The easy way to secure your IoT devices and systems
Internet of Things (IoT) devices are constantly growing in popularity and use, from smart thermostats to connected security cameras. While these devices provide useful features and convenience for users, they also pose a significant risk to the security of your network if not properly configured.
What is an IoT device?
IoT devices are physical devices that are connected to the internet and can collect, exchange, and use data. In essence, most of these run a basic Linux-based operating system and function as small computers on your network. Once connected, they receive an IP address and become discoverable devices on the same network that your computers are connected to.
Unfortunately, as you may know, in order to ensure that everything is running securely, those devices must be updated, maintained, and even segmented on your network. We will get to that later. Let’s look at the most basic steps you can take with your IoT devices as soon as you get them out of the box.
What are security concerns right out of the box?
The most frequent security problem is the default usernames and passwords that most of these devices ship with, which no one ever bothers to change.
Let’s assume you just added additional cameras to your security system. Unless you change a camera’s default credentials, any computer on the network can access that camera using the manufacturer’s default admin credentials. I am sure you can see how much of a physical security risk this can pose.
While onboarding a new client, we ran into another good example of how impactful IoT devices can be on physical security. This client had an EAC (Electronic Access Control) on just about every door in their building. Every staff member had their individual access code to enter the warehouse, certain rooms, and areas of the building.
It was possible to see the activities of every staff member and control who had access, all from a single portal in a browser. Great for security, you might think… Well, oddly enough, you would be wrong.
The admin interface that allowed the admin to change, add, or remove an employee’s building access was accessible from both the internal network AND externally. To make matters worse, the password was never changed from the default of Admin and 123456. (MIND BLOWN EMOJI)
Not only could the EAC be accessed by anyone on the internet using a public IP address and port, but the default password was never changed. This is literally equivalent to handing the keys to the building to anyone with basic Google knowledge who can look up the default login info for this EAC.
Maintenance
Unfortunately, just like computers, IoT devices must receive firmware and software updates on a regular basis to keep them secure. I know it’s not practical to update all of your IoT devices every Tuesday at 10am. So here is a better solution!
You must first identify all of the IoT devices on your network. I recommend downloading Advanced IP Scanner, running a network scan, and making a note of each device, its IP, and how to log in to it in a spreadsheet. Then, set yourself a schedule to check each device at least once a month, or every few months, to see whether there are any new updates available. Unless you have a managed services or managed security services provider that already does this on a regular basis, sticking to a schedule is the only practical method of ensuring nothing goes unnoticed.
Now, of course, there are special occasions that require immediate attention. This was the case when a major vulnerability in QNAP NAS devices was discovered and storage devices were getting hit with DeadBolt ransomware as a result. You can read about it here.
QNAP issued an immediate notice to owners to update their devices, and AlphaCIS made sure that all of our clients’ devices were updated right away.
Network Segmentation
I am convinced toasters will soon be connected to your WiFi. With the number of devices from multiple vendors, keeping up with all of it can be difficult when it comes to security. Every day you hear that this one got hacked or there was a breach there. It’s unlikely that your toaster, like your thermostat or your robotic vacuum cleaner, needs to use the same network resources as your computers and servers. What I mean is that it’s always a good idea to separate your network and put IoT devices on a separate subnet from everything else. This may be achieved using VNet or by using a separate physical WiFi router to connect all of the IoT devices to.
Whichever way you decide to separate and segment your network, just know it will be a huge step forward in protecting your business from a threat.
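The inventory spreadsheet from the Maintenance section and the separate IoT subnet described here can be checked together. The script below is an added example, not an AlphaCIS tool: it audits a CSV export of that spreadsheet for unchanged default credentials, devices sitting outside the IoT subnet, and update checks older than a month. The column names, the 192.168.50.0/24 subnet and the sample rows are assumptions made up for illustration.

```python
import csv
import io
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample inventory (hypothetical devices, addresses and dates).
SAMPLE_INVENTORY = """device,ip,default_password_changed,last_update_check
Lobby camera,192.168.50.11,yes,2024-05-20
Door controller,192.168.1.40,no,2024-01-15
Thermostat,192.168.50.12,yes,2024-03-02
NAS,192.168.50.20,yes,
"""

IOT_SUBNET = ip_network("192.168.50.0/24")  # assumed dedicated IoT subnet
MAX_AGE_DAYS = 30                           # "at least once a month"


def audit_inventory(csv_text, today, iot_subnet=IOT_SUBNET, max_age_days=MAX_AGE_DAYS):
    """Return {device: [findings]} for every device that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if row["default_password_changed"].strip().lower() != "yes":
            issues.append("default credentials not changed")
        try:
            if ip_address(row["ip"].strip()) not in iot_subnet:
                issues.append("outside IoT subnet")
        except ValueError:
            issues.append("invalid IP address")
        checked = row["last_update_check"].strip()
        if not checked:
            issues.append("never checked for updates")
        else:
            try:
                age = (today - date.fromisoformat(checked)).days
                if age > max_age_days:
                    issues.append(f"update check overdue ({age} days)")
            except ValueError:
                issues.append("unreadable check date")
        if issues:
            findings[row["device"]] = issues
    return findings


if __name__ == "__main__":
    for device, issues in audit_inventory(SAMPLE_INVENTORY, date(2024, 6, 1)).items():
        print(f"{device}: {'; '.join(issues)}")
```

Devices that pass all three checks are left out of the result, so an empty result means the inventory is clean as of the date you pass in.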
If your business needs help securing your network, both traditional and IoT devices, give AlphaCIS a call at (678) 619-1218. As part of our expanding services, we monitor IoT devices to ensure they are kept up to date and properly configured so as not to pose a security threat to your entire organization. If you already have a Managed Services Provider (MSP), be sure to ask them how they are keeping your IoT devices secured on the network.
Dmitriy Teplinskiy
I have worked in the IT industry for 15+ years. During this time I have consulted clients in accounting and finance, manufacturing, automotive and boating, retail and everything in between. My background is in Networking and Cybersecurity.