As you will be unwrapping your shiny new piece of technology you received as a Christmas gift on Thursday morning, keep in mind that this year’s crop of nanny cams, digital thermostats, home sensors, and car computing systems are not particularly secure - even if words like ‘security’ are proudly presented on the package. These products have small, but full-fledged computer systems inside them that can be hacked as easily as a laptop or desktop. Before unwrapping the Christmas presents, here are a few safety tips from cyber security expert Amit Serper, Senior Information Security Researcher at Cybereason.
Referred to in industry parlance as Embedded Systems, Internet of Things (IoT) products or even wearable technologies, these smart gadgets are often built on Open Source operating systems and software, which often consists of old (and hence vulnerable) pieces of code rarely checked by the manufacturer. Properly securing them is expensive and time consuming, and would put a major drag on the fast track to market these products are on.
So…what’s a well-meaning holiday shopper to do?
1. Avoid exposing embedded/Internet of Things (IoT) products directly to the Internet (even if it's their sole purpose!). To isolate the IoT (i.e. cameras) devices (and basically your whole internal network) from being accessible directly by anyone on the Internet, Install a VPN server. If you cannot do it by yourself - use a tech savvy friend!
2. NEVER expose your home router’s administration panel to the Internet! If you have to do so, again, use a VPN connection!
3. Never buy IoT products from unknown/unnamed vendors. Keep in mind that even the well known vendors aren’t bulletproof, however, there are better chances that they are “under the microscope” of many security researches therefore have better chances to become aware of vulnerabilities in their products and fix them.
4. Look for firmware upgrades! Often, users are not aware of them and ignore them. Firmware upgrades are meant to add more features to products and to take care of security issues. Track your product’s page on the vendor’s website and pay close attention for firmware upgrades.
5. Educate yourself on security. Hackers count on consumers to make their job easy for them by engaging in insecure online behavior. The he mindset of “who would want to hack me?” or “this is too hard to learn” will have to change to see any significant uptick in consumer cyber security.
With mega-breaches becoming larger in scope and more brazen than ever before, it’s easy to simply shrug your shoulders, say a prayer, and take your chances. But large companies have thousands of points of failure. Consumers have a much smaller and more manageable “attack surface” to contend with - one they can greatly reduce if they would invest the time and energy to do it.
You know that expression “if you want something done, do it yourself?” it applies here.
Have a safe and happy holiday season and remember…Caveat Emptor!
About Amit Serper:
Amit is an Information security researcher specializing in embedded Linux devices. His role at Cybereason is to develop novel methodologies for identifying complex hacking operations. For over a decade he led security projects for a government agency in Israel, specializing in the security of embedded systems. Amit is known as for his "out of the box" thinking and is renown for his shell popping abilities on embedded devices such as routers, IP cameras and even home irrigation systems. He has won several Blackhat pen-testing challenges.
Follow Amit on Twitter: @0xAmit
