Protecting IoT appliances from cyber attacks

Using IoT devices and appliances to manage processes at home is an increasingly common practice in most modern-day households. Home assistants, smart doorbells, and internet-connected household appliances communicate via IoT technologies. Though prevalent in our lives, securing these devices from cyber-attacks is still a major challenge technologists and manufacturers face.

There are countless reports of compromised IoT devices being recruited into large-scale botnets: networks of private devices that have become infected with malicious software. A botnet can launch denial-of-service attacks, steal data, inundate users with spam or even access devices and their connection without the owner’s knowledge.

In terms of an IoT-connected smart home appliance, this most likely means a botnet would be accessing and controlling the device. If you’re wondering why anyone would want to hack into a toaster, you’re not alone. Yet, hackers can find valuable data about people from the most minor appliances in their house.

“Manufacturers need to be held more accountable with regard to road maps for updates for any devices they sell,” says IEEE Senior Member Kevin Curran.

“Even something which seems innocent, such as an IoT-connected coffee maker, could be hacked, and allow attackers to know our pattern of use. From that, they can make predictions as to when we are at home or not.”

So, what can be done to improve the protection of IoT devices from cyber-attacks? Here are three of the most important steps that users themselves can take.

MAKE STRONGER PASSWORDS

Some countries have started to enforce stricter rules for IoT device manufacturers. These laws require each device to come with a unique password or allow the user to create a stronger password. Plus, the manufacturers must also provide security updates. In any case, it’s still wise to change your password after buying a device.

“Whenever someone buys an internet-connected device, such as a router, baby monitor or connected CCTV, they should change the default password,” says Curran.

“In fact, every device that has a default password should be changed on first use. There are search engines which crawl the web for connected IoT devices, and hackers will try default passwords on those devices.”

If users do not change the password, they are basically leaving their keys in the door. Another tip for making passwords stronger is to use a different password on every site. Install a reputable password manager, which will create complex, strong passwords and store them in an encrypted file on the user’s own computer. Users then only need to remember one master password, and the password manager will automatically take care of logging into different sites with secure passwords.

UPDATE SMART DEVICES IMMEDIATELY

Sometimes updating smart or IoT-connected devices is the last thing on our to-do list, and it’s easy to forget to update mobile apps. But making sure these devices, like smart assistants, home security devices or baby monitors, are using the most recent software is an easy way to ensure safety from potential hacks.

“Something that I wish everyone knew is the importance of timely patches to software and operating systems,” says Curran.

“Running the most recent versions of a mobile operating system, security software, apps and web browsers is among the best defences against malware and other threats. When users see a message on their computer or mobile to update, then they should do so immediately. These updates often contain security patches which protect against new vulnerabilities.”

ALWAYS BUY DEVICES FROM MANUFACTURERS COMMITTED TO USER PROTECTION

Finally, only buy devices from manufacturers committed to ensuring end-user security and privacy are protected. Consumers would do well to embark on some research before buying a smart device to see if the company has had trouble with cyber-attacks in the past. Organisations also need to ensure they only deploy IoT devices with sufficient security policies in place, such as firewalls and intrusion detection and prevention systems, and they also need to ensure they cater for the confidentiality of their customers’ data.

“We have too many vulnerabilities because many people still assume that someone else is handling it, or the system is handling it, and they don’t have to worry about it,” says IEEE Senior Member Steven Furnell.

“Having taken the responsibility on board, users of these devices then need to understand and follow the baseline good practice.”