Editorial
TECHLIFE’S EDITOR EXPLAINS WHAT YOU CAN DO TO PREVENT YOUR INTERNET OF THINGS DEVICES FROM BEING HACKED.
TO ANYONE WHO keeps even half an eye on tech news, the fact that poorly-secured Internet of Things (IoT) devices have powered several major internet outages over the last year will be no surprise. The most notorious of these was last October’s ‘Dyn’ attack, where the Mirai botnet crippled the internet for almost a full day by targeting a Domain Name System provider. Among the affected sites were Twitter, Amazon, PayPal, Reddit and Spotify.
Many tech publications have been shining the spotlight on poor IoT security — effectively naming and shaming the companies who’re behind devices with lax security. Just recently, however, someone’s gone even further, seemingly waging a war to secure the Internet of Things by destroying it. A new piece of malware that specifically targets IoT devices has been named BrickerBot and, as the name suggests, its modus operandi is to deliberately brick any unsecured IoT devices it can find by corrupting their internal storage. Whether this is actually some form of vigilante digital activism or just some script kiddies having fun is an open question. As with so many hacks, the true intentions of the perpetrators is extremely difficult to suss out.
So with the prospect of your IoT gear potentially turning into expensive paper-weights, now’s a good time to audit any devices you own. Now, IoT devices can take many forms — they can be any product that connects to the internet that’s not your smartphone, tablet or PC. That includes: networked security cameras, home-automation gear, smart lighting, wireless routers, Wi-Fi extenders and networked media players.
There’s a range of factors that can make IoT gear insecure, from having certain settings deep within their firmware turned on that shouldn’t be, to using the default logins for open-source software and more. Here’s what we recommend you do to secure your own devices — note that most of these will require you to log into their web interface or access them via their dedicated apps: * Change the default administrator login and password credentials, * Regularly update your devices to the latest firmware — set a calendar reminder to do so every three months, * Alternatively, if a device supports it, set up automatic (unattended) firmware updates that don’t require any intervention on your behalf — that way, you don’t even need to think about it, * If you don’t use or access your devices while you’re away from home (or work), turn off remote access, and * Check over any security settings that your device offers, learn what they do and turn on as many as you’re comfortable with.
It’s worth noting that bigger, name-brand vendors are often better at issuing security updates than smaller, lesser-known companies (they have more resources and more to lose), so if you have no-name IoT gear, it may take some digging to find security updates. If you’re unsure whether a device is secure or not, we’d unplug it and discontinue use until you can confirm — it may seem innocuous, but one insecure gadget could potentially be a backdoor into your entire network.