, reported Ars Technica.
That means you and your smart device may be helping attackers take down websites and businesses.
“The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian [Krebs],” wrote cybersecurity expert Bruce Schneier on Motherboard last week. “The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features.”
“What this all means is that the IoT will remain insecure unless government steps in and fixes the problem,” Schneier added.
Screenshot of Newsweek article published before massive September cyber attack on its site.
A push for change
Some customers may care, but are not sure how to stop attackers from getting in and using their connected things for evil.
There is a push to make the process easier for customers and keep the Internet more secure.
The European Commission is discussing a plan to make manufacturers certify the security of their IoT devices, labeling them like the energy-usage labels on refrigerators and washers.
Two companies––Underwriters Laboratories and ICSA Labs—announced certification programs for connected devices this year.
The Cloud Security Alliance just released its guidelines to help businesses make their IoT devices secure.
And the Federal Trade Commission provides recommendations for companies developing connected things.
“The Internet of Things has the potential to offer enormous benefits to consumers. Innovative companies are already selling connected devices, apps, sensors, services, etc., unlike anything we’ve seen before,” the FTC recommendations say. “But businesses need to consider security, too.”
The FTC urges businesses to build security into their IoT products in the agency’s IoT recommendations. Image via FTC.
Drawing a line
You don’t want to mix IoT devices with the computers that you use for the important stuff, Feely advised.
“When possible, it’s best to separate these devices from other computers that perform sensitive functions,” he said.
At work, that may be crucial.
“Businesses, health care, and other security-conscious entities should avoid putting IoT devices on the same network as their sensitive computers,” Feely said.
But also at home, he recommended—try to separate your smart things from the phones and computers you use for banking and other activities that require protection.
“Separating them on a home network is difficult today,” he said. “I think in a couple of years the ability to do so will be a common feature on many home Wi-Fi routers though.”
What can you do?
Cybersecurity experts recommend you put a password on all of your smart things, even your refrigerator and toaster. And make it a long, complex password, instead of something like ‘Fridge123’. You can keep all of your passwords in a digital password safe.
If there is a default password on the device, change it right away. Attackers can find lists of default passwords for connected devices on the Internet.
Make sure your Wi-Fi network is secure. Add a password, read over the security options, and set up encryption.
You can also ask companies for their security certification labels. If they don’t have them, they may feel encouraged to get them—and get more secure—if there is popular demand.
For now, remember this: many connected things making up the IoT—door locks, TVs, fridges, light bulbs and more—may be smart, but not always secure.
The Archer News “What is…?” series will continue with more answers to your questions. If you want to know more about a cyber term, send your question to @KerryTNews on Twitter or submit your question through this link.