FBI IoT Alert—But Have They Got It Right?

On August 2^nd, 2018, the US Federal Bureau of Investigation (FBI) issued the following Public Service Announcement:
“Cyber Actors Use Internet of Things Devices as Proxies for Anonymity and Pursuit of Malicious Cyber Activities”

This announcement was one in a series of FBI alerts issued over the past three years that focused on the potential risks posed by the Internet of Things (IoT) to domestic American households.

IoT devices can be used as access points by cybercriminals, or “cyber actors” in their pursuit of criminal online behavior. IoT, or “smart” devices communicate with the Internet and can send and receive digital data. These smart devices include home automation systems such as lighting or air conditioning, security systems, medical devices such as heart pacemakers, smart appliances such as fridges and vacuum cleaners, and even garage door openers. The way that cybercriminals gain access to domestic networks is by accessing unprotected IP addresses associated with any IoT device.

Cyber actors are ideally looking for devices that possess weak authentication. Unfortunately, this includes most IoT devices out there, so the world of IoT devices is considered a fertile feeding ground for these online criminals. Weak authentication is evident in IoT devices where owners fail to upgrade firmware or install security patches making brute-force attacks by cybercriminals a piece of cake. This is particularly so where the users of IoT devices fail to change default user names and passwords.

However, the real challenge faced by organizations like the FBI and other homeland security agencies is due to the lack of consumer awareness of IoT device security issues and best practice.

Watch Scully from the X-Files get trapped in her own smart-home.

The FBI has suggested several measures that home IoT users can deploy including the regular rebooting of IoT devices, changing of credentials, disabling of port forwarding, and the isolation of IoT devices from central home networks.

The FBI’s warnings may be well-placed, however the solutions that they propose fall short of the mark. Most home Internet users do not possess the security savvy required to perform even the most basic of protective measures. Surveys of IoT owners indicate that a significant majority of them rarely even change user names and passwords for their devices. And with the number of those devices set to increase exponentially, security vulnerabilities are set to skyrocket.

Helpfully, the FBI does offer a hotline for IoT inquiries, but with the projected proliferation of IoT devices in the next few years, it is unreasonable to think that the FBI has the required manpower to meet the inquiry demand. FBI “Beware” notices are fine, and reassuring, but they may not be the best solution.

A more effective “catch-all” response to the issue of IoT device vulnerability is to move the locus of responsibility away from the IoT device owner and onto the communications and Internet service providers who are in the ideal position to provide IoT security. Consumers can then relax in the knowledge that their home networks are protected “at source”, and that any cyberattack can be mitigated using the latest, cutting-edge cybersecurity defense. The alternatives are simple: manage the growing technological challenge of your IoT devices yourself, or put the full responsibility of your home network security into the experienced hands of your ISP for a couple of dollars a month. What would you rather do?

With a track record built on proven success with the world’s largest deployed network-based security service, Allot’s Home Secure provides security for home IoT, smart appliances, and home offices.