If you’ve ever visited Phoenix during the summer, you know it’s hot. The kind of hot that can run your electricity bill through the roof if you like to keep the inside of your home habitable. My role at SiteLock takes me out of town on a regular basis, which means I don’t spend a lot of time at home and don’t necessarily need to cool it while I’m away. Why not give the air conditioner a rest, go a little greener, and save some money in the meantime? For many, that’s easier said than done. We have a tendency to forget to change the thermostat before leaving and end up with a stomach-turning electricity bill at the end of the month. Now, you could consider using a programmable thermostat, but if your schedule isn’t exactly static, it might not be the perfect fit. Most of the time I don’t even think about the thermostat until after I’ve landed in another city. It sure would be nice if I could set my thermostat remotely. I’ve decided it might be time to consider letting the Internet of Things (IoT) into my home.
If you’re anything like me, you don’t like the idea of networked appliances. Growing up in the era of Terminator’s Skynet, I’ve never really let go of that mistrust for networked devices. For me, add to that a career in the cybersecurity industry where I’ve seen hackers pull off some pretty innovative things.
The majority of us enjoy gadgets that bring futuristic features into our everyday lives. Even those on the fence have begun to embrace IoT timepieces and vehicles. In my case, my home leans a little more Michael Faraday than George Jetson so security in such a complex device is important to me.
At this point we can probably concede that much of our discomfort with networked appliances is somewhat unfounded, and if properly researched, you can probably find the IoT device that fits your security criteria. If you’ve decided that it’s time to let the IoT into your home, here are some things you should be asking before making a purchase.
How long has the vendor pledged to provide updates?
One of the biggest concerns I hear and share is that the manufacturer may suddenly discontinue development of updates. The problem with many consumer electronics is their planned obsolescence. It seems like every month there’s some new cutting-edge technology that out-modes a device you’ve recently purchased. How long will it be before the manufacturer decides that you’ll need to buy the new version in order to continue getting updates? Ask.
Does it work without internet?
One of my biggest peeves about IoT devices is when they aren’t able to function without internet. It may seem far-fetched to imagine that your refrigerator would refuse to cool your groceries if you didn’t provide it with internet, but I’ve actually seen many devices that will go into a setup mode when the internet is disconnected and limit their original functionality. If you’re not going to use a particular feature, make sure you can turn it off.
What kind of data is collected?
You may not be particularly fond of the idea that your thermostat knows when you’re home and communicates that to the cloud (i.e. someone else’s computer). However, since it’s not a stretch to assume that, like most of suburban America, you’re probably not home during weekday working hours, it seems like a small concession. What you should be most concerned with is how much personally identifiable information flows through the device to a server out on the internet.
If the device has email capabilities, can they be turned off at the source?
There’s been an interesting trend erupting in IoT appliances, like refrigerators and coffee makers, where the device has been commandeered for the purposes of sending spam email. That’s right, the next time you get an email from your international prince friend, you might want to question the blender.
If you’ve already made a purchase, here are tips to help you stay secure.
Change the default password.
There are websites that serve no other purpose than to list insecure IoT devices (e.g. those using default username/password combinations). The last thing any of us want is a stranger eavesdropping on the family baby monitor. Shockingly, this is happening every day.
Always keep the device updated.
You may want to consider enabling patch notifications in lieu of automatic updates so that you can review the patch notes from the provider prior to installing, in case data collection policies or methods have changed. There have also been some edge cases where over-the-air (OTA) updates were pushed by an unauthorized third party, so make sure your device is only able to retrieve updates from an authorized provider.
Utilize restriction options in your router/firewall to give the device minimal access.
As I mentioned, it is important to make sure the device can only communicate with parties that you have approved. Your router or network firewall will likely have options to help you do this. Some routers even allow for a guest network to be configured that is separate from the main network. If your router is able to do this, you should strongly consider using it to establish a demilitarized zone (DMZ) for your IoT devices.
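One way to check that the restrictions are holding is to audit the connections your router logs for the device, covering the update-source, email and network-separation points above. This is an added example, not from the original article; the subnets, hostnames and log layout are constructed placeholders, and real router logs will need their own parsing.

```python
import ipaddress

# Assumed addressing (placeholders): main network and a separate IoT/guest network.
MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
MAIL_PORTS = {25, 465, 587}

# Destinations you have approved per device, as (hostname, port). Names are made up.
APPROVED = {
    "192.168.50.10": {
        ("updates.thermostat-vendor.example", 443),
        ("api.thermostat-vendor.example", 443),
    },
}

# Constructed flow log, one connection per line: source, dest IP, dest name, dest port.
SAMPLE_FLOWS = """\
192.168.50.10 203.0.113.7 updates.thermostat-vendor.example 443
192.168.50.10 198.51.100.25 mx.mail-relay.example 25
192.168.50.10 192.168.1.20 - 445
192.168.50.10 203.0.113.9 api.thermostat-vendor.example 443
192.168.50.10 203.0.113.7 updates.thermostat-vendor.example 80
"""


def audit_flows(text, approved=APPROVED):
    """Return (source, destination, port, reason) for every flow outside policy."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        src, dst_ip, name, port = parts[0], parts[1], parts[2], int(parts[3])
        if ipaddress.ip_address(src) not in IOT_NET:
            continue  # only audit devices on the IoT segment
        if ipaddress.ip_address(dst_ip) in MAIN_LAN:
            reason = "reaches main network"
        elif port in MAIL_PORTS:
            reason = "outbound mail"
        elif (name, port) not in approved.get(src, set()):
            reason = "destination not approved"
        else:
            continue
        findings.append((src, name if name != "-" else dst_ip, port, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

Each finding maps to a router rule to add: block the IoT network from the main network, block outbound mail ports, and allow only the approved hosts and ports.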
Turn off Universal Plug and Play (UPnP).
UPnP is a nice convenience feature, but please turn it off. Set up your device, get it running the way you want to, and turn off UPnP. Forgetting to turn this feature off can expose your device to the entire world and you might find your device on one of those IoT eavesdropping websites I mentioned earlier.
If you’ve made it to the bottom of our checklists and you’re still feeling good about your new IoT device, you’re probably in good shape. While there are no guarantees in security, being informed and applying what you learn can significantly decrease the chances of unwanted circumstances.
Have an interesting IoT story? Tweet us at @SiteLock and share!