As the Internet of Things (IoT) grows and more people adopt smart home technology, we need to think about balancing features and capabilities with cybersecurity. This blog covers a few devices and services that you might need to be aware of in order to protect your home, personal information or your organization.
Remote access is often seen as a convenience feature allowing easy access into your home network or your company’s private environment while you are out and about. Remote access can be used to unlock a door, set the A/C temperature, start the oven, or access your personal document files. However, enabling remote access for yourself also enables it for hackers. You are giving attackers a target point to attempt to breach your security and intrude upon your private network.
Seriously consider whether the convenience is worth the risk. If you still implement remote access, be sure to use a strong encryption system to protect both the initial connection authentication as well as all subsequent data exchange. Also, implement a multi-factor authentication scheme so a simple password attack will not be sufficient to breach your network.
Asset tracking allows you to keep track of where a device is located. This can be done by active or passive means using GPS or a wireless triangulation system. An active system allows the monitor to reach out to the device at any time to demand location information. A passive system waits for the device to call home to update the monitor with its location data.
Asset tracking might be a useful tool, but it might also violate your privacy. If your device, which you take with you everywhere, is tracking your location at all times, that information might become accessible to a boss, manager, co-worker, or outside attacker. If asset tracking is considered necessary, be sure to implement an auditing system that records who uses the tracking, and require multi-factor authentication to access the tracking data or trigger an active location event.
Mesh networks are an exciting technology. They may allow you to deploy more robust and flexible networks without having to implement as many anchor points (i.e. wireless base stations). Some smart home technologies have adopted mesh networking as a means to interconnect the smart devices. If the devices involved in a mesh network are not themselves independently secure and resistant to intrusion, remote control, or breach, then they could be a vulnerability point.
Often mesh network devices have a link into a primary network, such as your home wireless network. If a member of the mesh network is compromised, this could enable an attacker to access not only the other mesh network members, but also the devices on your private network. Be cautious about selecting mesh networking equipment. Stick with solutions that use encryption which is customized and unique to your implementation. Stay away from any systems which have preconfigured hard-wired network passwords or encryption codes. They do not provide robust security. If you are not convinced that the members of your mesh network are secure, then don’t connect the mesh network to your private network. Instead, provide the mesh network a separate networked path to the Internet which does not intersect your private network.
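One way to express the separate path described above, as an added example that is not part of the original post: an nftables forward-chain ruleset for a Linux-based home router. The interface names wan0, lan0 and mesh0 are assumptions, and address translation for outbound traffic is assumed to be configured elsewhere.

```nftables
# Added example: interface names are assumptions, adjust to your router.
#   wan0  = uplink to the Internet
#   lan0  = private home network
#   mesh0 = segment where the mesh network's gateway is attached
table inet mesh_isolation {
    chain forward {
        # Default-deny: traffic is routed between segments only if a rule allows it
        type filter hook forward priority 0; policy drop;

        # Allow replies to connections that were permitted to start
        ct state established,related accept
        ct state invalid drop

        # The mesh segment gets a path to the Internet only
        iifname "mesh0" oifname "wan0" accept

        # The private network gets its own path to the Internet
        iifname "lan0" oifname "wan0" accept

        # Anything the mesh segment sends toward the private network is
        # logged and counted before being dropped, so a compromised mesh
        # member probing the private side leaves a visible trace
        iifname "mesh0" oifname "lan0" log prefix "mesh-to-lan blocked: " counter drop
    }
}
```

Because the policy is drop and no rule permits lan0 to mesh0, the two segments cannot open connections to each other in either direction; if you need to manage mesh devices from the private network, add a narrowly scoped rule for that traffic only.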
Software flaws are in every program. Since humans are the ones who write code, errors are almost a guarantee. While vendors attempt to eradicate software flaws before releasing a product, they might not spend as much time and effort as the security community believes is prudent. Under pressure to meet release deadlines, beat a competitor to market, or stretch the funds available for quality assurance, vendors release code before it has been thoroughly scrutinized. Once a hacker discovers a bug or flaw in released code, they often craft an exploit to take advantage of that flaw. Then, it is only a matter of time before your is targeted. Hopefully the flaw or exploit will be discovered, and a patch made available and installed, before a breach takes place. Thus, you must be vigilant about keeping firmware, OS, and software patched, as well as selecting vendors with a reputation for higher-quality, secure code.
Devices with the ability to record or monitor physical world events and activities are known as cyber-physical systems (CPS). Whether monitoring your water usage, tracking your electricity, managing your HVAC system, brewing coffee, controlling your oven, monitoring your presence in a room, turning lights on and off, watering your yard based on rainfall, or responding to your voice commands, cyber-physical devices have an inherent risk of privacy violations. It is important to determine who has access to the data being collected by these devices. There are several questions you should ask. Is it only accessible to you, the immediate owner, or can the vendor access it as well? Is the collected data being aggregated by the vendor, and what are they doing with it? Is there an opt-in or opt-out option? Don’t implement a smart home mechanism until you are aware of the data it collects and what is done with that data.
One final thought is interoperability. With the explosion of new smart home and IoT devices over the last year, it is clear that many vendors are battling to be the dominant player. Many of these devices use proprietary connection technologies which are incompatible with devices from other vendors. If you install such a device, you may be locked into one vendor’s ecosystem of devices. If you have already implemented numerous devices from many vendors, you might not be able to use a single management or control system/interface/app. This can be frustrating, and it may encourage you to avoid implementing any new devices that would add to the lack of communication and interaction.
I would recommend that you survey the various vendors and consortiums. Many of them are beginning to adopt or create interoperability standards. Before you select your first IoT device, consider other devices you might have an interest in implementing in the near future and whether or not they are likely to interact with each other. If they do not currently have a standard of interoperability, you might want to wait until they do or select other devices that offer community interaction. What’s the point of a smart home if you need six or seven different control systems? Or if your HVAC does not communicate with your lights which do not interact with your home security system?
Implementing IoT devices and smart home solutions is more complicated than just purchasing a new microwave or television. It requires some consideration of use, communication, privacy, and security. Avoid buyer’s remorse by thinking carefully about every aspect of smart devices before you invest your time and effort.