Be Safer in the Internet of Things on Safer Internet Day!
By Rebecca Herold
Feb 7, 2022
In 2010 there were ~800 million retail internet of things (IoT) devices sold. Back then they were primarily fitness trackers and early versions of security cameras and nanny cams. Today there are over 20 billion retail IoT devices that have been sold; over 25 times as many as in 2010!
Smart toys, drones, smart dog collars, smart toothbrushes, smart toilets, medical devices, sports devices (e.g., smart helmets), voice response systems such as Alexas, driverless vehicles, and the list could go on literally forever. Anything can be made into a “smart thing” that attaches to the internet.
In fact, beyond those retail sales there are an unknown number of additional IoT devices that have been created by individuals using such devices as Raspberry Pis. No one knows how many of these exist. But based on anecdotal and subjective estimates, the number is likely in the billions as well.
Because of the complexity of the IoT products, there are many security and privacy vulnerabilities within IoT products. And so they are also a favorite target of cybercrooks, cyber snoops, and others who want to know how, when and where you’re using your IoT products.
You have the security and privacy risks with the IoT device itself. Then there are also risks with the associated cloud services, the associated apps, the smartphones and laptops where the apps are loaded, the Wi-Fi networks, the public access, just to name a few of the many types of components that collectively are part of an IoT product.
So, in honor of February 8, Safer Internet Day, I urge you all to think about the IoT products that you have, use, or control. And also think about those IoT products that are being used in the vicinity of where you are located, potentially collecting your data, or recording audio, video or photos of the area.
For those IoT products that you own and control, do you have them sufficiently secured, to be safe from the threats of the internet? Here are some key checks to make to see if you need to make any improvements on Safer Internet Day.
Security Must-Haves for IoT Products
- Never use default passwords. Change the password as soon as you power up or activate the IoT device, and before you actually start using it.
- Implement multi-factor authentication (MFA). It is significantly more effective security than using just one type of authentication.
- Limit access to your information. Most IoT products have a portal you can access through a touch screen, or through an app, to see information about your use of the IoT device, the videos, audio, locations, etc. Make sure only you and those you completely trust have access. You can change the settings to ensure this. I’ve been an expert witness in two separate cases that involved stalking and domestic violence, where the attackers got access to the IoT device portals of their targeted victims, and then they used the monitoring information at those portals to track down exactly where each of their targeted victims was hiding from the attackers. And they each ultimately did assault their targeted victims; each almost to death. So, make sure you limit access to all the data that your IoT products are collecting.
- Verify that the security controls work. Many incidents have occurred because the security controls did not work as described. Before using your security and safety IoT products (or any types of IoT, for that matter), make sure the MFA, encryption, access controls, and all other security capabilities actually work.
- Disable capabilities not used and not needed. Cyberattackers have hundreds of free tools they use that can indicate when such capabilities are activated, but not being used. This attracts cyberattackers to use those capabilities because they know the home dweller or business owner will probably not notice someone using them. If you don’t need to use a capability, disable it!
- Identify who has access to your video and audio recordings. Your home and business are your private spaces. You should know who is watching and listening to what is going on within those areas. This includes all the third parties with whom your IoT manufacturer and/or vendor is sharing the live streams, audio, and video.
- If your data, audio, and/or video is being shared with entities you don’t want to have such access, ask the IoT manufacturer and/or vendor to immediately stop sharing your information with those entities. If they refuse, then consider discontinuing use of that IoT product, and find an IoT manufacturer and/or vendor that will respect and fulfill your information-sharing requirements.
- Document the contact information for the IoT products. If someone has taken over your security system, or you suspect someone is watching you through your security cameras, etc., you will need this information to contact the manufacturers. Also consider contacting your local police.
- Hold manufacturers to their privacy and security promises. Keep a copy of those privacy and security promises in a digital file folder on one or more of your computing devices. These promises will typically be within the product documentation, and other promises will be on the IoT product manufacturers’ websites in their posted privacy notices and security policies.
- Take training that teaches how to securely use the products. The IoT product manufacturer, vendor and/or retailers should make such training easily discoverable to their customers, and easy to use. There is (finally) a growing amount of such training in IoT manufacturers’ YouTube channels.
IoT security, privacy and compliance is one of the specialties of Privacy & Security Brainiacs. We have a wide and in-depth wealth of IoT security and privacy knowledge and experience spanning over the past sixteen years. Here are some additional resources to help you secure your IoT devices, at work and in your non-work life.
We also have some online IoT classes coming soon!