Why should we be worried about IoT? Consider the car infotainment vulnerability in the MirrorLink infotainment software. Never heard of MirrorLink? It’s a standard tool for connecting smartphones to the in-vehicle infotainment system on your dash. “Tuners” can activate MirrorLink and give drivers the capability to use apps from their smartphone through the car’s touchscreen, speakers, and in-car microphone. All good, as it provides drivers accessibility and functionality. However, it also opens up access to third-party hackers who can mess with the safety functionality of the vehicle, such as the anti-lock braking system. (See: Researchers Uncover Car Infotainment Vulnerability, http://www.darkreading.com/vulnerabilities---threats/researchers-uncover-car-infotainment-vulnerability/d/d-id/1326807?)
Or, how about the Wired video where they showed how hackers remotely killed a Jeep on the highway?
The power of IoT is that most of these things are very simple; they just work and connect and give you information. The problem is that security is not a priority for most companies creating things that are internet enabled. In some cases there are default passwords built in which can’t be changed and which are widely available on the internet. To top it off, they often can’t be updated when vulnerabilities are identified.
What can you do about it, especially when more and more items are IoT enabled?
- Connect only what you need to connect. If it doesn’t need to be on your wi-fi network, don’t add it.
- Have a separate wi-fi network for your IoT devices. If your router will allow a “guest” access without touching your primary computer, use that or have a wi-fi access point just for your IoT stuff.
- Update as patches become available. If you can patch your devices, do.
- Change the password to something stronger. If you can change the password, do change it to a strong passphrase. Can’t remember the passphrases for all these devices? Use a password manager to securely store them all.
- Use any privacy options. If the device has the ability to set privacy options, use that or disable any information sharing altogether.
- Replace it when better security comes along. If you can’t update it and it is causing a security vulnerability, replace it with one that has been secured and hopefully will allow you to change the settings.
(See SANS’ OUCH! Newsletter: https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201605_en.pdf)
Check out the Internet of Things Tip Card (from DHS)