How to Secure Your IoT Devices

Credit: Chesky/Shutterstock — (Prototype credit: Chesky/Shutterstock)

My friend Diane received a fitness tracker for Christmas. Information technology's the same model I use. Since the holidays, Diane has emailed me every other twenty-four hours with questions most her new gadget, trying to figure out its nuances.

There was 1 question she didn't ask, nonetheless, and it may have been the most of import ane: Is it safe to transmit data between the fitness tracker and her smartphone?

MORE: Why It's Easy to Hack IoT Devices

For this particular model of fettle tracker, syncing information technology with a phone or computer isn't necessary unless you want to calculate a lot of extra data. That's one of the principal reasons I use this one instead of another model.

But for many fettle trackers, data transmission to another device is essential if you lot want to know how many steps you've taken, or how many calories you've burned, considering those trackers don't have their own displays.

With that abiding flow of data between devices comes security and privacy risks. Smartphones oftentimes leak personal information — and there's no reason to call back wearable devices such equally fitness trackers and smartwatches are whatsoever different.

IoT Security Risks

My friend was one of millions of Americans who received a holiday gift that could be classified under the general augury of the Cyberspace of Things (IoT) — fitness trackers, smartwatches, home security systems and then on. If information technology is not a computer, smartphone or tablet, but even so connects to the Internet, information technology fits the description. Yet about of u.s. don't recollect twice virtually the security risks such devices pose.

Most of the states sympathize that when we log on to our computers to cheque e-mail or work online, there is always a security chance. You could accidentally open a malicious zipper or come upon a drive-past download due to embedded malware on a favorite website. Smart computer users accept taken precautions against these risks past installing antivirus and security software.

What many of us don't realize, withal, is that the devices that make up IoT are equally at chance for a security threat.

"As connected consumer devices become more powerful and gain more than capabilities, they will get more bonny targets for malicious actors looking to exploit these capabilities," said Rob Sadowski, managing director of engineering science solutions at RSA in Bedford, Massachusetts. "For instance, we have already seen attacks exploit vulnerabilities in consumer routers for use in DDoS attacks and consumer NAS [network-attached storage] devices for illicit cryptocurrency mining."

Unfortunately, just as the risks involving IoT have never been greater, security on these devices tends to be an afterthought, if information technology is even considered at all.

"Many vendors in the IoT infinite seem to have piddling or no concern regarding the safety and security of their customers," said Craig Young, a security researcher with Tripwire in Alpharetta, Georgia.

The government seems to agree. But this month, the Federal Trade Commission released a long report urging IoT device makers to "build security into their devices at the outset, rather than as an afterthought" and recommending that Congress pass laws mandating consumer notification of IoT-device security flaws.

Accept smart domicile hubs, for instance, which permit homeowners automate their electronics and their overall security. Young warned that these hubs tend to come with a lot of risks. For example, one of the top-selling dwelling house-automation hubs — Young wouldn't say which one — currently ships with a deprecated version of firmware that contains numerous publicly known vulnerabilities, equally well as a handful of new vulnerabilities.

"Despite these serious security problems," Young said, "the vendor has not updated the firmware in this device for over a year, even though they accept since adult a somewhat less vulnerable firmware. Even worse, the vendor has stated they have no intention of encouraging their users to upgrade."

How to Be Smart Most Your Smart Devices

Any homeowner who receives a smart domicile hub as a gift, or buys ane outright, should have every possible security precaution with the device. He or she should modify the default password, check for secure configurations, make sure that the dwelling Wi-Fi organization is securely protected and, terminal but not to the lowest degree, bank check the device manufacturer's website to come across whether patches or firmware updates are bachelor.

Many of the wearable devices received this holiday season crave a Bluetooth connection in order to sync the data with a smartphone, but yous might desire to reconsider leaving that connection open up.

"For Bluetooth-enabled devices, it's best to turn off Bluetooth when it'due south not beingness used," said Michael Kaiser, executive director with the Washington-based National Cyber Security Alliance. "It can save your battery a chip, besides. This will non let other Bluetooth devices to pair with your system or access your device."

More than: How to Secure Your (Easily Hackable) Smart Home

Of form, at that place would be no Internet of Things without the Internet. Owners of IoT gadgets need to follow the same basic security protocols they would employ on their computers.

"All consumers should take the time to look at the available security features for their device and enable them immediately," said Chris Czub, security inquiry engineer at Duo Security in Ann Arbor, Michigan. "Things such as passcode lockout or fingerprint-controlled access, while not perfect, are important for controlling who has admission to your device."

Czub recommended that dwelling routers accept strong, unique access passwords and apply the WPA2 security protocol. If your router is still uses the older WEP protocol, with your dog's proper name for the countersign, and then you're putting your home network at risk.

Private devices should have admission passwords as well, he added. You lot don't want a teenager halfway around the world to hijack the Webcam trained on your baby'south crib. If in that location's no obvious password to a device, ask its manufacturer whether one tin exist enabled.

Finally, owners of smart devices should keep checking for patches and updates on the manufacturers' websites, Czub said. Many IoT vendors haven't nailed down processes for automatically delivering trusted patches. Some devices may not fifty-fifty exist capable of beingness patched, or may require manual installation of patches. Regardless, keeping all devices (including smartphones, computers and routers) up-to-engagement is one of the easiest ways to forbid vulnerabilities from affecting you lot.

The bottom line is that consumers need to recall of, and treat, IoT devices as they would any other computing devices on their networks. If it tin connect to the Internet, it can exist hacked or compromised. Only similar your computer, your new device — even that fitness tracker — needs to be handled with proficient security practices from the moment you first turn it on.