HOW-TO: Secure IoT devices

This is a simple guide on how to secure IoT devices. Make your network a safe home for its new smart members brought by Santa or DHL…

You’ve just ordered an IP-enabled camera for your DIY home CCTV and, while googling for its manual or additional reviews, your friend shares with you news like this:

[Image: Brian Krebs IoT DDoS]

…or like this…

[Image: DDoS from hacked IoT devices]

…or this…

[Images: rob-graham-mirai-1, rob-graham-mirai-2, rob-graham-mirai-3]

…or this:

[Images: onvif-1, onvif-2]

You start to panic and wonder whether your innocent new toy will share the fate of the thousands of other IoT devices that got hijacked and recruited into a DDoS Death Squad. But don’t lose your mind over it: you can still do a lot to prevent this from happening. We provide here a list of security measures that you can apply, but always stay alert, as there is NO device which is absolutely safe if connected to the Internet. Just think of your neighbour shouting commands to your Amazon Echo through the window while you’re not around… Joke* aside, let’s list the safety advice.

Secure IoT devices by following these tips

#1 Buy devices from reputable manufacturers.

Well-known brands have a lot at stake, so they follow standards and industry recommendations. Their products go through rigorous tests and are less likely to be susceptible to cyber attacks.

Ken Munro of Pen Test Partners says that “…even better if they had vulnerabilities discovered in the past, they learned the lesson and would maximize efforts for the flaw not to happen again.”

#2 Buy the latest versions.

The most recent versions of products contain all necessary security patches and fixes for any vulnerabilities found in previous versions.

#3 Change default credentials.

The first thing you have to do with your new IoT device (camera, digital video recorder, router or whatever else…) is to change the default, factory-set credentials. Hackers maintain, expand and share lists of default credentials for all available pieces of hardware. Their malware attempts to access victim devices by trying all combinations of known default usernames and passwords. If the device still uses factory settings, one of the attempts will work…

[Image: mirai-source-code-factory-credentials]

In October 2016 the Mirai botnet infected hundreds of thousands of IoT devices across 164 countries and performed a DDoS attack which brought down many websites, including PayPal, Twitter, Netflix and Reddit. Its source code contains a list of hardcoded factory credentials for many IoT devices.

Before connecting a new device to your home network, make sure the router is not connected to the Internet. This isolates your network from the outside world and prevents infections from taking place before you even manage to open the device’s web interface. Apart from changing the credentials for the web interface, check whether the device uses any other access channel, like SSH or Telnet, and, if possible, change their login credentials as well.

Whenever you use a browser to access the device’s management dashboard, make sure you do it in incognito mode and via HTTPS. Once finished, log out.

#4 Use strong passwords.

If you replace the default password with one which is short and contains only letters and numbers, you will not prevent but only postpone the moment when an attacker breaks the password.

#5 Change passwords frequently.

…or from time to time at least. Never assume an attacker hasn’t cracked them yet!

#6 Store passwords in a safe place.

Not on a sticker on the back of a device. Not on a piece of paper sitting next to it. Not in plain text in an unencrypted file on your laptop or smartphone. Use password manager software (e.g. KeePass).

#7 All paths to your passwords have to be password-protected.

Pick a long, hard-to-crack master password for the password manager. The same applies to the computer you are running that software on. And double-check that all doors are locked and windows are closed when you are leaving the house. Remember: a system is only as secure as its weakest link!

[Image: system-weakest-link]

#8 Don’t share passwords.

At least not with people you don’t trust.

#9 Don’t use the same password twice.

As soon as hackers get hold of one password, they try it out on all services. If they have the key to your gate, you don’t want them automatically to have the key to your house.

#10 Apply the product’s updates and patches as soon as they are released.

If the vendor provides software updates, don’t allow hackers to take advantage of potentially buggy and vulnerable software running on your device. Subscribe to the vendor’s newsletter or RSS feed and follow them on Twitter so you don’t miss release announcements. If possible, turn on the auto-update feature, or check for updates manually and often.

[Image: IP camera]

Let’s minimize chances that someone else looks through these lenses
Image credit: Flickr

#11 Keep firmware, OS and encryption software up to date.

Again, all layers have to be running the latest software versions. If the OS has a vulnerability allowing attackers to get hold of your encrypted password database, chances are higher they’ll get to your data.

#12 Download files from SSL-enabled websites and verify their checksums.

HTTPS in your browser’s address bar means you’re downloading stuff from a genuine website (provided you haven’t misspelled the website’s domain name…). Check whether the downloadable files have their hash values (like MD5) published. Use one of the tools for calculating a file’s hash and verify that it’s the same as the published one.
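One way to do the check from tip #12, as an added example that is not part of the original article: it parses a vendor checksum list in the common `md5sum`/`sha256sum` layout, picks the algorithm from the digest length (MD5, SHA-1, SHA-256 or SHA-512; prefer SHA-256 where the vendor offers it) and compares it with the hash of the downloaded file. The file name `firmware-1.0.bin` and its contents are constructed sample data.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

def parse_manifest(text):
    """Parse 'HEXDIGEST  filename' lines into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip().lstrip("*")  # '*' = binary mode
        if len(digest) not in ALGO_BY_HEX_LEN or not name:
            raise ValueError(f"unrecognised manifest line: {line!r}")
        int(digest, 16)  # raises ValueError if the digest is not hexadecimal
        entries[name] = digest
    return entries

def file_digest(path, algo):
    """Hash the file in chunks so large firmware images do not fill memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, manifest_text):
    """Return (matches, algorithm); KeyError if the file is not listed."""
    expected = parse_manifest(manifest_text)[os.path.basename(path)]
    algo = ALGO_BY_HEX_LEN[len(expected)]
    return hmac.compare_digest(file_digest(path, algo), expected), algo

def demo():
    """Constructed sample: verify a file, then alter one byte and verify again."""
    data = b"constructed firmware image\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "firmware-1.0.bin")
        with open(path, "wb") as f:
            f.write(data)
        manifest = f"{hashlib.sha256(data).hexdigest()}  firmware-1.0.bin\n"
        before = verify_download(path, manifest)
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate a corrupted or modified download
        return before, verify_download(path, manifest)
```

A match only shows that the file equals what the published list describes, so fetch the list over HTTPS from the vendor’s own site.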

#13 Disable UPnP on your router.

UPnP (Universal Plug’n’Play) is a device discovery and communication protocol. If enabled on the router, UPnP allows any application on the local network to open an inbound port without any authentication. The doors are wide open for hackers! Take this under your control: disable UPnP on your router and define port forwarding rules manually, and only if necessary. You can define which public IP address or range can access your router.

#14 Disable Remote Management on the router.

This feature opens a port for accessing the router’s administration web page remotely, from another network. You can choose to grant access to a specific IP address or range only, but there is also a warm welcome to hackers: an option to allow access from any IP address. This feature is meant to allow remote router configuration, but if it is enabled, chances are that some black hat will configure the router for you.

#15 Filter access by MAC addresses.

Note the MAC address of each IoT device you want in your home network and allow only these MAC addresses to connect to the router. You can use MAC address filtering: use the router’s firewall to block the MACs of your devices from accessing the Internet.

#16 Use a VPN.

If you need to access your IoT devices remotely, block them from accessing the Internet and then use a Virtual Private Network to access your local network.

#17 Make your Wi-Fi router as obscure as possible.

Use a unique, non-default SSID (Wi-Fi network name), disable the router’s broadcasting of it, and use strong encryption: WPA2-PSK (AES).

Last words…

This list is not complete but if you take these actions you will make attackers give up quicker and look elsewhere for more vulnerable networks.


*) This is actually not a joke! Some voice-controlled speakers are quite sensitive and can detect a human voice even if it’s coming from outside the building. There were reports about neighbors being able to unlock “smart door locks” from the outside by simply shouting “Hey Siri, unlock the front door!”.