Smart homes might be right around the corner, but are you and your neighbors really ready for them? While research from firms like Gartner project demand for IoT devices to skyrocket over the next few years, the security implications of the IoT aren’t so rosy. Current online threats will become much closer to home as more people use IoT devices to “smarten” up their houses, and new security challenges are sure to emerge.
This image was posted on F-Secure Labs’ blog by Mika Stahlberg, F-Secure’s Director of Strategic Threat Research. His post provides an excellent breakdown of how smart homes are networked together, and the different types of security that need to be considered.
And while many people might not have networked light bulbs or locks just yet, nearly everyone is already using a router.
IoT devices are designed to communicate directly with one another using communication protocols like Zigbee, so smart homes that have numerous devices networked together are essentially blanketed by these signals. And yes, hackers can use these signals to do all kinds of nasty things. However, the range of these signals is quite limited, so anybody attempting to use them to invade your home will need to be really close – basically lurking outside your window.
Routers, on the other hand, are the gateways that connect IoT devices to the Internet. Any IoT device that has an online component, such as cloud computing, will be using data that passes through the router.
Routers can be used to launch a number of attacks on unsuspecting people, and they make tempting targets because they give hackers access to all of the devices that connect to them. And while many people recognize that their phones, tablets, laptops, and desktops have security needs, fewer people are aware that routers and other devices also need to be protected. As IoT devices integrate people’s homes into online services, the potential for having a man-in-the-middle in your living room increases.
Having a hacker in your living room is a discomforting prospect, just like any kind of home invasion. That’s why people have locks on their doors. Every smart home should keep in mind that routers are like digital doors, and so you want to take some basic security precautions to make sure you can keep that door closed and locked when needed. Here’s three basic security tips to locking down your router to prevent hackers from inviting themselves into your smart home.
Routers, and many IoT devices, rely on passwords as a security measure. Passwords prevent people from wantonly accessing whatever device they come across, and are a staple of account security. Many routers come configured with a factory default password, so people can plug the device in, power it up, and then start surfing right away. Unfortunately, many people don’t give their router, or its password, a second thought once it’s working.
While many of these default passwords are strong and therefore more crack-resistant than something like “password” or “1234”, they’re not always unique, which means the same password can be used for an entire model or type of router. Many hackers know this, and default passwords are often published online.
The point is that using default passwords is a bad idea.
F-Secure Security Advisor Sean Sullivan says that many attacks leverage remote access privileges and weak passwords on routers in their attacks, so locking down routers is vital to securing your smart home. There’s some great advice on choosing and managing passwords online, but Sullivan says because router passwords are stored directly on the device, choosing a personal pass-phrase is usually sufficient (as opposed to a random string of characters like “uyg/&%/Tuhiu1229”).
The technical ins-and-outs of changing your password will depend on the manufacturer and model of your router, but Netgear, Linksys, and D-Link (three of the largest router manufacturers) all offer online tutorials to walk you through the process, and there are several generic guides (such as this one) that you can use a general reference.
Updating software is vital to keeping devices protected, and this includes devices like routers. But updating routers isn’t always easy because they require “firmware” updates. Firmware is software that is so deeply embedded in computers and other types of technology that they tend to be inaccessible to end users. Outdated firmware can contain exploitable vulnerabilities, which is something that attackers can use to hack into routers.
But updating firmware isn’t as easy as updating apps on your PC or phone. It’s something many people either don’t know how to do, or they simply aren’t aware when it’s required. Most routers can’t be updated automatically, or even directly online. People typically have to download the update to their PC first and then use that to install it on the router.
There are some generic guides online that can give you an overview on how it works, but how to update and when depends on the manufacturer, so you should consult their website for specific instructions.
It might also be worth simply buying a new router if yours is quite old and hasn’t been updated regularly. Manufacturers will often stop providing updates after a few years, even though the devices can last for a decade. Plus, many newer routers offer additional capabilities, and Sullivan admits that some of the newer features (such as guest settings) not only offer security benefits, but also allow them to work better with the diverse range of IoT devices used in smart homes.
Another security issue with routers has to do with the way they’re configured to work with your computers and other devices. Attacks that change people’s Internet setting are generally referred to as DNS Hijacks, and typically work by changing your Internet configuration to point your traffic to rogue DNS servers. Doing this lets attackers manipulate Internet traffic in a variety of ways, and this can include things like tricking you into visiting malicious websites that steal personal data (such as account passwords).
Fortunately, you can take measures to protect yourselves from these attacks. There are online protection packages that allow you to check your network to make sure your Internet configuration is safe, and F-Secure has an on-demand tool called Router Checker that lets you check your router to make sure its handling your Internet traffic safely.
You should also disable the remote access privileges on your router, or at least the Universal Plug and Play (UPnP) and web management options. Doing so will prevent people from using the web to access your router and change the settings without your knowledge.
[Photo by k rupp | Flickr]
F-Secure invites our fellows to share their expertise and insights. For more posts by Fennel, click…
April 18, 2018
There are some advantages to being around "forever," as Mikko Hypponen, F-Secure's Chief Research Officer,…
March 10, 2018