From Yahoo Tech 4/6/15
Some day, we will all live in smart homes. Automated gadgets running on the “Internet of Things” will manage our lighting and heat, keep our appliances humming, and free us up to do more important things, like play Candy Crush Saga 24/7.
Before they do all that, though, the “Internet of Things,” or IoT, has a lot of growing up to do. So far, tech startups have done a great job of churning out inexpensive gizmos that turn on the lights when you enter the room or start the coffee when you wake up, but they’ve done a mostly terrible job of making sure random strangers can’t also flip on your Philips Hue or control your Keurig.
Last July, Hewlett-Packard released a scathing report on the poor security of IoT devices, noting that more than 7 out of 10 have some kind of vulnerability. Over the past three years, devices like Nest’s smart thermostat, Kwikset’s SmartKey lock, Foscam’s baby monitors, and thousands of home security cameras have been compromised in the lab or in the wild.
A report scheduled to be released on Tuesday by enterprise security firm Veracode details some of the ways IoT devices can be hacked, controlled remotely, and even used to spy on you. Given the right circumstances, an external attacker could know when you’re not home, open and close your garage door, turn your lights on or off, and even eavesdrop on your conversations.
Safe… for now
That’s the theory. In practice, at least for now, smart-home hacking isn’t that big a concern. IoT devices aren’t widespread enough yet to be tempting targets for hackers. Not when they’ve got all these juicy insecure corporate databases to pilfer from. Unless you’re the CEO of some major multinational corporation or a key government official, it’s unlikely some random hacker is going to target you.
And while a black market might one day develop in which hackers half a world away sell the details of your comings and goings to some cyber burglar in your hometown, you’re still far more likely to be the victim of an email phishing attack that steals your bank log-ins, or to get a malware infection from opening a poisoned file attachment.
But in a few years, this could change. Our homes could become so “smart” that one not-so-smart gizmo could wreak all kinds of havoc in our personal lives. What can you do about it, besides avoiding any product with the word “smart” in its name? You can start by locking down your home network.
Despite the gaping holes in IoT security, the device on your network that’s most likely to be attacked is your Wi-Fi router itself, says Veracode research architect Brandon Creighton. Unlike a lot of IoT gadgets, your router is remotely accessible by design — otherwise you’d never be able to download Web pages, stream video, or receive email. If attackers are going to get to your IoT devices, they will likely go through the router first.
There are a handful of basic things you can do to make your router safer. The first is to change your log-ins. Most routers come with a default username and password for accessing the settings (often “admin” and “password”). You’ll want to change these as soon as you can, if you haven’t already; otherwise, malicious strangers within range of your network could access your router settings, then change the password so you can no longer log in.
Note that your router’s administrative password is not the same thing as your Wi-Fi password. The router password is what you need to get into the guts of the router itself. The Wi-Fi password just lets you onto the local network the router runs. You should make sure both are unique.
The second is to make sure you’re using WPA2 security. (New routers tend to come with this turned on by default.) This will encrypt the data going in or out of your router, keeping anyone within range of your network from logging on, surfing for free, or using a “packet sniffer” to capture all your information.
Your router may come with a mobile app, like Netgear Genie or Linksys Connect, that lets you change these settings pretty easily; otherwise you’ll need to log into your router’s admin page by typing a numerical IP address into the URL window of your browser (usually 192.168.x.x, with the x’s being either a 0 or a 1). Then look for tabs marked “wireless” and/or “security.”
One dumb cookie
Last December, Check Point Software revealed that more than 12 million home Wi-Fi routers were vulnerable to a Misfortune Cookie attack. By sending routers a malicious cookie file, attackers could remotely take control of individuals’ home networks and every device on them.
Check Point compiled a list of more than 200 models affected by the Misfortune Cookie flaw. If yours is one of them, visit the manufacturer’s website or contact the manufacturer to see if it has issued a patch. Even if your router isn’t on the list, it’s a good idea to make sure it’s running the most current firmware. All major router vendors offer support pages that tell you how to identify what firmware you’re running and how to upgrade it.
Once you’ve secured your router, create a new Wi-Fi network that’s just for your IoT devices, and put your laptop and desktop computers on one with a different name and password, suggests Creighton. If your IoT network still ends up being compromised, the data on your computers and inside your browser won’t be at risk.
Very soon you may be able to buy added security for your smart home. This month, antivirus vendor Bitdefender is officially launching Bitdefender Box, a $200 device that plugs into your Wi-Fi router and provides anti-malware protection for every connected device in your home. (Look for a review of the BOX coming soon to Yahoo Tech.)
Eventually these kinds of protections will be baked into routers themselves, and IoT device makers will start thinking about security before they build their products, not after. Until then, however, our smart homes won’t be as truly smart as we’d like them to be.