Back in prehistoric times, cave people must have gazed at a fire with wonder while thinking, “Is it safe?” The answer, of course, was “It depends.” Safety precautions are necessary for every new tool.
Today, if you use any kind of digital technology connected via wireless technology to the Internet, including cell phones, computers, pet webcams, thermostats or TVs, the likelihood is that you have heard the phrase “Internet of Things.”
The phrase “Internet of Things” reappeared during coverage of last week’s DDoS attacks on major websites, including Twitter, Amazon, Github, and Reddit. This post will explain what is the Internet of Things (IoT), and also ask if it’s safe.
What Is the Internet of Things?
The Internet of Things is a rapidly expanding network of objects with built-in Wi-Fi connectivity to the Internet. Many are everyday items. Others, especially ones in the work world, may connect communication between people and machines or from one machine to another (machine-to-machine or M2M).
Examples of M2M connectivity include a department store’s retail checkout system linking to its inventory or the HVAC systems of a campus connected to the individual office buildings and to environmental controls within specific offices.
The Security and Privacy Risks of IoT Devices
A car is a good example of a familiar yet complex everyday tool that may seem easier, safer and more efficient to use when fitted with high-tech tools such as GPS and IoT devices.
For example, IoT sensors within a car’s operating system can identify when it crashes or stops working. In combination with the geo-mapping abilities of satellite-connected GPS, IoT devices can help paramedics, police, fire departments and other rescue teams locate drivers and passengers who are hurt or stranded.
But in June 2016 Tech Insider noted, “As cars become more ‘connected’ with onboard WiFi, cellular connections, or smartphone apps, that opens them up to many more vectors for attack.” Reporter Paul Szoldra offers the example of the Nissan Leaf hack, in which a cybersecurity researcher remotely drained the electric car’s battery.
The Leaf’s former smartphone app interface was not password controlled. Instead, it only required knowledge of vehicle identification number (VIN) for gaining access to a Leaf’s battery, mileage record, and climate controls. Nissan dropped the app. But a password controlled system is nonexistent for the operating systems of many cars, which become vulnerable to security risks.
In a 2016 report to the Department of Commerce, The Federal Trade Commission (FTC) outlined the following concerns about the privacy and security of IoT-connected devices:
- Lack of available updates and security patches. The report says, “Although similar risks exist with traditional computers and computer networks, they may be heightened in the IoT, in part because many IoT chips are inexpensive and disposable, and many IoT devices are quickly replaceable with newer versions. As a result, businesses may not have an incentive to support software updates for the full useful life of these devices, potentially leaving consumers with vulnerable devices. Moreover, it may be difficult or impossible to apply updates to certain devices.”
- Devices with hard-coded passwords. “As IoT devices offer new opportunities for consumers to monitor their daily activities, access content, and interact with the world, these devices also create new opportunities for unauthorized persons to exploit vulnerabilities that can facilitate identity theft or fraud,” says the FTC.
- Unauthorized access and misuse of personal information. Researchers at the FTC found “the presence of numerous third parties in apps connected to IoT health and fitness wearable devices. A number of those third parties collected data such as persistent device identifiers, workout routines, eating habits, the length of walking stride, medical search histories, zip code, gender, and geolocation”. The FTC concluded that some IoT devices are capable of “collecting, transmitting, and sharing highly sensitive information about consumer’s bodies and habits.”
- Facilitating attacks on other systems. The FTC is concerned that IoT-connected devices can be used maliciously against the consumer to a launch denial of service attack (DDoS) or a phishing email.
- Device eavesdropping. The FTC also pointed out concerns that a manufacturer or an intruder could listen in on you remotely within your own home. This especially a big concern for devices with a microphone and camera-equipped devices.
8 Ways Consumers Can Secure High-Tech Devices
So what can consumers do to secure their digital devices against these security and privacy risks?
- Consumer Reports’ number one tip for securing IoT objects is protection with “unique and complex passwords.” It adds that “if you haven’t already done so, make sure to password protect the settings on your router as well as its Wi-Fi connection.” Use strong passwords for all Internet-connected devices, including baby monitors, coffee makers and webcams.
- Lock your home’s Wi-Fi network with a complex password and be careful not to share it with anyone outside your family.
- Be aware that many IoT objects begin service with generic default passwords that owners should manually change before putting the objects into use. Default passwords often are written into an IoT object’s source code and can be easily obtained by hackers.
- Install password manager software, such as Dashlane, on computers, tablets, and smartphones to store and easily access passwords to browsers, apps, and online banking. Dashlane can sync your credentials on all these devices and also help create strong passwords.
- Use two-factor authentication, which requires a password plus time-sensitive code sent by text message to your smartphone.
- Install antivirus and anti-malware software on computers and mobile devices.
- Frequently check for software security updates.
- Set Bluetooth connections on laptop computers and mobile equipment to “not discoverable” when in crowded places, such as airports, coffee shops and other public places where there is a risk of another user pairing with your device and hacking into it for information. Better yet, when not in use, turn off Bluetooth connections on your devices.