When notifying some manufacturers about vulnerabilities in their devices, we often get a response along the lines of “Version X.YZ of the firmware has a ton of new features, we’ll add it then when it comes out in 8 months!” That means that for 8 months, the vulnerability remains unpatched. Very few people install patches when they come out, and even fewer people update firmware on IoT devices, so those vulnerabilities can potentially remain exploitable for years!
We’ve seen the Mirai botnet, and now the Reaper botnet, both made up almost exclusively of IoT devices, cause all kinds of chaos with massive attacks. To prevent your IoT devices from taking down crucial internet infrastructure, here are some tips that don’t rely on the manufacturer following a Secure Development Cycle:
1. Update the firmware
Sure, the firmware updates are few and far between, but at least you’ll have the latest security patches as a baseline. Be sure to check for updates periodically, and enable the automatic update option if available.
2. Check the default settings
Sometimes features that you may not want or need are enabled by default. Take some time to poke through those and figure out which features can be disabled.
3. Change the passwords!
Many IoT devices have default administrator passwords and management interfaces that can be accessed remotely. CHANGE THOSE! Default passwords are how the Mirai botnet was constructed. Change the password to a complex one that only you know. If you forget it, no worries: most devices have a physical reset button that sets it back to the default credentials.
4. Avoid connecting them directly to the internet
IoT devices are not designed with security in mind. Most routers have basic firewalls built in that allow you to control traffic to devices. Close ports that aren’t necessary and prevent devices from being accessed from outside your network.
5. Don’t skimp on devices
With most products, there is usually a cheaper version that fulfills the same task. For non-tech products, your personal information isn’t at risk, but there is a definite correlation between the devices at the lower end of the price range and the number of security vulnerabilities found within those devices’ firmware. Smaller companies making cheaper versions of products may also have smaller development teams for firmware upkeep and product support.
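For tips 2 and 4, one way to check which management services your own devices still expose on the local network. This is an added example, not part of the original post; the port list, the inventory format and the addresses are assumptions made for illustration.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Management services often enabled by default on IoT devices.
# This port list is an assumption of the example; extend it for your devices.
MGMT_PORTS = {22: "ssh", 23: "telnet", 2323: "telnet (alternate)",
              80: "http admin", 443: "https admin", 8080: "http admin (alternate)"}

def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unreachable
        return False

def audit(devices, ports=MGMT_PORTS, timeout=1.0):
    """devices: {name: {"ip": str, "needed": set of ports you use on purpose}}.
    Returns {name: [(port, service), ...]} for open ports that are not needed."""
    checks = [(name, d["ip"], p) for name, d in devices.items() for p in sorted(ports)]
    with ThreadPoolExecutor(max_workers=16) as pool:
        results = list(pool.map(lambda c: port_open(c[1], c[2], timeout), checks))
    findings = {}
    for (name, _ip, port), is_open in zip(checks, results):
        if is_open and port not in devices[name]["needed"]:
            findings.setdefault(name, []).append((port, ports[port]))
    return findings

if __name__ == "__main__":
    # Constructed inventory of your own devices; replace with real addresses.
    inventory = {
        "camera":     {"ip": "192.168.1.50", "needed": {443}},
        "smart-plug": {"ip": "192.168.1.51", "needed": set()},
    }
    for name, open_ports in audit(inventory).items():
        for port, service in open_ports:
            print(f"{name}: port {port} ({service}) is open but not needed; disable it")
```

Run it from a machine on the same network as the devices. It only shows what is reachable from inside, so the router's port-forwarding rules still need a separate review for exposure to the internet.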