Security in the internet of things (IoT)

The internet of things (IoT) refers to objects and devices which are connected to a network such as the internet and which use the network to communicate with each other or make information available. Such an object may, for instance, be a webcam, network-attached storage (NAS), or a modem. But also intelligent light switches, refrigerators, or smart TVs connected to an internal network or the internet via a network interface may be included.

Effects and Risks 

More or less intelligent devices like these are increasingly connected to the internet. This increases not only the number of communication participants in the internet, but also the number of vulnerable devices that can be misused by hackers. These devices are then used to send spam emails, for instance, or to carry out attacks on other internet users (e.g. DDoS).

Devices like these must be protected (using individual passwords, restricted access) and also regularly updated. Updates should be performed as soon as possible when critical vulnerabilities in the software of these devices are discovered and can be exploited by hackers. But unlike in the case of desktop computers or smartphones, hardly anyone remembers that these devices need software updates as well.

An even greater potential threat is posed by objects and devices that can be accessed via the internet using standard access data (username and password). These devices can in principle be found by anyone (such as using a port scan or a search engine like Shodan).

Measures

Preventive measures

To prevent your intelligent light switch, webcam, or other IoT device from being misused by hackers, MELANI recommends the following preventive measures:

  • Before you buy network-enabled objects or devices or install them in your home, find out about their IT security precautions:
    • How often are software updates issued?
    • Are they downloaded automatically, or does the user have to do something? How does the user find out that an update is available?
    • Can the device be accessed via the internet?
    • What protection mechanisms does the device have to prevent unauthorized access? Does the device's operating system support access via a secure connection like SSH or HTTPS?
    • Can the default access data provided by the manufacturer (username/password) be changed?
       
  • Make sure that the device cannot be accessed via the internet unless necessary for its operation (e.g. use a firewall or separate network not connected to the internet).

  • If the object has to be reachable via the internet (e.g. because information is provided to it via the internet), we recommend the following steps:
    • Set up a separate network segment for your networked devices that does not have access to your personal data (computer, NAS, etc.). The object can then communicate only with the internet but not with your internal network. Many modern routers now support this approach. This helps you ensure that your internal network cannot be attacked via one of your IoT devices. 
    • Restrict access from the internet to the device, for instance by using an IP address filter (which permits only certain IP addresses to access the device) or by using a Geo-IP filter (which restricts access to the device to Swiss IP addresses, for example). Your IoT device will probably not have this capability, but the upstream router should.
    • Use only protocols that permit an encrypted connection, such as SSH and HTTPS. Never use text-based protocols like Telnet or HTTP.
    • Do not use any standard ports (e.g. 23 – Telnet, 443 – HTTPS, etc.), because otherwise your device can be found using a simple port scan. Instead, use a high port (e.g. 2323 instead of 23, 43443 instead of 443, etc.) to make it more  difficult to find the device
       
  • Do not use default access data (username, password). These standard settings are widely known and can be used or guessed easily by hackers. Change the username and password of the object immediately when you set it up.

  • Use a complex password that no one can guess (at least 12 characters, including numbers, letters, and special characters).

  • Whenever possible, use a second factor for authentication (e.g. SMS, Google Authenticator, hardware token, etc.).

  • If you no longer need a device, disconnect it from the network or internet.

  • Deactivate the UPnP function (Universal Plug and Play) of your router. Ask your internet service provider or router supplier about configuration options as well as about functional limitations and any other unintended consequences this measure may trigger.
     

Measures after a successful attack

If you have already fallen victim to an attack on a networked device, we recommend performing a factory reset. After the factory reset, we recommend observing and implementing the points described under "Preventive measures" in order to prevent being compromised again.

The instruction manual or website of the device manufacturer explains how to perform a factory reset.

 

Last modification 21.11.2016

Top of page

https://www.melani.admin.ch/content/melani/en/home/themen/internet_of_things.html