Security chiefs join the chorus of concern about shoddy IoT devices

Britain’s new National Cyber Security Centre (NCSC, opened last month) has joined with the National Crime Agency in the UK to warn people about connected Internet of Things devices.

The risks may already be apparent to readers of Naked Security, with articles on safety equipment, dolls in our news in brief section and a great deal else.

However, if it’s drawing the issue to wider national and indeed international audiences then it’s no bad thing. The specific warning this time is about ransomware on watches, TVs and indeed anything users might pay to “liberate” once criminals have shut it down.

The report, available on this page, highlights a number of stark facts. The NCSC has been running for only three months, and during that time the UK has been hit by 188 high-level attacks in which the organisation had to become involved. It’s well known that the cyber-threat is increasing but the report draws attention to the British government’s commitment to forming an alliance between government, industry and law enforcement.

It takes readers back to basics and notes that there is no longer any need for technical expertise when someone is creating a threat, also to increasing collaboration from cybercriminals who are learning from each other more than ever before.

Specifically in terms of ransomware and IoT, it points to new developments such as malware that downloads and encrypts files and then deletes the originals. “The threat of ransomware attack means that business should consider further mitigation and preventative solutions to combat it,” the report says. “These include maintaining appropriate backups and defensive systems that automatically sandbox email attachments.”

Chet Wisniewski, principal research scientist at the office of the CTO for Sophos (and  of course a key Naked Security contributor), says ransomware was common in 2016 and will only increase in 2017. He notes the increasing sophistication of the attacks:

Due to the profitable nature of ransomware, cyber-criminals are likely to look at evolving into any internet-connected devices which hold data of value to their victims. Over the past couple of years Sophos has examined a large number of IoT devices including CCTV cameras, baby monitors, kettles, wireless routers and printers.

The way to avoid a problem is first to look at the basics. So many people still leave their devices’ passwords on the default setting, which isn’t going to protect anything for long. Old versions of software are intrinsically more vulnerable than unpatched newer ones, but people don’t always update.

Says Wisniewski:

At present your chances of finding a poorly secured IoT device are higher than finding one with a reasonable level of protection. That doesn’t mean they are all bad and some vendors are working hard to improve their security and work with researchers, but many of these products are still in the stage of focusing on fast features over any concern for resilience.

He and Sophos offer the following checklist if you’re concerned about an IoT gadget:

1. Many smart things support Wi-Fi so that you don’t have to plug them into your smartphone or computer every time you want to use them. If your home Wi-Fi router allows you to create separate guest networks to keep untrusted visitors off your regular network, make a special guest network for your “things” and connect them there.
2. Many devices, such as video cameras, try to talk to your router to open up inbound holes so they can accept connections from outside. This makes it easier to access them from the internet, but it also exposes your devices to the rest of the world. Turn off Universal Plug and Play (UPnP) on your router, and on your IoT devices if possible, to reduce exposure. Don’t assume that “no one will notice” when you hook up your device for the first time. There are specialized search engines that go out of their way to find online devices, whether you wanted them to be found or not.
3. Keep the firmware up to date on all of your IoT devices – patching is just as important as it is on your PC. It can be time consuming to figure out whether updates are available, but why not make a habit of checking the manufacturer’s website twice a year? Treat it like changing your smoke detector batteries: a small price to pay for safety and security.
4. Choose passwords carefully and write them down if needed. Complexity is important, but so is uniqueness. Many IoT devices have been found to have bugs that let attackers trick them into leaking security information, such as giving away your Wi-Fi password. Remember: one device, one password.
5. Favour devices that can work without the cloud. IoT “things” that rely on a cloud service are often less secure than those you can control entirely from within your home. Read the packaging carefully to determine whether internet access is needed to make the device work.
6. Don’t connect devices to the network if you don’t have to. If all you want from your TV is to watch broadcast television, you don’t need to connect it to the network. Eliminate unnecessary internet connections when possible.
7. Don’t take your IoT devices to work or connect them to your employer’s network without permission from IT. Insecure devices could be used by attackers as a foothold into the organisation, and used to assist with data stealing and illicit surveillance. You could put your company and your job at risk
8. It is a good idea to do a quick Google search to see if the “thing” has been attacked already. Often it is good to choose a brand you think will be around for a year or more so you have someone to ask for updates if something bad occurs.

Nobody designs a device deliberately to be insecure, so don’t leave it that way if you can possibly avoid it.