IoT Device Security and Privacy

Garden State Cyber Threat Highlight

Informational Report

Original Release Date: 12/10/2020

When we hear the term “Internet of Things,” we may think of devices we use in our homes, such as thermostats, smoke alarms, kitchen appliances, televisions, door locks, and cameras; however, these devices go well beyond the home and are widely used across industries. IoT devices play a prominent role in our lives and offer many benefits, such as increased efficiency and performance, economic advantages, and convenience. As with most technology, with opportunity comes risk. Devices connected to the internet remain vulnerable, and yet the security and privacy of IoT devices are often an afterthought. Users may believe these devices are secure out-of-the-box or once setup is complete; however, it is often necessary to adjust security and privacy settings for adequate protection.

What is the IoT?

IoT is defined as the “network of physical objects—‘things’—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet.” IoT devices exist in consumer, commercial, industrial, and infrastructure environments. Devices for consumer use include connected vehicles, wearable technology, connected health, appliances, and home automation or “smart home” devices, including lighting, heating and air conditioning, media and security systems, and camera systems. Other, more tailored, IoT devices are used in many industries to facilitate their operations and include those used in medical and healthcare, transportation, manufacturing, agriculture, communications, and energy.

Security and Privacy of IoT Devices

Users are often required to take extra steps to protect IoT devices as they may not be secure out-of-the-box, they connect to other devices and networks, and they transmit and store data. Due to their network access and data, it is vital to ensure confidentiality, integrity, availability, and privacy are maintained. The National Institute of Standards and Technology (NIST) outlines leading practices for IoT devices. Legislative efforts surrounding security, privacy, and data ownership of IoT devices—including when data is collected and stored in the cloud for processing—continue to progress slowly despite the lack of international standards. A first step to improving the security of IoT devices is the new US regulation, the Internet of Things Cybersecurity Improvement Act of 2020, which addresses supply chain risk and requires the establishment of minimum security standards for IoT devices owned or controlled by the federal government.

IoT devices have become a primary target for threat actors over the years as user adoption continues to grow. Threat actors can exploit vulnerable devices, impacting other connected devices and networks and resulting in the unauthorized access to, alteration, disclosure, destruction, and unavailability of data. Vulnerable home routers, combined with compromised IoT devices, such as home security cameras, increase the risk of criminal activity and cyberattacks. Compromised IoT devices and connected home networks could have further implications when devices connected to the home network also connect to a corporate network. IoT devices connected to a corporate network may introduce additional vulnerabilities and increase risk.

Cybersecurity Impacts

Threat actors can use publicly available tools to search for devices that possess easily exploitable vulnerabilities. A search engine, such as Shodan, exposes these vulnerable devices and reveals device information such as the make and model, location, IP address, operating system, open ports, running services, and more. With this device information, a port scanner, low-level skills, and public tools, they can gain unauthorized access, often by using default login credentials, brute-force attacks of easy-to-guess password combinations, or credential stuffing. Threat actors can take over vulnerable IoT devices to create a botnet to commit further attacks, such as distributed denial-of-service (DDoS) attacks. In these attacks, the infected devices are used to generate an excessive amount of network traffic designed to overwhelm a website, server, or online service so that legitimate users cannot access it. A bot list—containing device information and credentials for servers, home routers, and IoT devices—is a common component of an IoT botnet operation and can be publicly disclosed, which may lead to further attacks. These attacks demonstrate the importance of using strong, unique passwords, enabling multi-factor authentication (MFA) where available, and keeping devices up to date.

Other incidents impacting home users involve the use of vulnerable and/or insecure security cameras and video doorbells, such as Google Nest and Amazon Ring. Security cameras are typically installed on the outside of homes and are increasingly being installed inside of homes, including bedrooms. Threat actors may use scare tactics to target security camera owners with sextortion emails purportedly having compromising footage of victims, and they threaten to release the private video or nude photos to the public if payment is not made. This is typically a scam, especially if there is no basis for the email. Parents, especially those with small children, may benefit from security cameras as nanny-cams to observe activity in nurseries and playrooms; however, threat actors can infiltrate these devices to spy on and harass children and their families. The invasion of privacy in this example is a result of weak passwords, password reuse, and the presence of known vulnerabilities.

IoT devices can also be used to traumatize innocent families through the use of swatting, in which threat actors falsely report a serious law enforcement emergency in order to dispatch police or emergency service response teams to another person's address. In Virginia, a threat actor hacked the security cameras due to password reuse and the lack of MFA, made a hoax 911 call claiming a family member may commit suicide, and screamed out "Help me!" through the security cameras when police arrived. He livestreamed the footage for entertainment and charged people to watch online. Another swatting prank in Florida involved a hacked security camera and then a call to the police in which the threat actor falsely reported killing his cheating wife and hoarding explosives. When police arrived, the threat actor directed insults at them through the security camera. Another swatting call in Georgia could have turned deadly when a threat actor hacked into the security camera and called the police claiming a person was shot. Police surrounded the home with innocent family members inside. They discovered it was a prank when the threat actor spoke to them through the security camera, telling them to change all of their passwords and stop using the same one for everything.

These examples of cyber incidents, which resulted from vulnerable or insecure IoT devices, reinforce the need for users to follow cybersecurity best practices, including changing default credentials for all devices/accounts, establishing strong passwords, refraining from using the same password for multiple devices/accounts, enabling multi-factor authentication where available, and updating devices.

Practice Good Cyber Hygiene

IoT devices can provide threat actors with additional attack vectors to connect to networks, infect other devices, and exfiltrate data. Below are some general device cybersecurity best practices:

  • Change the default password. Default passwords for devices/accounts can be used to gain unauthorized access.
  • Use unique, complex passwords for all devices/accounts. Unique passwords for each device/account prevent password reuse attacks, in which threat actors obtain your password for one account and use it to compromise an additional account using the same credentials.
  • Enable multi-factor authentication (MFA) where available. MFA is the use of two or more factors to authenticate to an account or service. This significantly reduces the risk of account compromise via credential theft in which your password has been exposed. Although MFA may seem like an inconvenient step in addition to account credentials, it is an important one—not only to protect an individual account, but also the community at large.
  • Refrain from sharing login credentials or other sensitive information. Login credentials and other sensitive information should not be shared with anyone or saved on your computer or cloud storage platforms.
  • Keep devices up to date. IoT devices often do not receive automatic security updates. Stay informed about publicly-disclosed vulnerabilities and update devices—including firmware—to the latest version to ensure they are patched against known vulnerabilities that could be exploited by threat actors to gain unauthorized access to your device and/or data. If a device is unable to receive updates from the vendor, consider not purchasing or discontinuing use of the device.
  • Check privacy and security settings. Check these settings to help manage your cyber risk and limit how and with whom you share information.
  • Secure physical devices. Safeguard devices and ensure a password/passcode is enabled for all devices to prevent unauthorized access in the event a device is lost or stolen.
  • Cover and/or disconnect your camera when not in use. Cover or disconnect your camera when not in use to help prevent malware from taking control of your camera to spy on you and your surroundings. Additionally, when the camera is in use, ensure no sensitive information and images are visible.

IoT devices will likely use a home wireless (Wi-Fi) network for internet connection; however, the Wi-Fi router may not be set up securely. If a Wi-Fi network is left unsecured, a threat actor could potentially gain unauthorized access to the network and the devices connected to it. As a result, personal, financial, and otherwise sensitive data could be exposed, and their access may lead to other types of malicious activity. Below are some recommendations to help protect your network, data, and devices from unauthorized access and other malicious activity. Additional details for implementing the recommendations, as well as steps to set up a Wi-Fi router, can be found in the NJCCIC Configuring & Securing a Home Wi-Fi Router post.

  • Change the router default username and password. Default router credentials are often publicly available and can be used to gain unauthorized access to your network.
  • Change the network name (SSID) and establish a complex password. Default SSIDs may give away the router’s model, which could provide threat actors with information necessary to obtain the router password (if using default credentials) or determine potential vulnerabilities that could be exploited. Use an obscure network name that cannot easily be associated with your household and establish a password that is complex and difficult to guess.
  • Disable SSID broadcasting. This prevents unauthorized users from detecting your SSID or network name when searching for available wireless networks in their range to potentially connect to and engage in malicious activity. A user would need to know the network name to attempt to connect to the network.
  • Enable WPA2 with AES (or WPA3, if available). Wi-Fi Protected Access versions 2 and 3 (WPA2/WPA3) are both recommended options for ensuring data on devices connected to the network is properly encrypted and secured. WPA and WEP are considered insecure options and should be avoided.
  • Update your router’s firmware. Unlike software that provides automatic updates or prompts users to install updates, Wi-Fi router firmware needs to be manually downloaded and installed. Without firmware updates, routers may contain known vulnerabilities or use outdated encryption that could compromise the security of the network. When compromised, routers are often attack vectors used by botnets to launch attacks such as DDoS attacks.
  • Create separate networks for different devices. Creating separate Wi-Fi networks for groups of devices with similar purposes and/or sensitivity can help prevent an entire network of devices from being compromised if a threat actor is able to gain unauthorized access to one device or network. For example, keep IoT devices on one network and mobile devices on another network.
  • Place the router in the center of your home. This placement provides the best coverage for the devices in your home, while also making it less likely that the signal will be strong enough for someone outside your home to connect to your network.
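
One way to check the SSID and encryption recommendations above against what your own network advertises, as an added example that is not part of the NJCCIC report. It assumes scan output in the terse format of `nmcli -t -f SSID,SECURITY device wifi list`; the sample lines and the vendor-prefix list are constructed for illustration.

```python
import re

# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output
# (terse mode: colon-separated fields, literal colons escaped as "\:").
SAMPLE_SCAN = r"""NETGEAR42:WPA2
Blue Heron:WPA2 WPA3
linksys:WEP
TP-Link_9F3A:WPA1 WPA2
Cafe\: Guest:
:WPA2
"""

# Illustrative vendor-style default SSID prefixes (assumption, not exhaustive).
DEFAULT_SSID = re.compile(
    r"^(netgear|linksys|tp-link|dlink|d-link|asus|belkin|xfinity)", re.I)

def parse_line(line):
    """Split one terse line into (ssid, set of security modes)."""
    # Split only on colons that are not escaped with a backslash.
    fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
    ssid = fields[0]
    sec = fields[1] if len(fields) > 1 else ""
    modes = {m.upper() for m in sec.split() if m != "--"}
    return ssid, modes

def audit(scan_text):
    """Return (ssid, finding) pairs for settings the checklist warns about."""
    findings = []
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        ssid, modes = parse_line(line)
        label = ssid or "<hidden SSID>"
        if not modes:
            findings.append((label, "open network: no encryption"))
        elif "WEP" in modes:
            findings.append((label, "WEP: insecure, use WPA2-AES or WPA3"))
        elif "WPA1" in modes or "WPA" in modes:
            findings.append((label, "legacy WPA enabled: restrict to WPA2/WPA3"))
        if ssid and DEFAULT_SSID.match(ssid):
            findings.append((label, "default-style SSID may reveal router model"))
    return findings

if __name__ == "__main__":
    for ssid, issue in audit(SAMPLE_SCAN):
        print(f"{ssid}: {issue}")
```

A network with a hidden SSID appears with an empty name in the scan, so it is still checked for its encryption mode.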


New Jersey Cybersecurity & Communications Integration Cell
