Internet-connected “Things"

The phrase “the Internet of things” (IOT) has gained currency over the past several years as more devices aside from traditional computing devices ​are being connected to the Internet. The term was coined in a 1999 presentation on the use of radio-frequency ID (RFID) chips to track items in the manufacturing and delivery process. Since then it has become a major issue in technology circles and a subject of much concern regarding the security implications of such Internet-connected "things."

Many appliances and other devices are connected to
the Internet now, primarily in order to provide for remote control and/or monitoring. Common examples include security cameras, thermostats, door locks, automobile systems, medical devices, and home lighting control systems (indeed, whole-house control systems). The Nest thermostat (and later smoke detector and cameras) was perhaps the first highly-visible and widely-known Internet-connected “thing,” and its popularity helped bring the issue of IOT to the forefront of attention in technology (IOT was at the peak of Gartner’s “hype curve” in 2014). The security of these devices is of concern, as vulnerabilities in medical devices and cars have been revealed over the past year, raising alarm at the potential for real-world harm from IOT security problems (not to mention creepy tales of hacked baby monitors.)

The problem of security for the IOT is primarily on the shoulders of the creators of these items at this point, to build better security into their products. But there are some steps you can take to improve the security of your “things":
  • Where IOT devices have dedicated passwords, ensure that you set a unique and strong password.

  • Most IOT devices use Wi-Fi; ensure that your Wi-Fi is set up securely.

  • Read the instructions to see if there is a process for updating the software on your “thing,” and check for updates.

  • Read up on products before buying, specifically checking for reported security issues.

  • Consider implementing a virtual private network (VPN) and accessing your “things” in that way rather than allowing them to be contacted through your firewall.

  • Consider placing your IOT devices on a separate Wi-Fi network firewalled off from your general-purpose network (may require using a separate Wi-Fi access point, or an advanced access point that supports multiple networks).

Comments

Post a Comment

Popular posts from this blog

Weekly Infosec News Brief: 14-20 March

Image
Major Media Websites Caught up inNew Malicious Advertising Attacks Last week multiple major advertising networks, including Google's DoubleClick, AppNexus, Rubicon, and AOL were abused by attackers to serve up malicious advertisements on major media sites. These malicious advertisements were redirecting to the "Angler" exploit kit, which uses multiple means to attempt to compromise a browser and install malware. While such malicious ads are common on smaller websites, they are not unheard-of on major media sites. This outbreak, however, was unusually large and long-lived, lasting at least the better part of two days. Given how common malicious web ads are, some security experts are recommending the use of ad blocking technology in web browsers. http://www.computerworld.com/article/3044565/security/advertising-based-cyberattacks-hit-bbc-new-york-times-msn.html Malicious Macros in Word Documents Used to Install Malware with No Files Needed Everything old is new a
Read more

Weekly Infosec News Brief 20-26 July

Image
FBI Sees Massive Increase in Espionage, Including Industrial Espionage, Against the US The FBI on Thursday issued a press release discussing what they believe is an increasing threat of economic espionage against US companies. They estimate that such espionage may cost the US as much as "hundreds of billions" of dollars a year. This espionage is not just directed against large industrial companies, but any place where trade secrets and innovations might be found, including third-party organizations (e.g. business partners, vendors, consultants, lawyers, etc.) affiliated with targeted companies. A key take-away is that the threat is more widespread than most people think, and that few organizations are immune. https://www.fbi.gov/news/pressrel/press-releases/fbi-announces-economic-espionage-awareness-campaign http://www.cnn.com/2015/07/24/politics/fbi-economic-espionage/ Microsoft Releases Out-of-Cycle Patch for Critical Font Driver Bug A flaw uncovered in connecti
Read more

Critical Vulnerability Discovered in IIS 6.0 Web Services

Image
IIS 6, the version that runs on Windows 2003 Server, was revealed this week to have a serious vulnerability that could allow an attacker to run malicious code on the server. The vulnerability has apparently been known to some malicious groups for some time, as attacks exploiting this vulnerability have been observed as far back as summer of 2016. But last week a proof-of-concept exploit for the vulnerability was posted to GitHub, bringing public attention to the problems and providing potential attackers with a head start on developing their own exploit code.  That is likely to take this from a secretive exploit used by a few actors to one that will be widely used by many attackers, meaning anyone running a vulnerable server is a likely victim. Vulnerability announcements are common, but this one is especially problematic for several reasons: IIS 6.0 is a part of the Windows 2003 Server operating system, which aged out of support from Microsoft almost two years ago. There are an
Read more