Shopping for Secure IoT Devices

There are about as many internet-connected devices in the world as people, and over the past few years this population of connected devices has come close to inflicting real harm on the 7 billion humans they share the world with.

Internet of things (IoT) devices leak sensitive data that can be used to attack other parts of people’s lives, such as their finances or social media accounts. They have been hacked in pranks, and the IoT has even been weaponized against nations in ways that could put human lives at risk.

Yet after all this, the average shopper has no reliable way to simply evaluate smart devices’ out-of-the-box resilience to hacks and other cyberattacks. This must change.

This article will aim to identify the simple signs that a device may or may not be well-secured, plus the few strategies available to secure devices in the home. Finally, we’ll discuss changes coming in 2019 that may remedy the dearth of information about how pieces of an Earth-sized network are secured.

First: Software vs. Gimmicks

There’s an adage that “software ate the world,” and while it’s true that many companies now provide some sort of digital solution, it is decidedly not true that “every company is a software company.”

As you’re shopping for connected devices this year, don’t assume that smaller companies or even established businesses in niche markets know what they’re doing when it comes to security. If you’re thinking, “I can’t believe they connected this toothbrush/teddy bear/salt shaker to the internet,” it may be time to dig a little deeper into how those devices are secured.

Read the user manual or download the app to make sure the software you’re buying with your device forces you to set a strong password for your user account. Understand what data devices gather about you from the start, and why it’s needed for the device to work.

You can’t control the data-handling practices of the companies you buy IoT devices from, but you can take steps to protect your own data on their servers. Using strong passwords, limiting the amount of contextual data you provide and being careful about connecting to other services can help you avoid damage from data leaks.

Another good rule of thumb: if it’s cheap, it may not be well-designed from a security perspective. Good code and security expertise come at a high price, and manufacturers concerned about security will bake the cost of developing and maintaining secure software into the sale price of a device.

You can search the web for update availability and history to see if companies you purchase a device from regularly update supporting software and device firmware (code controlling the basic operation of a device, which also needs occasional patching). If the app for a newer IoT device shows a higher version number (say, 3.2.0), that may be a signal that the company takes security seriously.

After You Buy

If you’ve just purchased a new smart device or you’re looking at the ones around your home with unease, there are ways to strengthen security measures built into these devices.

First, set a strong password. I know I said this before, but anyone working in digital security can tell you that the average password’s strength is laughable at best. Setting a strong, alphanumeric password—or better yet, using a password generator and manager—is a quick way to improve your chances of avoiding a hack.

Next, learn how your device connects to the internet, not just your home network. Some devices use Universal Plug and Play, or UPnP, to simplify the process of finding and joining a network. Unfortunately, UPnP works by letting a device ask your home router to open ports through its firewall, which means UPnP can also be abused to give anyone on the internet a path into your private home network.

Finally, understand the security compromises you’ll make while actually using your device. Video cameras that let you stream feeds live to your phone similarly tunnel through your firewall. Other devices, like smart thermostats, may let you share data with a network of other users, again opening ports into your home network that could be exploited.
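One way to see what UPnP has actually opened on your router, as an added example that is not part of the article: it assumes the router implements the standard Internet Gateway Device WANIPConnection:1 service, and the sample reply is constructed so the code runs offline.

```python
"""Audit the port mappings a UPnP router has opened through its firewall.
Added example, not from the article: builds the SOAP request a UPnP client
sends for GetGenericPortMappingEntry (WANIPConnection:1) and parses the reply.
The reply below is constructed so this runs offline; on a real router you would
POST build_request() to its control URL (found via SSDP) for index 0, 1, ...
"""
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"

def build_request(index):
    """Return (HTTP headers, SOAP body) asking for mapping number `index`."""
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:{ACTION} xmlns:u="{SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:{ACTION}></s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{SERVICE}#{ACTION}"'}
    return headers, body

def parse_mapping(xml_text):
    """Collect the New* fields of one mapping from the SOAP reply."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]            # drop the XML namespace
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def describe(m):
    """One readable line: who on the internet can reach which device."""
    who = m["RemoteHost"] or "anyone on the internet"   # empty = any host
    lease = "permanent" if m["LeaseDuration"] == "0" else "temporary"
    state = "ENABLED" if m["Enabled"] == "1" else "disabled"
    return (f"{state}: {who} -> {m['ExternalPort']}/{m['Protocol']} forwards to "
            f"{m['InternalClient']}:{m['InternalPort']} "
            f"({m['PortMappingDescription']}, {lease})")

# Constructed sample reply, in the shape an IGD router returns.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8554</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>554</NewInternalPort>
<NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>IP camera</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":
    print(describe(parse_mapping(SAMPLE_RESPONSE)))
```

A mapping with an empty RemoteHost and a lease of 0 is a permanent hole reachable from any internet address, which is exactly the kind of entry worth removing or disabling in the router's UPnP settings.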

Locking down these vulnerabilities isn’t trivial, but it doesn’t take a trained expert, either. In many cases, setting strong passwords (yes, again) and changing default device IDs and admin permissions will significantly improve the security of your devices and home network.

A New Framework for IoT Security

Most smart home device users (and there are a lot of them) have for years simply plugged and played because they didn’t have information about how poorly secured the IoT actually is and wouldn’t expect a device purchase to expose them to risk. Unfortunately, the past two years of botnet attacks and security research have made consumers aware of the risks, but many still don’t have the information they need to make smarter choices.

Thankfully, change is on the horizon and new IoT devices now can be tested in accordance with security guidelines from the CTIA, an industry group that sets standards for wireless communications. Devices that meet one of three levels of compliance with security best practices will receive a CTIA Cybersecurity Certification.

To summarize the three levels, devices that meet the first threshold for certification must require strong passwords and have a plan for regular updates to fix any flaws.

Level 2 takes strong passwords a step further with multi-factor authentication and also requires devices to encrypt the data they send out. Level 2 devices must also use secure boot processes that prevent hackers from dropping code into devices for malicious purposes.

The third level builds on the first two levels and requires devices to be assigned a unique ID that’s then used for encryption functions, so hackers can’t log into apps or networks by acting like trusted devices. It also requires hardware and code to be tamper-evident, so it’s clear when someone is trying to hack a device. Finally, Level 3 requires data in storage to be encrypted so that even if hackers did crack a database, there’d be nothing of value for them to find.

These measures should raise the bar of IoT security at least to a minimum standard, and consumers who worry about device security (most of us) can help enforce that standard by asking retailers and manufacturers to display devices’ CTIA certificates.

Today, digging into spec sheets and comparison charts on reseller websites is unlikely to reveal any sense of the security measures baked into devices. Even seeing a simple certificate of level 1, 2 or 3 compliance with CTIA guidelines will significantly improve consumers’ ability to evaluate device security for themselves. CTIA requirements will also help guide consumers toward safe password and usage practices that can prevent the facepalm-worthy hacks that have shocked researchers and device users over the past several years.

Yeshwant Chauhan


Yeshwant Chauhan is SVP Mobile Services and IoT at Gemalto. With more than 15 years of experience in wireless technology, Yesh manages Gemalto’s North American businesses in Mobile Services and IoT and focuses on the ever-evolving needs of US and Canadian customers for SIMs, eSIM, IoT, AOTA and subscription management platforms.
