Over the past two months we’ve had the pleasure of interviewing an international panel of cyber security experts for our podcast on IoT threats. Ethical hackers, security vendors, PhD students and professors shared their thoughts on the promises of IoT as well as the challenges of an expanding surface attack. At the end of each interview, we asked the interviewees to provide cyber hygiene heuristics that the average smart home user can implement. These practices won’t make you immune against cyber threats if the NSA or FSB want to hack your computer though –they will overcome all these simple procedures to attack you, but they will mitigate attacks by less skilled actors. What follows is a summary of the top four answers, we hope you enjoy the tips and also implement them!

 

Research: Is the device manufacturer a reliable company? Do they take security seriously? Can the device be found via services like Shodan?
Avoid connecting insecure devices into your network, and always ask yourself: what would be the worst-case scenario if this device gets hacked? And act accordingly.

Segment: If a smart thing in your network is compromised, an attacker can access your entire network and cause harm; avoid this by connecting your IoT devices to a different network (vLAN) than the rest of the computers. This may require some extra hard work if you do not have the Netonomy agent installed, or a security-focused router, but it is not impossible to do and this DIY guide can help.

Password: This should be obvious, yet default passwords are the leading cause of hacked IoT devices, because default credentials are basically publicly available information. So if you haven’t yet changed some default credentials, reset your device and immediately proceed to create a strong and original password.

Update: Pretty self-explanatory. Check periodically if any of your connected devices have a firmware update or security patch release, failure to do so will leave you exposed to known vulnerabilities which can be exploited by malicious actors.

Beyond these basic cyber hygiene practices, it becomes really hard for consumers without technical knowledge to do much more, which is kind of scary. Fortunately, Netonomy’s solution is being implemented across different routers and ISPs to seamlessly bring security and control to home networks, which is the best hope we have to deal with IoT cyber threats today.

 

Tune in every Wednesday for more cyber hygiene tips you can implement in your network!

 

 

The WiFi router is the most important device at home, connecting all the computers and gadgets in our home network to the Internet, keeping us online. Yet few of us care about the router, only remembering its existence when we need to restart it, because we only appreciate something when we lose it. This lack of care for the router, the main gateway to your network, makes it a prime and easy hacking target. If an attacker breaks in your router, they can use it to perform illegal activities, slow down your internet, and monitor and tamper with your devices and online activities.

At Netonomy we love routers, we have hundreds of them at our labs, and we want you to love and care for them too. So this Wednesday’s Cyber Hygiene post will provide tips to implement basic security settings. These are not hacker-proof settings, but bare minimum cyber hygiene practices. They are easy to set-up, so follow along!

First you will need to access your router’s web interface, to do that you will need to find your router’s IP address, which is written as four numbers separated by periods (e.g. 192.168.1.1). Sometimes this number is written at the bottom of your router, otherwise, search for it online or try this handy list. Once you have the IP address, connect your computer to the router with a LAN cable, and type the router IP address on your web browser. You will be redirected to the Router’s Settings page. That was the hardest part, now it only gets easier.

Under the Security Settings, look for the following options:

Password: Default passwords are a huge problem with digital devices and routers are no exception; make sure to create a unique password, with a combination of letters, numbers and symbols. Change it periodically.

Encryption: Depending on your router, you will have a few options for encryption, these are the most common ones in declining order of effectiveness:

  • Wired Equivalent Privacy (WEP): The oldest and most popular form of router encryption available, also the least secure of them all.
  • Wi-Fi Protected Access (WPA): An improvement to WEP’s shortcomings.
  • Wi-Fi Protected Access 2 (WPA2): The most secure encryption available at the moment. Select WPA2 if available.
  • Advanced Encryption Standard (AES): Use AES on top of WPA2 or WPA. This is the same type of encryption used by the federal government to secure classified information.

Note: for compatibility with some older devices, such as gaming consoles, TiVo, and other network devices, WEP may be the only security option possible to use. Using WEP is still better than no security at all.

Firewall: While this setting is usually enabled by default, make sure that it’s activated for an added layer of cyber hygiene.

WiFi Protected Setup (WPS): If available, this setting is usually turned on. Originally created to make it easier to setup an encrypted wireless connection without passwords, its very nature made it quite easy to crack, and we recommend turning it off. Please note even turning it off might not be enough, with WPS continuing to work despite having been disabled.

SSID name: This is the name that identifies your router. Avoid leaving a default SSID name, such as the name of your router model, as this information makes it easier for attackers to break in. Also avoid using your family’s name or any other personally identifiable information. Be creative!

SSID broadcast: Your router is always broadcasting its name publically to make it easy to find. However, if you wish to make it harder for snoops to find your network, disable SSID broadcast. This will require that you manually enter your SSID name when connecting new devices to the network.

MAC Filter: When enabled, this option allows devices to connect only if their MAC addresses have been pre-entered in the filter list. A nice tip when setting this up is to have your devices connected prior to enabling MAC filter, open the DHCP client table (often found in the Status or Local Network section) and copy-paste all their MAC addresses into the filter.

Remote administration: This setting is usually found in the Administration Settings.
Unless you intend to remotely configure your router, disable remote access to the settings, you will still be able to configure your router via a wired connection.

Firmware update: Lastly, like all digital devices, make sure you check for firmware updates frequently to stay up to date with the latest security patches and reduce your vulnerability.

 

As aforementioned, these are not hacker-proof security settings, but basic cyber hygiene tips to add a layer of security. If you want true network security and control, you must install solutions like Netonomy’s, or buy an expensive router with a security-focus. However, these easy-to-implement cyber hygiene practices are a first step in the right direction, and we recommend implementing them to make it harder for would-be-attackers to break into your network.

 

Tune in every Wednesday for more cyber hygiene tips you can implement in your network!

 

 

On February 23rd 2000, Vincent Cerf, one of the fathers of the Internet, stated, “Most of the [Internet] vulnerabilities arise from those who…do not practice what I refer to as good cyber hygiene. They are not sufficiently sensitive to the need to protect the security of the Internet community of which they are a part. The openness of the Internet is both its blessing and its curse when it comes to security.” The Internet was a very different place back in 2000, only 5% of the global population had access to it, and IoT, smart phones and broadband speeds were things of the distant future. But eighteen years later, this quote couldn’t be more urgent and relevant, when over half of the population relies on Internet connectivity and malicious actors do not rest. As new scenarios continue to emerge, it is imperative for all stakeholders to recognize and be prepared to execute their roles and responsibilities, including governments, service providers, device manufacturers and consumers.

Many recent, major breaches could have been reduced if fundamental principles of cyber hygiene had been followed, but human stupidity is always the weakest link, and consumer cyber hygiene remains a much-needed patch. Cyber hygiene practices include, but are not limited to, setting strong passwords, managing the network and performing security and software updates. Unfortunately, these seemingly simple practices are tedious and difficult to maintain for most, and are often overlooked by the latest, greatest security solutions that promise to keep us safe. Consequently, we are living in an era of Internet of Insecure Things. However, consumer cyber awareness and cyber hygiene can go a long-way to fixing the Internet, even creating the consumer confidence necessary to increase IoT adoption and reach its potential.

The private sector is best suited to the creation and maintenance of lightweight and simple solutions to facilitate cyber hygiene at home, but the government’s convening power to enforce standards is what will incentivize all stakeholders. We are happy to report that there are loud signals that this is already happening. Following an executive order signed in May of 2017 by US President Donald J. Trump to strengthen the cyber security of federal networks and critical infrastructure, a first draft has already been published recommending, among other things, that the American government fund a public awareness campaign on IoT security, and make cybersecurity a compulsory part of future engineering degrees. Also, in November of 2017, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) began to actively seek proposals by technology vendors to provide an example solution to mitigate IoT-based DDoS attacks.

Consequently, service providers, router manufacturers, and technology vendors are now rushing to market with innovative products and solutions aimed at increasing consumer cyber hygiene. In a way, secure devices and services are a marketing opportunity for companies to differentiate themselves and add value in the Smart Home and IoT marketplace, because nobody wants their devices to be easily hacked. The Wi-Fi alliance is leading this industry trend by announcing that it will be rolling out WPA3 this year to set new security and privacy standards. We believe that cyber hygiene starts at home, but because it is impractical to hold consumers responsible if their devices are used in a botnet or if they’re not secure, we welcome the current industry trend to facilitate consumer cyber hygiene by designing devices with security in mind.

The average number of connected devices at home is increasing exponentially, and the IoT discussion should not be about gloom and doom, but rather about the massive opportunities afforded by this revolution.  Yes, there are risks, but they can be significantly mitigated by the application of proper cyber hygiene by each of us. For its part, Netonomy is joining this fight by providing a lightweight agent-based solution that can be deployed over-the-air and at scale to all home routers, including legacy, at a low cost. Our agent boosts the router –the gateway to all your devices, with Artificial Intelligence and Machine Learning to provide network visibility, security and management controls in an easy to use and friendly white-label app. Securing the Internet of Insecure Things will be no easy task and we all have a role to play.

 

Tune in every Wednesday for cyber hygiene tips you can implement in your network!