Last week, security researchers warned that cyber criminals could exploit an Internet of Things (IoT) network, in this case smart light bulbs and their control bridge, to launch attacks on conventional computer networks in homes, businesses or even smart cities. Researchers from the cybersecurity firm Check Point discovered vulnerabilities in the Zigbee communication protocol as used by Philips Hue smart light bulbs, a marquee smart home device.
The research, carried out with the help of the Check Point Institute for Information Security (CPIIS) at Tel Aviv University, Israel, was disclosed to Philips and Signify (owner of the Philips Hue brand) in November 2019. Signify confirmed the vulnerability in its product and issued a patched firmware version, which is now being distributed via automatic update.
The smart bulb issue is not surprising given that the smart home market is ever-expanding: light bulbs, thermostats and doorbells, dishwashers and even front door locks are now connected to the Internet and form an integrated network. There were an estimated 14.2 billion connected devices in use in 2019, and by 2021 the total will reach 25 billion, according to Gartner. Each of these devices is a potential entry point for attackers and a source of data privacy concerns.
Yaniv Balmas, Head of Cyber Research, Check Point Research says, “It’s critical that organisations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware. In today’s complex fifth-generation attack landscape, we cannot afford to overlook the security of anything that is connected to our networks.”
A separate survey by Rambus finds that an estimated 80% of IoT devices are vulnerable to being hacked. Besides denial-of-service attacks, as in the smart bulb example, other forms of attack include the theft of personally identifiable information, which can arise from the loss of data generated by unprotected smart appliances.
There are privacy issues to contend with as well: an article by Techtree points out that smart assistants listen to conversations, and the data collected is analysed to construct detailed profiles of device owners so that advertisements can be targeted.
By implementing a few basic IoT security precautions, businesses can close the most common entry points into their networks.
From the vendor’s side:
- Every IoT device should come with a clear explanation of how any data created is transmitted, how and where it is stored and for how long.
- Every IoT device should make clear whether the data it creates is encrypted (and how), and who has access to the data and to the keys.
- IoT device makers should keep a record of which of the collected data they analyse or resell, even if anonymised, and of who it was sold to.
- Users of IoT devices should be able to see what data is being held and have the right to have it permanently deleted.
- All IoT devices should be capable of being automatically updated when bug fixes become necessary.
IoT Security for corporate and home users
- Businesses should establish and enforce procedures to change the default password on every IoT device on the network, and rotate those passwords at periodic intervals.
- Separating the corporate network from vendor-managed and unmanaged IoT devices, using access control lists or dedicated network access ports, is essential. Such devices include HVAC systems, security cameras, temperature controllers, electronic signage, smart televisions and network-connected lighting.
- Prevent IoT devices from communicating with the Internet unless absolutely necessary. Doing so closes a potential backdoor into your network and notably reduces the risk of an IoT security breach. Where a device does need Internet access, for example to receive firmware updates, restrict it to the vendor's update and cloud endpoints rather than allowing unrestricted egress.
- Companies should control which vendors are allowed remote access to IoT devices. When remote access is absolutely necessary, ensure that it goes through the corporate VPN solution. Companies should also designate a staff member responsible for monitoring the remote access solution on a daily basis.
- Implement a Network Access Control (NAC) solution. A NAC solution with proper switch and wireless integrations can help an organization improve IoT security by detecting most devices and identifying rogue connections to the network.
- Run an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) on the network, and update its signatures regularly so that known attack patterns are caught. Many IDS/IPS solutions will also flag communication with known malicious destinations.
- Ensure proper management of all IoT devices. An inventory will ensure that remotely managed devices are catalogued, with records detailing registration, configuration, authentication and other pertinent device data. Firewall rules should be derived from, and kept consistent with, that inventory.
- Remove unsupported operating systems, applications and devices from the network. For example, Microsoft no longer patches Windows XP or Windows 7; likewise, if a device's vendor has gone out of business or no longer provides updates for it, the device should not be connected to the network.
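Several of the controls above (default credentials changed, IoT kept off the corporate segment, Internet egress limited to vendor endpoints, unsupported devices removed) can be checked offline against the device inventory and the flow records a NetFlow/IPFIX collector or firewall already exports. The script below is an added example written for this page; it is not from the article, Check Point, Signify or any vendor tool. The address ranges (10.10.0.0/16 for corporate, 10.99.0.0/24 for the IoT VLAN), the device names, the vendor endpoint 203.0.113.7 and every flow record are constructed for illustration.

```python
"""Offline audit of an IoT inventory and exported flow records against the
controls above: default credentials changed, IoT devices kept off the corporate
segment, Internet egress restricted to allowlisted vendor endpoints, and
unsupported devices removed. All address ranges, devices, endpoints and flow
records are constructed for this example."""
import ipaddress
from dataclasses import dataclass, field

# Assumed network plan: corporate users on 10.10.0.0/16, IoT on its own VLAN.
CORP_NET = ipaddress.ip_network("10.10.0.0/16")
IOT_NET = ipaddress.ip_network("10.99.0.0/24")
INTERNAL_NETS = (CORP_NET, IOT_NET)


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    vendor_supported: bool            # vendor still ships firmware fixes
    default_password_changed: bool
    # External IPs the device may talk to (e.g. the vendor's update service);
    # empty means the device has no business on the Internet at all.
    internet_allowlist: frozenset = field(default_factory=frozenset)


# Constructed inventory. 203.0.113.7 stands in for a vendor update endpoint.
DEVICES = [
    Device("hue-bridge", "10.99.0.10", True, True, frozenset({"203.0.113.7"})),
    Device("lobby-signage", "10.10.5.20", False, False),   # on the wrong VLAN
    Device("hvac-controller", "10.99.0.30", True, True),
]

# Constructed flow records as (src_ip, dst_ip, dst_port), in the shape a
# NetFlow/IPFIX collector or firewall log would export.
FLOWS = [
    ("10.99.0.10", "203.0.113.7", 443),   # bridge fetching updates: allowed
    ("10.99.0.10", "10.10.1.5", 445),     # bridge poking at a corporate host
    ("10.99.0.30", "198.51.100.9", 80),   # HVAC talking to an unknown host
    ("10.10.1.5", "10.99.0.10", 80),      # corporate user managing the bridge
    ("10.10.5.20", "10.10.1.8", 22),      # misplaced signage reaching a server
]


def audit_inventory(devices):
    """Static checks: credentials, segmentation, vendor support."""
    findings = []
    for d in devices:
        if not d.default_password_changed:
            findings.append((d.name, "default-credentials"))
        if ipaddress.ip_address(d.ip) not in IOT_NET:
            findings.append((d.name, "not-on-iot-vlan"))
        if not d.vendor_supported:
            findings.append((d.name, "unsupported-device"))
    return findings


def audit_flows(devices, flows):
    """Flag IoT-sourced traffic into the corporate segment, or to the Internet
    beyond each device's allowlist. Traffic originating on the corporate side
    is not this check's concern, and IoT-to-IoT traffic inside the VLAN is not
    flagged here."""
    by_ip = {d.ip: d for d in devices}
    findings = []
    for src, dst, port in flows:
        device = by_ip.get(src)
        if device is None:
            continue                  # source is not an inventoried IoT device
        dst_addr = ipaddress.ip_address(dst)
        if dst_addr in CORP_NET:
            findings.append((device.name, f"iot-to-corporate:{dst}:{port}"))
        elif (not any(dst_addr in net for net in INTERNAL_NETS)
              and dst not in device.internet_allowlist):
            findings.append((device.name, f"unexpected-egress:{dst}:{port}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_inventory(DEVICES) + audit_flows(DEVICES, FLOWS):
        print(f"{name}: {finding}")
```

The allowlist is deliberately per device rather than global: the bridge that needs the vendor's update service does not thereby entitle the HVAC controller to reach the same host, and a device with an empty allowlist is expected to generate no Internet traffic at all. The "internal" test is written against the explicit corporate and IoT ranges rather than Python's `is_private`/`is_global` flags, because those flags classify the RFC 5737 documentation ranges used in the sample data (203.0.113.0/24, 198.51.100.0/24) as non-global and would silently hide the egress findings.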