The connected home is conceived to improve our lifestyles and provide convenience. Along with that, we demand ease of use: something that we can plug in and use. Welcome to the Internet of Things (IoT). Currently, there are no enforced security standards for IoT devices, so when a company builds an IoT device, the priority is merely building the IoT device. In other words, IoT devices are going through the same evolution as most applications and cloud systems out there: the discovery that security is not the priority. And that means we are open to attack.
Jackson Shaw, Director Product Management at One Identity noted: “Home firewalls sold by ISPs like your local cable provider or mobile wireless company are all stuck in the 90s from a security/firewall perspective. They do not scan packets, look at source/destination of packets or do anything other than provide the most basic protection. They are simply woefully inadequate at protecting the average consumer from today’s threats. Is your local ISP themselves running advanced security and threat detection software internally for their customers and network? I certainly have no idea if my ISP does that. I hope they do but they’ve never, ever sent me an email about a threat or security concern.”
Jackson added: “As an example, take a look at the attached graphic. This is a historical analysis of my IP traffic via a commercial firewall installed in my house. I have an internet connected TV, thermostat, temperature/humidity monitors and a camera. Why is 6% of my traffic with China? Is it legitimate? Is it a hacker? Have I been hacked? I know I don’t order take away from China so I’m not sure where all that traffic is going or what it is!”
Other risks stem from the data these IoT devices collect, which could reveal a person’s individual movements. If compromised, this data could end up in the wrong hands. The company providing the data and storing it on behalf of the user needs sufficient measures in place to prevent that from occurring.
“Other considerations: I have a thermostat controlled via the internet. What if it was turned off during the winter when I am not at my cottage? Many people put tape over their laptop cameras. Many homes have IP-connected cameras. Who else is watching you or your property? Because so many IoT or IP-connected devices have not been security tested, we have no idea if hackers have taken over those devices to do nefarious things. They could potentially be used for DDoS services on a world-wide basis. Or your refrigerator might be doing its job for you *and* for someone else: http://www.bbc.co.uk/news/technology-25780908” - concluded Jackson.
There are measures that can be followed within the home to increase security. The Wi-Fi hub should be secured: changing the default administrative username and password on the hub, and on any IoT devices connected to it, should be a priority, as should setting a strong password for the Wi-Fi network. Then enable Wi-Fi Protected Access (WPA/WPA2) to provide encryption. Unnecessary communication protocols should also be filtered out at the home firewall. On the end-point (smartphone), ensure that key steps are taken: use a password or, if available, two-factor authentication, and set the device to auto-lock when it is not being used. Remember that the smartphone is effectively the control panel for your personal IoT devices. It is also worth looking at the configuration of each of the controlling apps: does an app really need microphone access, which turns it into a remote listening device if hacked? And always keep the apps up to date: patches are released regularly, and these often include security enhancements or remediation that help protect them further.
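One way to approach the question Jackson raises about his traffic breakdown, and to decide what the home firewall should filter, is to record where each device is expected to talk and flag anything outside that baseline. The Python below is an added example, not part of the original article; the log format, device names, baseline and prefix-to-region table are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-region table on RFC 5737 documentation ranges (stand-in for GeoIP).
REGIONS = {ipaddress.ip_network(p): r for p, r in
           [("192.0.2.0/24", "US"), ("198.51.100.0/24", "DE"), ("203.0.113.0/24", "CN")]}
# Hypothetical baseline: regions each device is expected to contact.
EXPECTED = {"tv": {"US", "DE"}, "thermostat": {"US"}, "camera": {"US"}}
# Constructed flow records: device, destination IP, destination port, bytes sent.
SAMPLE_FLOWS = """\
tv 192.0.2.10 443 60000
tv 198.51.100.7 443 20000
thermostat 192.0.2.20 443 8000
camera 192.0.2.30 443 6000
camera 203.0.113.5 8000 6000
camera not-an-ip 443 100
"""

def region_of(ip):
    """Map an address to a region label; 'unknown' if no prefix matches."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return next((r for net, r in REGIONS.items() if addr in net), "unknown")

def summarize(log_text):
    """Return ({(device, region): bytes}, number of unparseable lines)."""
    usage, skipped = defaultdict(int), 0
    for line in log_text.splitlines():
        try:
            device, ip, _port, size = line.split()
            key, nbytes = (device, region_of(ip)), int(size)
        except ValueError:  # wrong field count, bad address or bad byte count
            skipped += 1
            continue
        usage[key] += nbytes
    return usage, skipped

def region_share(usage):
    """Percentage of all logged bytes sent to each region."""
    totals = defaultdict(int)
    for (_dev, region), nbytes in usage.items():
        totals[region] += nbytes
    grand = sum(totals.values())
    return {r: round(100 * b / grand, 1) for r, b in totals.items()} if grand else {}

def unexpected(usage):
    """Device/region pairs outside the device's baseline, largest first."""
    hits = [(dev, region, nbytes) for (dev, region), nbytes in usage.items()
            if region not in EXPECTED.get(dev, set())]
    return sorted(hits, key=lambda h: -h[2])
```

A device with no baseline entry has every destination flagged, so a newly connected gadget shows up in the report until someone decides what it should be allowed to reach.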
As the Internet of Things continues to evolve, the associated security challenges need to be resolved. As in our daily work life, these embrace key factors: Availability, Identity, Privacy and Security. Availability is concerned with ensuring that there is constant connectivity between end-points and associated services; Identity covers authentication at the end-points; Privacy is about reducing the potential of harm to end-users; and Security ensures that the overall system integrity can be validated, audited and monitored. These are all best-practice principles that will flow down from the workplace to make the connected home a safe and secure place to be.