The proliferation of connected devices is staggering, with growth of more than 2.5-fold projected by 2020 and Internet of Things (IoT) devices the fastest growing in the category. As the use of these connected devices in our everyday lives continues to increase, it’s important that we all understand the potential security risks associated with our connected lives and how to better protect ourselves and our families against these potential threats.
For a consumer, the home router is the heart of a connected household — the meeting point of your child’s smartwatch, your tablet and your new connected fridge. As the gateway to the home network, the router is the “in” by which a hacker can intercept email, observe online activity such as banking transactions and adjust settings on connected devices. While someone changing your connected coffee pot to brew at a new time is a nuisance, turning off your home security system midday when no one is home is a whole other matter. The router, when not protected, becomes an easy entry point for malware.
To further understand the concerns and perceptions everyday Americans have about IoT and commonly used connected devices, ESET recently conducted a survey in collaboration with the National Cyber Security Alliance (NCSA) in support of National Cyber Security Awareness Month.
That survey shows that consumers are aware of the potential security risk associated with IoT devices. In fact, 88 percent of respondents have thought about the potential for hacking associated with IoT devices. As a result, 50 percent of consumers indicated that concerns about the cybersecurity of an IoT device have discouraged them from purchasing one. Furthermore, more than 40 percent of respondents are “not confident at all” that IoT devices are safe and secure and protect personal information.
When we specifically asked about the home router, it became even clearer that while more devices continue to be connected, the majority of people are not taking basic security precautions. Almost 22 percent of respondents had four to seven devices connected to their home router, and a frightening 14 percent had no idea how many devices were connected. Meanwhile, 29 percent indicated they have not changed their home router password from its default setting, and almost 15 percent didn’t know if they had. By taking some basic steps — like changing the default factory password — you can quickly mitigate many of the risks tied to these common security concerns. We will touch more on that in a bit.
Beyond the home router, what are some of the IoT devices that consumers are using and concerned about? A growing number of American households feature connected appliances, toys and other home systems. In fact, 24 percent of consumers report using an app to control a connected device, such as an appliance or thermostat, in their home. These devices also include connected door locks, home security systems, TVs and baby monitors. Wearables and connected medical devices also fall into this category. Overall, this represents an increase from last year, when only 20 percent of users reported having these types of connected devices.
While many consumers understand that there are risks inherent with using internet-connected devices, few people know what steps can be taken to ensure they and their families are protected. Below are five easy steps ESET recommends you take to lower the risk of your data being stolen or accessed through connected devices or malware being dropped onto your home network:
1. Change the default password on your home router: As this survey demonstrated, not many consumers change the default password that comes standard on their home routers. This means that a hacker can easily gain access to their router by guessing the password that comes default on common routers. Changing this password to a new one – a sentence that is at least 12 characters long – ensures that even if you share the password or it’s accessed by some other means, you keep your router more secure.
2. Ensure software for all devices and connected systems is up to date (including router firmware): Manufacturers and software providers frequently issue product updates throughout the year. While some of these changes include new features that are available, or adjustments to an interface, they are often security related as well. Keeping software up to date on all connected devices ensures you have the latest protection the manufacturer/developer offers, which is your first defense against cyber threats. Most consumers don’t think to update router firmware, the code and data that allow routers to function. Adding to that, routers have long shelf lives, which means that by the time your router is replaced, its software is often very out of date. To determine whether your router’s firmware is up to date, identify your router’s model number and visit the manufacturer’s site to see whether there is a newer version available to download.
3. Confirm whether your home security software features router protection: Home security software is one important layer in protecting your personal data and information. Some home security software now features router protection, which allows you to easily view and manage the devices that access your network. If a device that you don’t recognize is accessing your network, you can elect to block it. You can also add a master list of authorized devices and then set it so no other device will be able to join the network. (On a router, a device is identified by something called a MAC address, which can be found in its network settings.)
4. Ensure you understand what data is being collected and stored by your connected devices: As most consumers know, the data we generate and the information we transact with online is extremely valuable if it ends up in the wrong hands. Because of this, it’s critical that you are aware of what data your connected devices collect, how it is stored and how it is shared. While it would raise a red flag if a connected fridge asked to access something such as your home security system, you might not think twice about letting your connected heating system store your weekly data log. However, a criminal who gains access to that log because it’s not securely stored can tell when the home is not heated or the heat is turned down, signifying your home is vacant. Further, if that data log is shared with other vendors for sales leads, you lose track of who has the information. Familiarizing yourself with the data and privacy policies of your connected devices is critical to ensure you understand the type and quantity of data that is being collected and how it is being stored.
5. Limit device/app privileges: As with apps accessed on a mobile device, you should look to limit the access and privileges your connected devices have daily. Should your toaster be able to access your contact list? Will the fridge ever need to communicate with your front door lock? Ensure devices and apps don’t have free rein to communicate with entities they don’t need to, so that even if one device is breached, it does not mean all your connected devices can be accessed.
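For readers who want to do the device check from step 3 by hand, the short Python script below compares a router's list of attached devices against a master list of authorized MAC addresses. It is an added example, not ESET's software or code from the survey; the device rows, names and MAC addresses are constructed, and the three-column "IP, MAC, name" layout is an assumption about how a router's admin page lists devices.

```python
import re

# Constructed sample: "attached devices" rows as a router admin page might
# list them. All addresses and names are made up for this example.
ATTACHED = """\
192.168.1.10  AA-BB-CC-11-22-33  living-room-tv
192.168.1.11  a4:5e:60:c1:02:9f  thermostat
192.168.1.12  DE:AD:BE:EF:00:01  unknown
192.168.1.13  3c5a.b4d2.77e0     (no name)
"""

# Constructed master list of devices the household has approved.
AUTHORIZED = {
    "aa:bb:cc:11:22:33": "Living-room TV",
    "A4-5E-60-C1-02-9F": "Thermostat",
}

def normalize_mac(text):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, or None if it is not one."""
    digits = re.sub(r"[-:.]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_randomized(mac):
    """True if the locally administered bit is set (typical of private MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(attached_text, authorized):
    """Return (ip, mac, status) for every attached device with a valid MAC."""
    known = {normalize_mac(m): name for m, name in authorized.items()}
    findings = []
    for line in attached_text.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 2:
            continue
        mac = normalize_mac(fields[1])
        if mac is None:
            continue  # not a device row
        if mac in known:
            status = "authorized"
        elif is_randomized(mac):
            status = "unrecognized (randomized MAC)"
        else:
            status = "unrecognized"
        findings.append((fields[0], mac, status))
    return findings

if __name__ == "__main__":
    for ip, mac, status in audit(ATTACHED, AUTHORIZED):
        print(f"{ip:<14} {mac}  {status}")
```

A phone or laptop that uses a private (randomized) Wi-Fi address can show up with a MAC that is not on your list, which is why those rows are labeled separately. Because a device can change the MAC address it presents, treat the list as an inventory aid alongside a strong router password and current firmware.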
Connected devices present many benefits — the chance to communicate more easily with coworkers, family and friends across the country, the power to manage home systems from your smartphone and the ability to monitor a sick child’s temperature and breathing while he or she sleeps. As with any technological advancement, these benefits come with some risks — in this case online and mobile security concerns. By following the above tips and keeping an eye on how devices interact with your home network, however, you can safely enjoy these advancements while ensuring your home is secure.
As I mentioned previously, this week the NCSA and ESET joined forces to promote National Cyber Security Awareness Month and educate consumers on securing the online, mobile and physical environments that are a part of our continuously connected lives. Learn more about the survey here.
About the Author
Andrew Lee is the CEO of ESET North America. Mr. Lee brings to ESET a unique blend of corporate and security expertise. Having served as chief research officer at ESET from 2004 to 2008, Lee was responsible for building ESET’s reputation as a world-class research organization. Prior to accepting the role of CEO at ESET in January of 2011, Lee served as chief technology officer for K7 Computing, an antivirus software and internet security company, where he was responsible for all aspects of K7’s technology, leading acquisitions and bringing new products to the market. More about Mr. Lee here.