We are regularly warned of significant security risks [1] by the use of IoT technology in our homes. But who of us can resist (OK. OK. I know at least one of them in my household) the lure of some of these useful/cool and more and more affordable devices?
The risks of security gaps associated with these devices are well discussed in the media [2] and I have lumped them into two categories:
- Rouge Device: the device, if hacked, can be used to conduct external attacks from your home network against other systems (ex: DDoS) or internally against your personal devices on your network (ex: ransomware, loss of PII).
- Data Exposure: the data that the devices collect and generate can be accessed by bad actors and used against you (ex: home security cameras).
This article addresses the first risk. The challenge for most households is that we have been sensitized to the need to secure our personal devices (laptops, tablets, phones) but we do not have the same guidelines or helpful advice for the IoT devices we bring into our home. Also, these devices are not standardized in their security features/options/configurations. This is because the devices cover a wide spectrum of device configuration management from fairly basic, like an electric bulb, to complex systems like environmental controls with multiple sensors.
We often acquire these devices in an ad hoc manner through real needs (ex: baby cams) or as interesting accessories or toys (ex: programable mood lighting). For example, I just recently installed a video camera with a cloud app outside my home to try to determine how a squirrel is getting into my house – I class this as a real need, but it is fun to finally identify the perpetrator!
So, this is the scenario I am addressing in this article because I think it applies to a large majority of the folks using these consumer-based devices. We have a lot of devices on our home network that we need to worry about. I have spent time trying to come up with some guidelines for non-technical folks on how to reduce the risks of your collection of IoT devices.
I am starting at a basic level and hope to add more guidelines as the market for consumer WiFi routers and like-devices develop to address the need to segregate these devices from your personal systems. Market leaders in this space are working on projects for frameworks to standardize security [3] but it will take some time to get adoption by the majority of IoT device manufacturers.
This first article introduces an infographic that attempts to illustrate how we can improve our risk exposure through the use of guest networks. I have categorized network configurations by types so they are easier to describe and discuss.
The message is pretty simple – get the IoT devices onto the guest network [4] [5]. The considerations for this guideline are, however, are not simple and result in a primitive infographic with a lot of small font content to explain the benefits and limitations of this recommendation. (My excuse for the primitive infographic is that my objective is to provide a one-pager to be used stand-alone.)
You can download the infographic below.
I imagine a lot of readers may consider this first guideline to be simplistic – but, I hope in a positive sense, in that it is easily understood in order to consider its recommendation as a first step to reduce the risks of these ubiquitous devices.
References used for this article:
- https://www.fbi.gov/contact-us/field-offices/portland/news/press-releases/tech-tuesday-internet-of-things-iot
- https://www.nist.gov/blogs/taking-measure/growing-internet-things-safe-and-responsible-member-your-household
- https://www.connectedhomeip.com
- https://www.lifewire.com/guest-network-for-home-tutorial-818204
- https://www.pcmag.com/how-to/10-ways-to-set-up-your-wi-fi-for-guests
