January 17, 2018

Most readers here have likely heard or read various prognostications about the impending doom from the proliferation of poorly-secured “Internet of Things” or IoT devices. Loosely defined as any gadget or gizmo that connects to the Internet but which most consumers probably wouldn’t begin to know how to secure, IoT encompasses everything from security cameras, routers and digital video recorders to printers, wearable devices and “smart” lightbulbs.

Throughout 2016 and 2017, attacks from massive botnets made up entirely of hacked IoT devices had many experts warning of a dire outlook for Internet security. But the future of IoT doesn’t have to be so bleak. Here’s a primer on minimizing the chances that your IoT things become a security liability for you or for the Internet at large.

-Rule #1: Avoid connecting your devices directly to the Internet — either without a firewall or in front of it, by poking holes in your firewall so you can access them remotely. Putting your devices in front of your firewall is generally a bad idea because many IoT products were simply not designed with security in mind and making these things accessible over the public Internet could invite attackers into your network. If you have a router, chances are it also comes with a built-in firewall. Keep your IoT devices behind the firewall as best you can.

-Rule #2: If you can, change the thing’s default credentials to a complex password that only you will know and can remember. And if you do happen to forget the password, it’s not the end of the world: Most devices have a recessed reset switch that can be used to restore the thing to its factory-default settings (and credentials). Here’s some advice on picking better passwords.

I say “if you can,” at the beginning of Rule #2 because very often IoT devices — particularly security cameras and DVRs — are so poorly designed from a security perspective that even changing the default password to the thing’s built-in Web interface does nothing to prevent the things from being reachable and vulnerable once connected to the Internet.

Also, many of these devices are found to have hidden, undocumented “backdoor” accounts that attackers can use to remotely control the devices. That’s why Rule #1 is so important.

-Rule #3: Update the firmware. Hardware vendors sometimes make available security updates for the software that powers their consumer devices (known as “firmware”). It’s a good idea to visit the vendor’s Web site and check for any firmware updates before putting your IoT things to use, and to check back periodically for any new updates.

-Rule #4: Check the defaults, and make sure features you may not want or need, like UPnP (Universal Plug and Play, which can easily poke holes in your firewall without you knowing it), are disabled.

Want to know if something has poked a hole in your router’s firewall? Censys has a decent scanner that may give you clues about any cracks in your firewall. Browse to whatismyipaddress.com, then cut and paste the resulting address into the text box at Censys.io, select “IPv4 hosts” from the drop-down menu, and hit “search.”

If that sounds too complicated (or if your ISP’s addresses are on Censys’s blacklist) check out Steve Gibson’s ShieldsUP! page, which features a point-and-click tool that can give you information about which network doorways or “ports” may be open or exposed on your network. A quick Internet search on exposed port number(s) can often yield useful results indicating which of your devices may have poked a hole.

If you run antivirus software on your computer, consider upgrading to a “network security” or “Internet security” version of these products, which ship with more full-featured software firewalls that can make it easier to block traffic going into and out of specific ports.

Alternatively, Glasswire is a useful tool that offers a full-featured firewall as well as the ability to tell which of your applications and devices are using the most bandwidth on your network. Glasswire recently came in handy to help me determine which application was using gigabytes worth of bandwidth each day (it turned out to be a version of Amazon Music’s software client that had a glitchy updater).

-Rule #5: Avoid IoT devices that advertise Peer-to-Peer (P2P) capabilities built-in. P2P IoT devices are notoriously difficult to secure, and research has repeatedly shown that they can be reachable even through a firewall remotely over the Internet because they’re configured to continuously find ways to connect to a global, shared network so that people can access them remotely. For examples of this, see previous stories here, including This is Why People Fear the Internet of Things, and Researchers Find Fresh Fodder for IoT Attack Cannons.

-Rule #6: Consider the cost. Bear in mind that when it comes to IoT devices, cheaper usually is not better. There is no direct correlation between price and security, but history has shown the devices that tend to be toward the lower end of the price ranges for their class tend to have the most vulnerabilities and backdoors, with the least amount of vendor upkeep or support.

In the wake of last month’s guilty pleas by several individuals who created Mirai — one of the biggest IoT malware threats ever — the U.S. Justice Department released a series of tips on securing IoT devices.

One final note: I realize that the people who probably need to be reading these tips the most likely won’t ever know they need to care enough to act on them. But at least by taking proactive steps, you can reduce the likelihood that your IoT things will contribute to the global IoT security problem.

60 thoughts on “Some Basic Rules for Securing Your IoT Stuff”

  1. Harlan Barney

    I have avoided wireless connections and as soon as my daughter and son-in-law leave, I turn off the wireless connection to my intranet. No wireless is secure wireless.

    My house is wired and everything is cable connected.

    Any future IoT devices will be set up carefully or returned accompanied by a nastygram.

      1. WEP security

        With WEP 🙂 security. 20 years on the field and still used. Respect

        1. ZN

          Yeah, don’t use WEP. It’s laughably broken at this point. WPA2 is the bare minimum that you should be using. While you’re in there changing to WPA2, disable WPS too.

  2. weebles

    I don’t understand any of this, but realize I need to. Can you please point me to a primer/starter that a person without any tech or programming knowledge can follow step by step? I see links here, but that even feels like jumping into the middle. Thanks.

    1. Phil

      A website for IT novices is ed2go.com; they have 6 week courses offered at various times during the year covering many subjects, especially in the IT arena. This is a paid site and prices are reasonable. Also ask the Internet the same question you asked here; review the responses; use the Internet as a giant reference encyclopedia; check the following websites: twit.tv, grc.com, howtogeek.com, komando.com, digitalcitizen.com and krebsonsecurity.com

  3. Masood Rahman

    Thank you for the tips. Manufacturers need to follow some sort of standard and part of it should be to force users to change the default password.

    1. zn

      Part of the issue is that a LOT of these devices are designed and manufactured in foreign countries that really, really do not care about our laws. We *could* regulate imports but can you imagine the policy nightmare? What happens when a security breach is revealed in an otherwise accepted product? Do we turn them back? Stick on a post it note warning?

  4. I.T. Guy

    Only way to be totally IoT safe is… don’t use it. Any of it.

    1. Cappy

      Your response is similar to my software QA friend who insisted on paper checks to be mailed to him and not direct-deposited. If you’re that paranoid, then you shouldn’t be using wireless networks, either. Or having direct-deposit of your paycheck. Or using a computer and posting comments to online articles.

  5. oil

    What? People still use botnets? For a long time I had thoughts of purchasing a botnet, but I have no idea what to do with a botnet.
    What I know is that people bought botnet systems for bank transfers.
    Is it true that a good botnet costs about 5k-.?

  6. Retired Fed Infosec Guru

    IoT, the “S” is for security!

    Wait? Did you say there’s no “S” in IoT? There’s no security either!

  7. william wood

    Excellent recommendations and for those reading this who would like to consider a new technology developed at Oxford University, let us know.
