SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
How safe are our IoT devices?
Wed, 29th Jan 2020
FYI, this story is more than a year old

It is certainly no secret that connected IoT devices are rapidly taking over the world. They are making their way into our homes in the form of smart televisions, media streaming devices, connected speakers, smart light bulbs and wall switches, talking fridges, printers, coffee machines, security cameras and a host of other devices. It is easy to see the appeal – they are fast, convenient, add a lot of functionality to a house and – at present anyway – are fun to have around.

But how safe are they really?

Research by internet security and antivirus company Avast has revealed that many devices are weakly protected, leaving them vulnerable to attack by hackers. OK, so one device in a house is vulnerable? Not a big deal really, right? This is more of a problem than it may seem, however. Once attackers have compromised one connected device on a network, they are “in” the network, and can access everything else as well – including more sensitive devices that contain personal information, such as the home PCs, phones and laptops. One weakly protected device can give hackers a pathway into anything they might want to attack on the network - and it is usually NOT the talking coffee machine.

Avast research has indicated that the humble printer is the most vulnerable connected device we tend to keep in Australian homes. Nearly a third of our printers are left exposed to hackers due to weak passwords. This is followed by network nodes and network attached storage (NAS), of which just under 20 percent are vulnerable.

Surely it is the duty of the manufacturers to make devices more secure at the point where they are produced, right? Well in fact, statistics reveal that of ALL the IoT devices manufactured around the world – and there are more than 26 billion at present, according to Statista  – 95 percent of them come from the same 5 percent of manufacturers.

This is a potential issue, in the sense that if just one element of a supply-chain is compromised, then it can have a flow-on effect in millions of devices. Many manufacturing and hardware vendors worldwide are actively looking to ‘harden' their cyber defences, and a big focus of this is the ability to know and oversee each step of the supply chain for a particular item. However, cost reduction is also a major issue for companies trying to remain competitive, so sourcing components from the cheapest suppliers around the world often results in vague or poorly-defined security practices at some point in the supply chain. This can leave components of a device more ‘open' than they should be, and therefore exposed to risk.

Devices are also often sold with a very basic level of encryption and weak standard passwords such as ‘admin' and ‘12345'. This makes set-up easier, which is a selling point for many connected devices, but of course means that they often stay on the network with the same weak passwords, connected to all manner of other devices which they leave exposed to attack.

Does this mean that all IoT devices are suspect, and should be treated with caution and suspicion? Certainly not. However, it does mean that consumers need to be more aware of the risks involved, and be more proactive in maintaining their own network security. This means changing those initial ‘set-up' passwords to something much harder to break. It means changing passwords at regular intervals as well, rather than the standard practice of ‘set and forget'.

Device firmware is also treated with the same pattern of behaviour, often updated at the point of initial setup, then left to fend for itself. Many devices have regular firmware updates which toughen up their cyber defences and provide improved functionality, but these often need to be applied individually, which requires the home-owner to proactively go into the device's web portal and update the software. Like most things in life, it seems like a good idea but generally just does not get done.

Setting up as many devices as possible on a central PC or server can help, as it provides an easy portal into each device, and if that device happens to have its own application then firmware updates are generally flagged and can be applied with a few button pushes. Updating passwords remains the main sticking point though, and needs to be done on a regular basis for optimal home network security. Making a database of all devices in the home, including their IP address, will help. Setting a regular reminder to check and update passwords is a good idea as well.

IoT devices are certainly here to stay, but if just one weak password can infect a whole network, it is vitally important to be proactive about maintaining them, and always stay mindful of the risks involved.