Some of the largest cyber attacks in recent memory have employed an army of connected home devices to achieve their goals. This co-opting of connected home devices owned by consumers around the world occurs without those consumers’ knowledge or consent. For example, in mid-September, several thousand devices—home routers, Internet-connected video cameras, and digital video recorders—were used to create a “botnet” that collectively pounded the security researcher Brian Krebs’ website with 620 gigabits of data per second. At the time, the attack was thought to be the largest in history. An even larger army was assembled a few days later for an attack on the French hosting provider OVH that peaked at over one terabit of traffic per second. These distributed denial-of-service (DDoS) attacks were successful because they exploited basic security vulnerabilities in connected home devices, such as default passwords used to access administrator settings.
News of data breaches breaks so frequently that attacks may seem inevitable. But a recent study by the Online Trust Alliance (OTA) says that this is not so. The study found that 100 percent of recently reported security vulnerabilities affecting Internet of Things (IoT) devices could have been prevented if manufacturers and developers had implemented basic privacy and security protections. The OTA, which is an industry association composed of over 100 organizations, has already created a number of resources to help developers of IoT devices implement privacy and security “by design.” Most prominent among these is the IoT Trust Framework, a set of thirty privacy, security and sustainability guidelines for wearable technologies and connected home devices.
This week, the OTA turned its attention from manufacturers to consumers by releasing a checklist of basic steps that consumers can take to improve the privacy and security “hygiene” of their connected home and wearable devices. Just as smoke detectors require periodic battery changes, the OTA warns that IoT devices also benefit from regular checkups.
OTA recommends that consumers consider the following steps:
- Inventory all devices within your home and workplace that are connected to the Internet and network. Router reports can help determine what devices are connected to your network. Disable unknown and unused devices.
- Contact your Internet Service Provider (ISP) to update routers and modems to the latest security standards. Change your router service set identifier (SSID) to a name which does not identify you, your family or the device.
- Check that contact information for all of your devices is up to date, including an email address regularly used to receive security updates and related notifications.
- Confirm devices and their mobile applications are set for automatic updating to help maximize protection. Review their sites for the latest firmware patches.
- Review all passwords, creating unique passwords and user names for administrative accounts, and avoid using the same password for multiple devices. Delete guest codes no longer used. Where possible, implement multi-factor authentication to reduce the risk of your accounts being taken over. Such protection helps verify who is trying to access your account—not just someone with your password.
- Review the privacy policies and practices of your devices, including data collection and sharing with third parties. Your settings can be inadvertently changed during updates. Reset as appropriate to reflect your preferences.
- Review devices’ warranty and support policies. If they are no longer supported with patches and updates, disable the device’s connectivity or discontinue usage of the device.
- Before discarding, returning or selling any device, remove any personal data and reset it to factory settings. Disable the associated online account and delete data.
- Review privacy settings on your mobile phone(s), including location tracking, cookies, contact sharing, Bluetooth, microphone and other settings. Set all your devices and applications to prompt you before turning on and sharing any data.
- Back up your files including personal documents and photographs to storage devices that are not permanently connected to the Internet.
In addition to its Security & Privacy Checklist, OTA has also recently released a pair of similar checklists to help consumers understand how to maximize both privacy and security when purchasing and setting up “smart home” technologies and connected devices.
Since reducing cyber incidents engenders trust in consumer products, businesses may find it useful to point consumers to these helpful resources.