Recent breaches in Americans smart home systems have raised the level of concern with IoT devices.
IoT devices are popping up in homes all across the world. Securing these devices is becoming a bigger issue as consumers are starting to realize just easily a hacker can invade their home. TechRepublic’s Karen Roby spoke with an IoT security expert about the things people need to keep in mind before installing IoT devices inside their homes. The following is an edited transcript of their interview.
Karen Roby: Just recently a Milwaukee couple reported hackers broke into their smart home devices and raise the thermostat and blasted vulgar music. Their story, it’s not the only one we’ve heard, of course. There’s plenty of others. People are buying these smart home devices right and left, so, unfortunately, this isn’t a problem that’s going away anytime soon.
Joel Vincent: It’s only going to get worse. We’re in really the early days of IoT, believe it or not, and one of the aspects that we look at when you talk about IoT is, you look at the home and the number of things that are being purchased and installed and quickly ramping up. It really does kind of harken back to earlier days of the internet coming into enterprises and enterprises had to deal with wireless and security and had an IT Department and a Chief Security Officer, a Chief Information Security Officer, to do all those things. They had to adopt a philosophy of security as a process, not as a product. The interesting thing about IoT and the way that’s been growing, particularly in the home and for some enterprises is, home folks are starting to need to start to think about their home cybersecurity in the same way that an enterprise used to think about it, because you’re having 10, 20, 30, 50 IoT devices in the house. It’s not unlike trying to protect 30, 50 employees doing internet activity.
There are a lot of aspects to it. IoT in the home tends to be two-part, very much like an enterprise. There’ll be a Cloud back end where you log in and do things, and then there’s the actual device and what it’s doing in your home and a bit of edge computing that it’s doing in your home. There are standard practices that make the most sense, but people do have to internalize those and start to think of security in the home as a process, as opposed to a product.
SEE: Mastermind con man behind Catch Me If You Can talks cybersecurity (TechRepublic download)
In the Cloud backend, it’s probably been said a thousand times, but it’s worth repeating, the difficult passwords to hack, that’s always key. If the service has two factor authentication where you kind of put your password and then it’ll text you a code or something to that effect, that’s always a best practice and then do all that, keeping in mind that these things you’re installing in your house, if you’re accessing them through the web, you’re creating another backdoor to your house and you need to lock it down.
Then the device itself, when you look at the device, there’s the installation process. Either you do it yourself or someone you trust to do it because physical access to the box is a problem even for enterprises deploying these. We’ve built a whole business securing edge devices for edge IoT devices for enterprises because when they’re remote locations, someone else is doing the installation. There’s a lot that has to be done for an enterprise to lock those down. So, make sure that whoever’s installing it is very trusted, and you know them, or you do it yourself.
Then the process part comes in. If you install something that has updates and automatic updating should be enabled. If it doesn’t have automatic updating, you should always listen to the advice of the app or the website where it says, “You have one of your devices needs an update.” You’re going to have to install it, because at the end of the day, the way enterprises look at it, and the way home users should look at it is, those devices are just trying to stay ahead of the next new hack. Therefore, you should regularly make sure everything’s up to date. Inevitably a new hack will come out, and then the new patch will fix it.
The services that can automate that are fantastic, and it makes it easier, but it’s definitely worth it, even the most automated one, sometimes need you to reboot your devices and things like that.
Karen Roby: Do you feel as consumers we go to the store, Best Buy, wherever we buy our products from or online and we just automatically think, “Well, if it’s being sold, then it’s safe then to install it in my house.” But don’t you think that there’s somewhat of a shift, a mind shift, that we need to have in terms of, “No, it really is still up to us to keep ourselves safe?”
Joel Vincent: Yes, it’s the last part of what you said is exactly right. It’s still up to us. You want to make sure that you have the best locks, the best keys to your house. You’re almost taking, you know, once you’ve done those things and you’re updating, you’re trying to avoid being, for hackers, the path of least resistance. One of the best security things that you might be able to do that you’re doing unintentionally is, just security by obscurity, which basically means there are so many of these things out there that you might get lucky and someone might not hack you. But the way to avoid that also, is if you’re employing best practices, if you’re changing your passwords, if you’re updating your devices, you look less attractive.
It’s not as easy to get in for when a hacker actually does somehow gain access to your house. If it’s too much trouble, more likely than not, they’re not going to turn up the heat of the thermostat and play music, if it’s to take them days and days to crack your password and multiple supercomputers to get into your house. That’s why it’s kind of good to maintain these practices.
There’s always a possibility that you get hacked, but just like buying a new system of locks to your house or somebody, some house, some contractor quit and took a key with them, you’d change all the locks in the house. I mean these are things that we do anyway. Just because you bought it in Best Buy doesn’t mean, and it’s cybersecurity as opposed to a physical key, it doesn’t mean you shouldn’t do basically what you would do for your normal home security.
Karen Roby: Before we let you go, we’re seeing IoT devices just popping up really in every industry. This security on an enterprise level, too, is just becoming more and more important.
Joel Vincent: IoT is changing the thought process within the enterprise, and it’s one of the things that we do at ZEDEDA is, we’ve looked at the idea of enterprise security and cyber, excuse me, cybersecurity. There are several aspects that change when you bring IoT in.
First of all, the amount of data that’s being generated by these IoT devices is way out at the edge, and there’s a lot of forecasts that that data is, there’s going to be more data out at the edge than in the data center itself. The difference for security is, the data center has physically four walls and a firewall, basically has a perimeter. The devices and the IoT at the edge of an enterprise, protecting that is a lot different because there’s no physical perimeter. People have physical access to the boxes. People can inject malware, spoof an address, and inject malware on the way down. We’ve had to create a whole system for the early adopters, if you will, industrials power companies, that takes into account that security has fundamentally changed if you don’t have all your computing devices inside a data center and everything is a remote device.
That’s what IoT is changing. It’s turned what used to be, “Hey, get everything up into the data center or into the Cloud and secure it and deal with it there,” to, “How do we deal with the fact there’s more data outside of the enterprise data center than there is inside the enterprise data center?” It’s spawning whole new solutions and whole new ways to secure and manage all that data that’s getting lumped. You might hear the term, “edge computing” come out. That’s where we play. If you’re doing something with edge computing, we come in there and help you deal with visibility control of all that edge.
It’s changing every aspect of life, not unlike the changes we saw when we went from no internet to everybody’s constantly connected to the internet. In the 90s, I didn’t think about doing any banking on the internet, but today I take it for granted. The shift that IoT is creating across the board from home to enterprise is exactly the same type of tectonic shift. It’s changing how we have to deliver and protect everything.