Matt Miller IoT Penetration Testing Home Security, IoT

IoT Devices in the Home

Today’s blog is just a quick update on home security. As a security professional, one of the most common questions I get from friends and family revolves around concerns they have from smart devices, or Internet of Things (IoT) devices, in their home. Should they be worried about their smart lock on their front door or the smart thermostat that has recently been in the news? Let’s just take a quick review of what you should do with IoT devices in the home.

The first thing to realize is that IoT devices are always constrained by one of three things: power, size, and cost. In general, these devices are made to be small, cheap, and often use batteries that don’t need to be changed constantly (like the door sensors as part of your alarm system). Additionally, like any new technology, IoT devices are usually rushed into production to be the newest and coolest thing on the market. As a result of these factors, security is often an afterthought if a thought at all for IoT devices in the home.

Luckily, this is starting to change. With the constant news coverage of IoT hacks, and increased attention from consumers, security is starting to be a priority. Additionally, the IoT Security Foundation, founded in 2015, is starting to gain traction, and is publishing all sorts of guidelines and best practices for IoT devices. Triaxiom has seen an increase in IoT Penetration Testing requests, which also shows an increased attention. So it looks like we are heading in the right direction, but there is still some cause for concern and there are a few simple steps you should take.

First, separate the IoT devices from the rest of your home network. Most, wireless routers have the ability to set-up multiple SSIDs these days. Some only have two, one designed for a guest network and one for a home network, but others, especially the more advanced ones, have the ability to set up as many as four. If you have the capability to use four SSIDs, for example, consider creating a dedicated IoT wireless network and placing all of your IoT devices on that SSID. If there are only two SSIDs, put the IoT devices on your guest network (bonus points if you can turn on client isolation). This way, if somehow one of the devices gets compromised, they are on a completely separate network from things your laptop and other sensitive devices.

Second, take a risk based approach. When I am considering a smart light bulb that is going to be on an IoT network, I do not particularly care if a hacker can access it. Although, it would be pretty creepy for it to randomly turn on. However, if I am buying a baby monitor or a smart fridge that I am going to integrate with my calendar, etc, I probably care a lot more. For the devices you care about or that can have a significant impact on your personal security, do some research. What steps have they taken for security? How do they protect your privacy? Do they support things like Multi-Factor Authentication? Here is a hint, if you are researching and not finding anything, assume there is no security!

Finally, keep an inventory of the devices and particular models you have, and periodically search for vulnerabilities associated with those devices or monitor public news sources. A quick google search for “Nest Thermostat Model Number XXXX Vulnerabilities” will show you any recent news coverage associated with that version and any security vulnerabilities that have been publicly disclosed. Again, for any vulnerability you find, go back to our risk based approach. How big of a deal is it to you?