We live in a world where an increasing number of items in our lives are connected to the internet. We depend upon them to make our lives easier as well as to perform vital tasks, and consequently these devices often hold sensitive information about us and our homes.
It is no longer just computers, laptops, tablets and mobile phones that connect to the internet. Objects such as printers, speakers, the TV, security cameras and lights also connect, not to mention the smart salt dispenser, hairbrush, flip flops or bin. These ‘connected’ devices are collectively known as the ‘internet of things’ (IoT) and they enable you, the user, to control their functions from an app on your phone or tablet from anywhere that you have an internet connection. In the case of a smart TV or speaker, the device can access resources from the internet such as streaming services.
If you can access your smart device online, there is the possibility that other people can also access it. This raises security and privacy questions.
If a hacker can access your IoT device from the internet, they might be able to steal your personal information, access your cameras or microphones to watch or interact with you without your consent, or hijack your devices for malicious uses. A criminal wanting to access your network might be able to find a way in through one of your IoT devices that has a poor security setup. This would be the equivalent of locking your front door but leaving the window wide open.
The UK Government is planning to introduce new legislation that addresses the security of consumer IoT devices. These new laws will help protect us all from threats from the internet.
The new laws are expected to cover three main security features which are aligned with the top three requirements of the European Technical Standard for IoT Security.
Consumer IoT devices will not be allowed to have universal default passwords.
This rule will immediately make it harder for criminals to hack into connected devices.
Consumer IoT devices will have to have a vulnerability disclosure policy.
This means that any faults discovered in the software after the product is in use (which could be used by a criminal to access the device) can be addressed in an organised way.
Consumer IoT devices will need to disclose how long they will receive software updates for.
This means that software updates are created and released to maintain the security of the device throughout its declared lifespan.
Thanks to the proposed new UK laws, consumer IoT devices should soon have basic security measures in place as a minimum. Until that happens, it is especially important that you check you have configured your device securely.
It’s worth noting that if you have purchased the very cheapest product you can find, it may not have any security features or even any manufacturer’s guide included. Consider that for a little bit more money, you may be able to buy a product with important security features built in.
How to set up your IoT device securely
When you first unpack your new IoT device, look for the manufacturer’s documentation and check the default settings.
Change the default password.
Some devices come with a password that looks generic (such as 11111 or admin), so it is vital that you change it to a secure password that is unique to this device.
Enable two-factor authentication.
You should also check to see if you can set up two-factor authentication (2FA) on your device. This is a process where you are required to give a code (often sent as a text message to your mobile phone or by using an authenticator app) in addition to a password. This ensures that other people cannot access your device from the internet with just your password.
Install software updates or turn on automatic updates.
It is important to keep your device updated, as this enables the manufacturer to address any faults that have been discovered in the software. All software updates should be installed as soon as possible, and to make that easier, it is recommended that you switch on automatic updates if available.
Turn off features that you do not need.
To limit the options that hackers have to find ways to attack your device, turn off or disable any features that you do not need or use on your device.
Check your data privacy settings.
Consider carefully how much of your personal information you share with the device. If there are privacy options and functions, use them to limit how your data is stored or shared.
Does the manufacturer have a vulnerability policy?
Go to the product website (which should be detailed within the documentation) and check whether the manufacturer has a vulnerability policy. If they do, this is a good sign that the manufacturer is committed to good security.
This week, IASME launches a brand new certification scheme for consumer internet connected devices. The Internet of Things (IoT) Security Assured scheme is a vital tool for manufacturers to demonstrate the security of their internet-connected devices and to show they are compliant with best-practice security. When the IoT Security Assured scheme badge is displayed on a device it will reassure the end user that their device has the most important security features included.
The IoT Security Assured scheme is aligned with the ETSI technical standard for IoT security, EN 303 645, and with the proposed UK IoT security legislation and guidance. It is also mapped to the IoTSF Security Compliance Framework. Customers will be able to look out for the scheme badge displayed on IoT devices as reassurance of improved security, before making a purchase decision.