IoT Security: Managing The Internet of Things in the Office

Because the “T” doesn’t just stand for “things”; it can stand for “threats” too

The Internet of Things (IoT) is amazing. There are speakers you can ask questions to and get answers. Lights you can control with your phone. Security cameras hackers can use to steal files from your company servers…

Wait, what?

While IoT devices are amazing, helpful, and mind-blowing in all we can do with them, there are risks that require IoT security at work (and home). Using a security camera to hack into a company’s files sounds like something out of a spy novel, but that very scenario has been demonstrated as feasible.

DEMO: Uncovering IoT Vulnerabilities in a CCTV Camera

The demonstration took planning, and a specific scenario was created to show how a few unpatched devices can make your entire network vulnerable, but no special skills, tools, or hardware were needed. Any experienced hacker has everything they need to pull it off.

As we bring smart speakers and internet-connected thermostats into the office, we have to look at the risks they bring along and how to mitigate them. We’re not saying toss out all IoT devices and disconnect everything from the internet, but we think you should be careful and know what you need to do so your company isn’t hacked because you’re streaming music in your office.

We’ve looked at the risks and have a few tips that will help keep your company safe while still using these amazing devices. These tips apply to devices you might have at home too: the technologies and the risks are the same, even if a device is made for homes and not offices.

Don’t put everything on the same network

An easy IoT security step for protecting your office systems is to put IoT devices on your guest network and not your main internal network. Most companies have a guest wifi network so people visiting the office can connect to the internet, but can’t access your office computers, servers, or printers. Think of the camera, thermostat, or speaker as a guest in the office. Putting that barrier between your main network with all your data and an IoT device is a simple and effective way to prevent a lot of potential intrusions.

A security camera hack showed that even if you put cameras and other IoT devices on their own network, you can still be at risk if you don’t take the next crucial step—keep your systems patched and updated.

Don’t skip IoT security updates

As we talked about in our better small business security post, keeping all your devices, computers, servers, and routers up to date is crucial for preventing a large number of hacks. The security camera hack depended on a router and camera that weren’t up to date with all their security updates. If the router or camera had been up to date, the hack wouldn’t have worked as demonstrated.

No updates coming? You should likely not buy that IoT device.

When a hacker is trying to break into a network, the first thing they try is exploiting bugs and security holes in smartphones, laptops, printers, and other hardware. If they find an easy way in, they’ll take it. Don’t make it easy for hackers: keep your systems updated. When prompted, always update systems.

Apple, Google, Amazon, and other major manufacturers try to update systems as quickly as possible with security patches, and often updates are installed automatically for you. It never hurts, though, to open the app you use to control the IoT device and have it check for updates (usually you’ll find it in the settings). It’s always better to be safe than sorry.

Change the default username and password

In 2016 the Mirai botnet took down websites around the world in a Distributed Denial of Service (DDoS) attack against the DNS provider Dyn. Twitter, Netflix, Amazon, Apple, and Spotify were just some of the sites affected; the whole list reads like a who’s who of the internet. But how did the hackers pull off an attack at a previously unimaginable scale?

Default usernames and passwords on IoT devices.

The attack was enabled by exploiting security cameras and DVRs made by Hangzhou Xiongmai that all used the same username and password to log in and control the devices. Once hackers connected to the devices over the internet, they installed code to make the devices execute their DDoS attack. That was it. If you’re wondering how long it takes hackers to find and try to exploit a device like a camera or DVR—it takes minutes. Andrew McGill of The Atlantic worked with security researchers to set up a fake system that looked like an internet-connected toaster, to see just how long it would take for it to be found and hacked. McGill and his team thought it would take days or weeks or maybe even never.

They couldn’t have been more wrong.

The first attempt came within 41 minutes, then another within 15 minutes, and another 15 minutes later. The speed at which the attacks happened amazed—and frightened—everyone. The aftermath of the Mirai botnet, and experiments like this one, pushed the State of California to pass a law requiring all IoT devices sold there to have reasonable security features enabled by default. The law comes into effect January 2020, and we hope that these requirements trickle down to all devices, not just ones sold in California.

California Legislates IoT Security

Does that device really have to be on the Internet?

Reading about the IoT security problems above, you might have wondered “why would anyone need a toaster connected to the internet.” That’s a good question. In fact, it’s a question you should ask yourself whenever you connect a device at work or home.

“Do I really need to access this over the internet, or is accessing it just from the office enough?”

It’s very convenient to be able to control lights, speakers, even your security system, from your phone. What you have to ask yourself is if you need to be able to do that when you’re not in the office or home. If you can turn off access from outside your network, you might consider doing it. From the Dyn/Mirai attack above to remotely controlling cars to attacking cardiac devices, there are lots of examples of hackers looking for devices on the internet to compromise—even if it’s just for fun. Being able to monitor your house while at work or getting security alerts from work over the weekend are helpful and give people peace of mind, but maybe keeping your toaster off the internet is a good thing.
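The four tips above can be run as a repeatable check over a device inventory. The script below is an added example, not part of the original article; the subnets, the 180-day update threshold, the field names, and the sample inventory are all constructed assumptions.

```python
import ipaddress
from datetime import date

# Assumed network plan (constructed): internal LAN and guest/IoT segment.
INTERNAL_NET = ipaddress.ip_network("10.0.10.0/24")
GUEST_NET = ipaddress.ip_network("10.0.50.0/24")
MAX_PATCH_AGE_DAYS = 180  # assumed policy threshold, not from the article

# Constructed sample inventory; in practice, export this from your asset list.
INVENTORY = [
    {"name": "lobby-camera", "ip": "10.0.10.23", "last_update": "2018-01-15",
     "vendor_supported": True, "default_creds_changed": False,
     "internet_reachable": True, "needs_remote_access": False},
    {"name": "conf-room-speaker", "ip": "10.0.50.7", "last_update": "2019-05-02",
     "vendor_supported": True, "default_creds_changed": True,
     "internet_reachable": False, "needs_remote_access": False},
    {"name": "hvac-thermostat", "ip": "10.0.50.12", "last_update": "2017-03-30",
     "vendor_supported": False, "default_creds_changed": True,
     "internet_reachable": True, "needs_remote_access": True},
]

def audit_device(dev, today):
    """Return the findings for one device, checking each tip in turn."""
    findings = []
    addr = ipaddress.ip_address(dev["ip"])
    if addr in INTERNAL_NET:  # tip 1: keep IoT off the main network
        findings.append("on internal network; move to guest/IoT segment")
    elif addr not in GUEST_NET:
        findings.append("on unknown network; confirm where it is attached")
    age = (today - date.fromisoformat(dev["last_update"])).days
    if not dev["vendor_supported"]:  # tip 2: updates must exist and be applied
        findings.append("no vendor updates; plan replacement")
    elif age > MAX_PATCH_AGE_DAYS:
        findings.append(f"last updated {age} days ago; check for updates")
    if not dev["default_creds_changed"]:  # tip 3: no default logins
        findings.append("default username/password still set")
    if dev["internet_reachable"] and not dev["needs_remote_access"]:  # tip 4
        findings.append("reachable from internet without a need; turn off outside access")
    return findings

def audit(inventory, today):
    """Map device name -> findings, omitting devices with nothing to fix."""
    report = {d["name"]: audit_device(d, today) for d in inventory}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, date(2019, 6, 1)).items():
        print(name)
        for f in findings:
            print("  -", f)
```
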

IoT is cool, but you need IoT security in your office

Managing IoT devices is just like any other kind of technology. There are risks and many of them can be avoided with a few simple steps. We don’t have to lock all our technology down so it isn’t fun or useful, we only need to know the risks, how to manage them, and then take necessary steps to protect ourselves. We love our IoT devices. They’re convenient. They’re fun. And they’re helpful. So don’t toss your device, just make sure that you take proper IoT security measures.