IC3 Releases Warning on IoT Security
The IC3 (Internet Crime Complaint Center), a division of the FBI, released a public service announcement on September 11, 2015, regarding IoT security. The announcement was generally focused on the consumer end — namely password strength, awareness of vulnerabilities and exploits, and other practical notes for using Internet-connected items in the household and elsewhere. IC3 notes in its press release that consumers should be aware of possible exploits and keep their devices secure with unique, complex passwords, but is this enough?
Secure and Complex Passwords
Internet connected household items, such a refrigerators and lighting modules, as well as HVAC systems and hydro monitors, can all be exploited through security flaws and weak passwords, so it is important for the consumer to be diligent about passwords and other personal security measures. Unfortunately, many people either choose simple passwords that can be found easily online, or identifiable information such as the names of relatives or pets. Passwords should always be secured and difficult to crack (using lots of numbers and capital/lowercase letters), but this is especially the case with IoT devices that deal with exchanging sensitive information and data in the household.
Among the most important IoT devices to keep secured are closed-circuit security cameras, doors that can be opened remotely (such as garage doors), and household medical devices that are connected to the Internet. Though the Internet of Things is certainly going to become commonplace in the coming years, consumers should consider what purpose an IoT device may serve, and if it is really necessary to have a particular device connected to the Internet.
Obvious though it may seem, the IC3 recommends changing all default passwords, setting up firewalls, and updating the devices' software whenever possible. However, there must also be responsibility on the part of the manufacturers of these devices. As these integrated systems and devices become more commonplace in the home, in infrastructure, and for medical purposes, cybercriminals will become savvier with how these devices interact and exchange information with each other. The design of these devices must be secure out-of-the-box as well as on the part of the consumer.
Though the consumer should absolutely take the proper precautions to making their devices secure, and should be aware of possible exploits and vulnerabilities, there must certainly be diligence on the side of the manufacturers and designers of these devices. Exploits in UPnP (Universal Plug and Play) protocol, in particular, are crucial for manufacturers to consider when designing security frameworks for these devices. Since UPnP protocols self-configure when attached to an IP address, devices that operate on this protocol are open to vulnerabilities, so the design of this hardware and software needs to be secure with regards to these protocols.
One of the ground-breaking qualities of IoT technology is its ability to automatically connect between devices and exchange data to enact a particular role. In doing this, security is an essential factor in both the design and use of these devices, and cannot be overlooked. Automatic data exchange like this can open itself up to harmful vulnerabilities that can compromise both personal safety and personal information.