How you can protect your smart devices from cyberattack
Today’s digital products are ‘a computer hacker’s dream’ – leading to a huge rise in the online theft of personal documents, bank details and identity fraud
Digital home assistants do offer a lot of convenience.
You do not need to get off the sofa to adjust the lighting and can live greener by commanding appliances to activate only when you need them.
Yet what happens if your products using the Internet of Things (IoT) – the network of physical devices, vehicles, home appliances, and other items that are embedded with electronics, software and sensors which enables them to connect and exchange data – go rogue?
Recently a couple in the United States discovered that their Amazon Echo home hub, which uses Alexa software, had recorded one of their private conversations and sent it to an employee in the husband’s contact list.
Amazon later responded that “an unlikely string of events” had led to the error, and conceded that the device had misinterpreted the couple’s speech – as artificial assistants tend to do.
The conversation had been quite innocuous – a discussion about hardwood flooring, apparently – but imagine if it had been more of a personal nature.
Without having adequate privacy protection on devices that listen to every word – and sometimes have webcams as well – “people are booby-trapping their own homes,” Michael Gazeley, a Hong Kong-based cybersecurity expert, says.
Gazeley, managing director and co-founder of Network Box, a provider of internet threat prevention and security devices, compares the risk of cyber intrusion to leaving all the doors and windows open in your house.
“Every connection from your home network to the internet is a potential conduit for ‘the bad guys’ to enter your theoretically private sanctum,” he says.
“From the moment your home network is compromised, your personal documents, bank account details, family photographs, indeed anything and everything you store in digital form may also be compromised.”
The huge growth in smart device usage over the past few years has seen a corresponding explosion in cyber risk, Gazeley says.
“The bottom line is that each smart device is potentially another way into your home – another way to access your data, abscond with your money and steal your identity.”
Most IoT devices “are a hacker’s dream”, designed with consumer convenience in mind, but “with little or no thought for cybersecurity”, he says.
“Smart televisions, Wi-fi routers, multi-function printers, IP telephones [phones using internet protocol technology to make calls over the internet, rather than tradition landlines], connected refrigerators and even baby monitors not only have easy-to-guess passwords, such as username ‘admin’, password ‘1234’, but those that don’t still end up with their default login details searchable by Google – usually posted by the manufacturers themselves,” Gazeley says.
“If that isn’t disturbing enough, Shodan, the infamous search engine dedicated to finding internet-connected devices, can be used to find known IoT smart devices that have default passwords that cannot be changed at all.”
So, does this mean that consumers should avoid all smart devices?
“The short answer is ‘no’, because many of these devices are genuinely great improvements on their ‘dumb’ counterparts, and also because there are ways we can protect ourselves,” he says.
“The longer answer is that we should make sure we choose smart devices that can be easily and regularly updated, and have usernames and passwords that can be changed.”
To block both incoming and outgoing cyber threats, unified threat management (UTM) devices should be installed on all home and office network gateways, Gazeley says.
“CISCO, Check Point and, of course Network Box, are examples of systems that could be used.”
However, he warns that over the past few years there has been a trend to force cybersecurity vendors to put “back doors” into their products.
Gazeley says users should search on Google for the name of the brand of UTM they are thinking of buying, and the term “back door”, to see if it has had such known issues in the past.
“If a back door exists, and how to access it ends up on the Dark Web [the part of the internet accessible only through the use of special software, which allows users and website operators to stay anonymous or untraceable] then your firewall or UTM device may suddenly be rendered useless,” he says.
“Cloud-based” computing – involving the use of a network of remote servers hosted on the internet which store, manage and process data, rather than a local server or personal computer –, is now ubiquitous.
So, for those who work from home, protecting sensitive data stored in the cloud is a must.
This was emphasised in May when the FBI warned that Russian computer hackers had compromised hundreds of thousands of home and office routers worldwide and could collect user information or shut down network traffic.
Up to 56 per cent of professionals surveyed for the 2018 cloud adoption and security report, “Navigating a Cloudy Sky: Practical Guidance and the State of Cloud Security”, said they had tracked a malware infection back to a cloud application – up from 52 per cent in 2016.
View this post on Instagram
A post shared by McAfee (@mcafee) on Apr 27, 2018 at 1:58pm PDT
McAfee, a device-to-cloud cybersecurity company, which published the report, said: “Just over 25 per cent of the respondents said their cloud malware infections were caused by phishing, followed closely by emails from a known sender, drive-by downloads and downloads by existing malware.”
Grant Bourzikas, McAfee’s vice-president and chief information security officer, says anyone with a home office should use on-point security that is cloud enabled.
“In addition, if applicable, businesses need to educate any employees,” he says.
“It is important that multi-factor authentications, data encryption and patched auto-updates are turned on for any device.”
People working from a home office have the same needs as those in a larger organisation: to protect their data in rest and in transit, he says.
“It should always be encrypted – mostly because if an employee loses their IoT device, their emails and data are gone as well.
Additionally, if users work from a coffee shop or restaurant, a VPN – a “virtual” private network using encryption over the internet – will help.
“VPNs allow secure channels and protect from man-in-the-middle attacks and malware.”
McAfee has developed solutions for insecure mobile applications, Bourzikas says.
“For example, McAfee sees a trend of third-party apps being installed that take data and emails from employees’ phones,” he says. “So our solution will help to prevent that data loss.”
“In short, my advice is: keep it simple. Select a security vendor. Focus on the business. Let a security provider handle the data.”
Cybersecurity expert Nicole Eagan also advises that, in the age of artificial intelligence (AI), where cyberattacks are automated, merely putting up a firewall or other passive cyber protection mechanism may not be enough.
Ransomware outbreaks such as WannaCry, Petya and NotPetya are “machine-based attacks” that “move in machine speed says Eagan, chief executive of Darktrace, a leading AI cyberdefence company.
“[For adequate protection, companies] have to build a dynamic ‘immune system’ for their networks and consider people working from home.”
She says by using Darktrace’s proven AI to power real-time threat detection within the cloud, “organisations and individuals are identifying misconfigurations and emerging threats in a critical part of the digital infrastructure”.
The company’s latest Darktrace Cloud – an AI solution to protect the next wave of cloud computing models, applications and devices, was released in July.
10 tips to make your smart home more secure
Norton, the US company which provides antivirus and digital security software, has advice for improving the protection of your personal data.
1. Give your router a name The name the manufacturer gave it might identify the make or model. Choose an usual name not associated with you or your street address.
2. Use a strong encryption method for Wi-fi access In your router settings, a strong encryption method, such as WPA2 for Wi-fi network access, will help keep your network and communications secure.
3. Set up a guest network Keep your Wi-fi account private. Visitors, friends and relatives can log into a separate network that does not tie into your IoT devices.
4. Change default usernames and passwords Cybercriminals probably know the default password that comes with IoT products. Check that the device you are buying does allow the password to be changed.
5. Use strong, unique passwords for Wi-fi networks and device accounts Avoid common words that are easy to guess, such as “password” or “123456.” Consider a password manager to increase your security.
6. Check the setting for your devices If your IoT devices come with default privacy and security settings, consider changing them as these may benefit the manufacturer more than the consumer.
7. Disable features you may not need IoT devices come with a variety of services such as remote access, often enabled by default. If you don’t need it, disable it.
8. Keep your software up to date Mobile security is important, since you may connect to your smart home through mobile devices.
9. Audit the IoT devices already on your home network Check if newer models might offer stronger security.
10. Do the two-step Two-factor authentication – such as a one-time code sent to your mobile phone – can keep the bad guys out of your accounts.