A refrigerator that tells you there was a power outage — and whether it lasted long enough to spoil your food. Doorbells that show you who’s at the door, and allow you to communicate with them from across the country. Home medical devices that can collect data and transmit it directly to your doctor.
Present in countless applications, smart devices have begun to revolutionize the way we live and work. During Week 1 of National Cyber Security Awareness Month (NCSAM), we’ll be exploring the risks of unsecured smart/IoT devices and how to safeguard against them.
Smart devices are a subset of a larger group of internet-connected products known as IoT (Internet of Things) devices. These devices can be controlled remotely, usually through a smartphone app or webpage, and are capable of sending and receiving data without human intervention.
In the 20 years since the term was coined, the number of IoT devices has grown tremendously. According to Security Today, from 2018 through 2020, the number of IoT devices jumped from 7 billion to 31 billion, with 127 new IoT devices coming online each second.
By 2020, IoT technology is expected to be present in the designs of 95% of new electronics products. And over the next five years, the number of connected devices is forecast to climb to 41.6 billion and generate a mind-boggling 79.4 ZB of data. (For reference, the entirety of the World Wide Web, as it existed in 2009, was estimated to be less than half of one ZB.)
Smart devices are introducing conveniences that would have been unthinkable a decade or two ago — but they’re bringing with them a new set of risks that could endanger not only your privacy, but also your data, your other devices, and even other networks that you connect to.
For starters, there’s currently no standard for securing IoT devices — companies are free to put as much or as little security in their products as they want. When vulnerabilities are discovered, updates to address them are often never pushed out, leaving these devices open to exploitation.
However, there are a number of other risks related to the way people use these devices. Many users believe they don’t have the time or expertise to adequately secure their IoT devices — and that, because they’re not a large business or high-profile individual, they’re unlikely to be targeted.
But now that the number of people working from home has jumped from 7% to 62% due to the ongoing COVID-19 pandemic, this is an increasingly untrue (and dangerous) assumption to make. Cybercriminals increasingly see remote employees’ home networks — and especially poorly secured IoT devices that connect to them — as a back door to compromise corporate networks with lower chances of detection.
According to the mid-year update to the 2020 SonicWall Cyber Threat Report, IoT attacks were rampant in the first three months of 2020, with January, February and March each racking up more attacks than their 2018 and 2019 counterparts combined.
Through September 2020, SonicWall recorded 25.6 million IoT attacks — a total which, by year’s end, may grow to surpass the number of IoT attacks in both 2018 (32.7 million) and 2019 (34.3 million).
While you can’t necessarily avoid being targeted, you can greatly decrease your odds of compromise by taking a few simple steps:
- Safeguard Your Router. Routers that by default are accessible with a simple password like “admin” — or no password at all — are easy for cybercriminals to get into. This is especially true when the default Wi-Fi network name (or SSID) reveals the brand of router, allowing hackers to simply search for that brand to find the list of default passwords associated with it. Ditching these defaults will go a long way toward increasing security.
- Stay Up to Date. Many devices offer the option to receive updates for firmware, vulnerability/bug fixes and more automatically. If this option isn’t enabled by default, turn it on. In cases where updates must be done manually, make a note on your calendar reminding you to check for them on a regular basis.
- Buy from the Best. Stick with companies known for prioritizing security in their offerings. These established brands are also more likely to push updates and patch vulnerabilities.
- Be Password Savvy. Password protection is significantly less effective when you use the same email and password combo for multiple accounts. If any of these accounts are breached, you’ve put your entire online existence at risk — and in the case of IoT devices connected to corporate networks, your company’s existence at risk as well. With the advent of password managers, which assign a different password for each account and remember them for you, there’s no excuse to be lazy with credential hygiene.
- Leverage Two-Factor Authentication. With two-factor authentication (2FA), you’re offered the security of the traditional credential-based sign-in, plus an added layer of protection in the form of a code that is sent to a separate device and must be entered into the original app. With 2FA, even if the login credentials are compromised, the account won’t be accessible unless the attacker also has access to the secondary device.
- Divide and Conquer. Many popular routers feature the ability to create a secondary guest network, which can also be used for the purpose of isolating your usually-less-secure smart home devices (and the malware that might infect them) from your laptops, desktops, sensitive data and corporate network.
- Do I Actually Need This? No matter how secure a smart device is, it can never match the safety and privacy of a non-internet-enabled device. Before you purchase a new smart device, ask yourself if the increased risk is worth the additional convenience and features. If you’re likely to use the smart features only occasionally or not at all, opt for the non-smart device.
The network of connections created by the Internet of Things presents both opportunities and challenges for individuals and businesses. As NCSAM Champions, SonicWall encourages everyone to be smart about smart devices. It’s all part of owning our role in stopping cybercrime and ensuring the security of our home and corporate networks.