This month, National Cyber Security Awareness Month (NCSAM) is observed for the 17th year in a row. To mark NCSAM, the Cybersecurity & Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the FBI have produced cybersecurity tip sheets, publications, and presentations to help citizens protect their homes and businesses. Each week of NCSAM focuses on one of four overarching themes, which NIST lists together with useful resources: “If You Connect It, Protect It,” “Securing Devices at Home and Work,” “Securing Internet-Connected Devices in Healthcare,” and “The Future of Connected Devices.” All four weeks, however, share one underlying subject: the Internet of Things (IoT). The IoT is the network of computerized objects that are connected to the internet. Examples include smart devices such as toys, household appliances, cars, and even insulin pumps.
The IoT was already a popular topic before everyone’s reliance on internet-connected devices increased as a result of the COVID-19 lockdowns. In addition to being discussed by researchers, the IoT is a topic explored by mainstream media, including science-fiction and horror movies. The 2019 reboot of the horror movie Child’s Play reimagined the evil doll as a smart toy that can hack IoT devices to attack people. Although this exact scenario is pure fiction, the idea that a malicious actor could use the IoT to threaten a family is grounded in reality. In a previous blog article posted in January, we mentioned a story reported by Joseph Cox and Samantha Cole of VICE about a family whose Amazon Ring camera was compromised. The hacker used the device’s speakers to talk to a child and play “Tiptoe Through the Tulips,” a song by Tiny Tim that was used in the Insidious horror franchise. Last December, Kate Cox of Ars Technica reported that the hack was part of a series of cyberattacks against various households that owned Ring devices. Last February, Kate Cox reported that Two-Factor Authentication (2FA) had been made mandatory for all Ring devices following the incidents. 2FA requires a second method of authentication in addition to a password, such as a one-time code received on a mobile phone.
Businesses can also be threatened by insecure IoT devices. IoT devices that are connected to a company’s network without the knowledge of its IT department are referred to as Shadow IoT devices. If a Shadow IoT device is vulnerable, the entire network is exposed through it. A study conducted last month by the cybersecurity firm Palo Alto Networks found that 89% of surveyed IT decision-makers reported an increase in IoT devices connected to their networks in the past year, and that 57% of IoT devices are “vulnerable to attacks of medium to high severity.” In their report, Palo Alto Networks provided five tips for IoT security: employing device discovery to find all connected devices, applying network segmentation, changing default passwords, continuing to update device firmware, and actively monitoring devices.
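The first of those five tips, device discovery, is in practice an inventory-reconciliation problem: anything holding an address on the network that the IT department has no record of is, by definition, Shadow IoT. The following script is an added example written for this post, not code from the original article or from Palo Alto Networks. It parses a constructed DHCP-lease table (the lease lines, the approved-device inventory, and the vendor prefixes are all made-up sample data) and reports every device that is absent from the inventory, together with a vendor hint taken from the first three bytes of its MAC address and a suggested network segment to move it to.

```python
"""Added example (not part of the original post): surface Shadow IoT
devices by reconciling DHCP leases against an approved-device inventory.
All lease lines, MAC addresses, hostnames and vendor prefixes below are
constructed sample data."""
import re
from dataclasses import dataclass

# Constructed OUI (first three bytes of a MAC) -> vendor hint. A real
# deployment would load the IEEE OUI registry instead of this toy table.
OUI_HINTS = {
    "aa:bb:01": "example-camera-vendor",
    "aa:bb:02": "example-smart-tv-vendor",
}

# Constructed inventory: MAC -> asset name known to IT.
APPROVED = {
    "00:11:22:33:44:01": "file-server-01",
    "00:11:22:33:44:02": "laptop-finance-07",
}

# Constructed DHCP lease lines in ISC dhcpd style.
DHCP_LEASES = """\
lease 10.0.1.10 { hardware ethernet 00:11:22:33:44:01; client-hostname "file-server-01"; }
lease 10.0.1.23 { hardware ethernet 00:11:22:33:44:02; client-hostname "laptop-finance-07"; }
lease 10.0.1.77 { hardware ethernet AA:BB:01:9F:12:34; client-hostname "Lobby-Camera"; }
lease 10.0.1.91 { hardware ethernet aa:bb:02:00:be:ef; }
lease 10.0.1.95 { hardware ethernet de:ad:be:ef:00:01; client-hostname "unknown-thing"; }
"""


@dataclass(frozen=True)
class ShadowDevice:
    ip: str
    mac: str
    hostname: str
    vendor_hint: str
    suggested_segment: str


LEASE_RE = re.compile(
    r'lease (?P<ip>\S+) \{ hardware ethernet (?P<mac>[0-9A-Fa-f:]{17});'
    r'(?: client-hostname "(?P<host>[^"]*)";)? \}'
)


def parse_leases(text):
    """Yield (ip, mac, hostname) for each lease line; MACs are lower-cased
    so they compare equal regardless of how the server printed them."""
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            yield m["ip"], m["mac"].lower(), m["host"] or "(no hostname)"


def suggest_segment(vendor_hint):
    """Known consumer/IoT vendors go to a dedicated IoT VLAN; anything we
    cannot even attribute to a vendor goes to a quarantine segment for
    review before it gets any further access."""
    return "iot-vlan" if vendor_hint != "unknown vendor" else "quarantine-vlan"


def find_shadow_devices(leases_text, approved, oui_hints=OUI_HINTS):
    """Return every leased device whose MAC is not in the approved inventory."""
    shadow = []
    for ip, mac, host in parse_leases(leases_text):
        if mac in approved:
            continue
        hint = oui_hints.get(mac[:8], "unknown vendor")
        shadow.append(ShadowDevice(ip, mac, host, hint, suggest_segment(hint)))
    return shadow


if __name__ == "__main__":
    for dev in find_shadow_devices(DHCP_LEASES, APPROVED):
        print(f"{dev.ip:12} {dev.mac}  {dev.hostname:16} {dev.vendor_hint:24} -> {dev.suggested_segment}")
```

Run against the sample data, the script flags three devices: the two whose MAC prefix matches a known consumer vendor are routed toward an IoT VLAN, and the one with an unrecognized prefix is sent to a quarantine segment. The useful property is that the check is driven by what the inventory does not contain, so a device that quietly appears on the network shows up on the next run without anyone having to know about it in advance.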
Cisco explains that network segmentation “divides a computer network into smaller parts.” By keeping non-essential IoT devices on a network separate from the one that the important desktops, laptops, and servers are connected to, the threat of smart devices being used as gateways to sensitive information is mitigated. One way to segment a network is to use a Virtual LAN (VLAN), which Cisco defines as “a group of devices on one or more LANs that are configured to communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments.” In addition to securing networks, it is also important to use strong passwords. Cybercriminals can compromise IoT devices by guessing the passwords of the accounts used to access them. Accounts with weak passwords are easy to compromise, but cybercriminals may also use brute-force attacks, in which they rapidly cycle through many candidate passwords until the right guess unlocks the account. Back in December, VICE’s Motherboard team discovered posts on crime forums about tools for compromising Ring accounts via brute-force attacks and concluded that the Ring camera horror story likely started with one such attack. Changing default and weak passwords used to access IoT devices is a critical security measure, and brute-force attacks can be further mitigated by using 2FA.
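The brute-force pattern described above has a signature that is easy to spot from the defender's side: a rapid run of failed logins against one account, sometimes ending in a success. The script below is an added example for this post, not code from the original article, from Ring, or from VICE. It runs a sliding-window check over constructed authentication log lines (the log format, the `example.com` accounts, and the documentation-range source addresses are all made up) and raises two kinds of alert: a burst of failures, and a success that follows a burst, which is the case where a password reset and 2FA enrollment are most urgent.

```python
"""Added example (not part of the original post): detect password
brute-forcing in authentication logs with a per-account sliding window.
The log lines, accounts and source addresses below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> auth OK|FAIL user=<id> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: six failures in 15 seconds, then a success, against
# one account; an ordinary mistyped password on another account.
SAMPLE_LOG = """\
2020-10-05T02:14:00Z auth FAIL user=parent@example.com src=203.0.113.5
2020-10-05T02:14:03Z auth FAIL user=parent@example.com src=203.0.113.5
2020-10-05T02:14:06Z auth FAIL user=parent@example.com src=203.0.113.5
2020-10-05T02:14:09Z auth FAIL user=parent@example.com src=203.0.113.5
2020-10-05T02:14:12Z auth FAIL user=parent@example.com src=203.0.113.5
2020-10-05T02:14:15Z auth FAIL user=parent@example.com src=203.0.113.5
2020-10-05T02:14:18Z auth OK user=parent@example.com src=203.0.113.5
2020-10-05T02:20:00Z auth FAIL user=neighbor@example.com src=198.51.100.9
2020-10-05T02:20:30Z auth OK user=neighbor@example.com src=198.51.100.9
"""


def parse_line(line):
    """Return (timestamp, result, user, src) or None for non-matching lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (user, kind, first_ts, last_ts, failure_count).

    kind == "burst": at least `threshold` failures for one account inside
    `window` (reported once per burst).
    kind == "burst_then_success": a successful login arrived while the
    account was in a burst, i.e. the guessing may have worked.
    """
    recent = defaultdict(deque)  # user -> timestamps of failures in window
    bursting = set()             # users currently inside a burst
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, _src = parsed
        q = recent[user]
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and user not in bursting:
                bursting.add(user)
                alerts.append((user, "burst", q[0], ts, len(q)))
        else:
            if user in bursting:
                alerts.append((user, "burst_then_success", q[0], ts, len(q)))
            bursting.discard(user)
            q.clear()  # a success ends the streak either way
    return alerts


def recommended_action(kind):
    """Map an alert kind to the response the post's advice implies."""
    if kind == "burst_then_success":
        return "force password reset, require 2FA, review device access"
    return "rate-limit or lock the account, require 2FA"


if __name__ == "__main__":
    for user, kind, first, last, n in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{user}: {kind} ({n} failures {first:%H:%M:%S}-{last:%H:%M:%S}) -> {recommended_action(kind)}")
```

On the sample, the `parent@example.com` account produces one `burst` alert when the fifth failure lands and a `burst_then_success` alert on the following success, while the single mistyped password on `neighbor@example.com` produces nothing. The threshold and window are deliberately parameters: a device vendor's service sees far more traffic than a home router, and the right values come from the baseline of ordinary failed logins, not from this constructed sample.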
In the United States, October is the month of Halloween, a holiday associated with scary costumes, decorations, and movies. In horror movies, unsuspecting homes can be invaded by ghosts and monsters. In real life, cybercriminals can invade smart homes to terrify and steal from the innocent. Although the IoT provides many benefits during the pandemic, it also makes consumers vulnerable to new threats. Connecting a new device to your network is like installing a new exterior door to your house: without security, it will be a new way for malicious individuals to enter your home. This month, we encourage everyone to be cyber smart when connecting devices to networks.