The emergence of Internet of Things (IoT) devices has been a boon for hobbyists and Makers, with an array of components now available for easy integration into our lives. However, as we put more faith in these connected devices to give us visibility over our homes, families, and personal property, we must take extra care to protect these networks and maintain the confidentiality, integrity, and availability of the data that flows through them. Quickly wiring an ESP8266 — or one of many available Arduino or Raspberry Pi shields — to the internet will get your project online, but could also expose you to vulnerabilities.
Here are four areas to consider for safety when integrating an IoT device into your system. Using all of these mechanisms together is called defense-in-depth. Should an attack defeat one mechanism, the other solutions may provide the necessary protections to maintain system availability.
Home Network Security
- Require strong passwords. These are incredibly effective against an attack.
- Ensure that connected devices support newer security protocols like WPA2. Some older protection schemes such as WEP are known to have major security flaws.
- Minimize the number of open ports to the rest of the internet. Disable unnecessary services like Telnet and UPnP.
- Just like the access points, routers, or servers that they connect to, IoT devices should not be physically exposed to unauthorized access.
IoT Device Security
- Update to the latest firmware or version as soon as they are made available.
- Change default passwords on devices.
- Ensure that the web interface provides account lockout against an attacker attempting to “brute force” the system.
Encrypt. Encrypt. Encrypt.
IoT devices have the potential to transmit a lot of sensitive data like passwords, personal information, photos, and videos. Encryption between devices helps protect the data while in transit across networks. Use well-known standards that have been vetted by the security community.
The Cloud and Privacy
- Does the data need to be stored elsewhere? If not, disable cloud storage. If so, use smart practices such as two-factor authentication and strong passwords.
- Carefully review the type and amount of data that’s collected by the devices. The information collected may be excessive or not protected properly. Opt out of data collection or enable anonymized collection where available.
- Understand that many “free” services are often paid for with user data.