How to Secure Your (Easily Hackable) Smart Home
As more devices and appliances with Internet capabilities enter the market, protecting those devices from hackers becomes critical. Unfortunately, many of these non-computer, non-smartphone devices — from toilets to refrigerators to alarm systems — weren't built with security in mind.
So what can someone who's already bought one of these devices do? When it comes to the so-called Internet of Things and the connected home, it's best to proactively secure the home network. There is no antivirus software for a smart TV, but you can protect your Wi-Fi network so hacking the TV doesn’t become a backdoor into your home.
The risks of the Internet of Things
The Internet of Things is a catchphrase referring to commonplace devices and appliances — such as thermostats, automobiles and refrigerators — that are connected to the Internet. It also includes Internet-connected "wearable" devices, such as fitness bands or Google Glass. The market for Internet of Things devices will hit $7.1 trillion by 2020, according to estimates from analysis firm International Data Corp.
Connecting everyday devices to the Internet seems like a great idea, but users need to be mindful of the risks, warned JD Sherry, vice president of technology and solutions at Tokyo-based antivirus-software maker Trend Micro.
"No one is going to keep the door to their house unlocked," Sherry said. "You need to think [the same way] about the appliances on your network."
MORE: Best PC Antivirus 2014
For example, fitness bands that monitor the wearer's location could give hackers details about daily routines and patterns. So could alarm systems that can be remotely accessed via smartphone apps. Burglars could use data stolen from either type of device to know when to break into homes while residents are away.
The good news is that many people already think about protecting their data, according to a survey of 1,801 tech-savvy homeowners in 11 countries conducted for network-security provider Fortinet.
In the "Internet of Things: Connected Home" survey, the results of which were released in June, 70 percent of respondents said they were somewhat or extremely concerned about the prospect of a data breach as a result of connected appliances.
Protecting the perimeter
What do Internet of Things devices have in common? They are all somehow connected to a network. Networking infrastructure is what makes the Internet of Things possible, and as more types of devices get assigned Internet Protocol addresses, it becomes even more important to stick to network-security basics.
"The sad part is that protecting the device itself is near impossible," said Christopher Martincavage, a senior sales engineer at cloud-security company SilverSky. "Consumers need to focus on their perimeter and do the basics."
First, accept that "you will be compromised," Sherry warned, adding that users should lock down as much as they can and invest in fraud monitoring and identity protection.
The Internet of Things is not a case of "just connect and you are done," Sherry said.
How to make your connected home more secure
Here are some steps to protect your home network and the gadgets connected to it.
Secure the wireless network. The old Wired Equivalent Privacy (WEP) protocol is still widely used, but it is weak and easily compromised. Make sure the home wireless network is instead protected by the Wi-Fi Protected Access II (WPA2) protocol and a strong, complex password.
Give your Wi-Fi network an obscure name, or SSID, that doesn't give attackers personal information they can use in social-engineering attempts. For instance, don't call it "[Your Name] House." Instead, call it something random, such as "FBI Surveillance Van."
Disable guest network access entirely, and to be strict about who — or what — can get on the network.
Create two different Wi-Fi networks if your router can handle multiple SSIDs. Trey Ford, global security strategist at security company Rapid7, suggests one network for computers, tablets and smartphones used for online banking, shopping and general Web activity; another network can be for smart devices.
Good password management is essential. Neither network equipment (such as routers and switches) nor newfangled gadgets (such as smart TVs) should use default factory-set administrator passwords. Change each admin password to something suitably strong and complex, and regularly change them going forward. When possible, usernames should be also changed to make it even harder for attackers to brute-force their way in.
Firewall the network, either with a stand-alone appliance or software that ships with the router, to restrict incoming connections.
"Every home with an Internet connection should have [a firewall]," Martincavage said.
Most networked IoT devices include information about the ports, network protocols and IP addresses used in the owner's guide or the support website. Set the firewall to allow traffic on those specific ports and no others. Port restrictions will cut down on opportunistic network-probing attempts.
"If [devices] require a wide-open access to, or from, the Internet, beware!" Martincavage said.
Install a unified threat management appliance (UTM) if you have a highly-connected home, Martincavage suggested. It will handle intrusion detection and prevention, manage the Internet gateway and provide network antivirus protection.
A good UTM — small-business models start at about $300 — will have signatures and countermeasures to detect and stop the more common network entry points that attackers will use, Martincavage said.
Security tips beyond the network
Once the network is secure, examine each IoT device you own— and what it is doing. Disable remote-management access and other powerful network tools if they won't be used.
Perhaps your car lets you connect to Facebook. If you don’t plan to check your Facebook page while driving, don't hand over your credentials to set up the connection. Use your phone instead — it's safer.
Install security software wherever possible, such as on mobile devices used to control IoT devices. If attackers can access a smart garage-door opener or a smart thermostat via a malicious Android app instead of by hacking the device directly, they will go with the easier option.
Check manufacturers' websites for firmware updates on a regular basis, as Internet of Things companies can be slow to patch vulnerabilities and push out updates. Install each update right away. Updating the firmware is particularly important for networking gear such as firewalls and routers.
Pay attention to brands. Consumers expect smart-device vendors to take proper steps to secure the platform, Martincavage noted. But if the manufacturers don't take security seriously, or claim the underlying platform is "hacker-proof," be wary. Better-known brands are less likely to risk their reputations this way, he said.
Things will get better
Security companies are well aware of the threats to Internet of Things devices and are developing new features and products, including remote-connection authentication, virtual private networks between end users and their connected homes, malware and botnet protection and application security, said John Maddison, vice president of marketing at Fortinet.
In Fortinet's survey, about 40 percent of respondents said they would definitely pay for a new router optimized for securing Internet of Things devices, and 47 percent said they might. More than 50 percent said they would pay their Internet service providers for security features to protect their devices.
"As the amount of smart devices increase, I predict we will see an explosion of consumer-level security devices that will allow the average home user to secure their network with little configuration," Martincavage said.
Attacks against Internet of Things devices are not yet imminent. Cybercriminals are not lurking on networks trying to hack into IoT devices, nor is malware waiting to scoop up personal information from smart refrigerators and hacked fitness devices.
However, the Internet of Things hasn't really hit the mainstream yet. Demand for connected devices is currently driven by early adopters, and Trend Micro's Sherry estimates that widespread adoption is still 18 to 24 months away.
In Fortinet's survey, 61 percent of U.S.-based respondents said the connected home would likely happen within the next five years. Regardless of when the tipping point actually hits, there is no doubt that criminals will be ready to take advantage of vulnerabilities.
"The battle for the Internet of Things has just begun," Maddison said. "The ultimate winners of the IoT connected home will come down to those vendors who can provide a balance of security and privacy vis-à-vis price and functionality."
- 10 Things You Didn't Know Could Be Hacked
- How the Internet of Things Could Kill You
- 7 Scariest Security Threats Headed Your Way