• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Ed Cabrera
    • Rik Ferguson
    • Greg Young
    • Mark Nunnikhoven
    • Jon Clay
    • William “Bill” Malik
  • Research
Home   »   Internet of Everything   »   IoT Device Security At Home

IoT Device Security At Home

  • Posted on:September 20, 2017
  • Posted in:Internet of Everything, Security
  • Posted by:
    William "Bill" Malik (CISA VP Infrastructure Strategies)
0
What do security vulnerabilities mean for the IoT?

 

My girlfriend read something that worried her about the security risks posed by Internet of Things (IoT) devices at home. She had recently purchased a new TV, and she has an older home security system. She asked if her privacy might be at risk.

We talked about the kinds of problems an unprotected home network can cause.

 

 

These include, in no particular order:

  • Compromised cable modems can give unauthorized Internet access
  • Malware-infected PCs can reveal personal information and passwords to financial applications
  • Infected PCs and IoT devices can host bots, launching DDoS attacks, spam, and fake social media posts
  • Hijacked storage (as on smart TVs) can store stolen data
  • Compromised home sensors reveal occupants activities and absences
  • Compromised sensors can post false usage, increasing utility bills
  • Subverted monitors can let dysfunctional individuals blurt hate speech into the home

We decided to run an informal audit.

First, we looked at the cable modem. Built in 2004, it had no available updates. We contacted the internet provider and ordered a replacement. It arrived after a week or so. The new device was manufactured in 2015, so the first thing we did was update its firmware – there were cumulative updates outstanding. We turned off “SSID broadcast” and set up the “guest” network. Next, we moved the IoT devices from the primary network to the “guest” network so they could not communicate among themselves or eavesdrop on the active devices.

We looked at what was talking to the network, and found over a dozen more devices:

1. The smart TV

2. A wireless printer

3. Her laptop and mine

4. Her phone and mine

5, A desk-side machine used as a media server

6. The home security system:

  • Motion detectors
  • Video cameras
  • Sensors monitoring carbon monoxide, water in the basement, and smoke

7. The remotely-readable electric meter

The smart TV was recent, so patching was simple. Ditto for the phones and PCs, although some phone manufacturers are better than others providing timely patches. The printer took updates from the manufacturer’s Support site: Drivers and Downloads. The home security system has proved to be a bigger challenge. The vendor is moving a bit slowly providing the most recent capabilities. It may be enough to consider switching technology.

Are we safe? We are safer. We do not enable Bluetooth, so the BlueBorne vulnerability will not affect us. The electric meter is outside our control, which is a problem. It could reveal when the house is empty. My car is “e-chatty,” but not with her home systems. Her car is older and does not chat with any external networks.

Homeowners should know what they have in their homes, and keep it secure. What should a homeowner do?

  • Identify all devices that connect to the Internet from your home.
  • Make sure they have current software patches.
  • Limit access to these devices from the internet.
  • Isolate them so they cannot communicate with one another, or scan your home network.
  • Set your cable modem or router to minimize inappropriate traffic.
  • Do not broadcast your SSID.
  • Use the “guest” network to isolate your active systems from passive IoT devices
  • Change the default passwords to your devices (you can change them back by resetting the device, if you need to).

Protect yourself against malware. Do not click on suspicious email attachments or links. Use long passwords. NIST has reversed its earlier guidance about complex passwords (upper case, lower case, special characters). Instead, use a long easy-to remember password such as “largelightening884” – the one from an older router I once had. Do not use that one. Finally, use a cross-generational security suite that provides layered protection. Trend Micro makes one.

Let me know what you think! Post a comment below or tweet me: @WilliamMalikTM.

Related posts:

  1. Finding a Better Route to Router and Home Network Security
  2. My Photos Are Gone! How to Protect Your Home Network
  3. Keep Your Smart Home Safe: Here’s What You Can Do Today to Secure Your Products
  4. Securing the smart home

Security Intelligence Blog

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits

Featured Authors

Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Ransomware is Still a Blight on Business
Greg Young (Vice President for Cybersecurity)
Greg Young (Vice President for Cybersecurity)
  • Not Just Good Security Products, But a Good Partner
Jon Clay (Global Threat Communications)
Jon Clay (Global Threat Communications)
  • This Week in Security News: Ransomware Gang is Raking in Tens of Millions of Dollars and Microsoft Patch Tuesday Update Fixes 17 Critical Bugs
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • Twitter Hacked in Bitcoin Scam
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • The Sky Has Already Fallen (you just haven’t seen the alert yet)
William
William "Bill" Malik (CISA VP Infrastructure Strategies)
  • Black Hat Trip Report – Trend Micro

Follow Us

Trend Micro In The News

  • Trend Micro Offerings Are FedRAMP Authorized and Available on AWS
  • Fujitsu and Trend Micro Demonstrate Solution To Secure Private 5G
  • Trend Micro Receives 5-Star Rating in 2021 CRN® Partner Program Guide
  • Smart Factory Cyber Attacks Knock Out Production for Days
  • Eliminate Hesitations: Security Simplified For Those Building In The Cloud
  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.