Some days I feel pretty darn old, though I’d be lying if I said I actually was. But what I am is old enough to remember the days when most homes had just one computer (if you were lucky). I’m old enough to remember the computer making the funky dialing tone when it would establish the internet connection through the dial-up modem. I remember how if you wanted to make a phone call, you needed to disconnect from the internet. That is a far cry from today’s world where our TV, fridge, and coffee pot can all talk to each other.
A lot has changed in 20 years. We have become enamored with the concept of a ‘smart environment,’ more technically described as ‘The Internet of Things’ (IoT). The IoT is basically a giant network of connected endpoints. These endpoints can be people or devices, and the network ultimately creates structured relationships: people-to-people, people-to-things, and things-to-things. On a broad scale, this paves the way for ‘smart cities’ to slowly become reality, but on a smaller and more personal scale, it has given us a ‘smarter’ and more efficient home. To the average person this is a great thing. Now when I wake up in the morning, I can tell Alexa to start my cup of coffee. Or when I leave work, I can set my oven from my phone to start pre-heating. If you are thinking there is a ‘but’ coming, you are 100% correct.
Introducing all of these new endpoints into our home and office networks has created a variety of vulnerabilities, particularly with those devices that are wireless. Attackers now have many more potential avenues through which they can penetrate your network. The good news is that there are some basic steps you can follow to improve the security of your smart home/office. In the IT world, we call this device hardening. A good visual representation would be to picture a defending army fortifying the weak points of their castle in preparation for an attack. One missed weak point, and the invaders may get in. We can do the same thing with our smart devices. Here are some recommendations:
- Change the default username and password – Nearly all network capable devices have a management console that is accessible by a default username and password. These usernames and passwords are easy to guess, and most likely available on the internet if you know the device make and model. Change them – and it goes without saying, keep good password etiquette in mind.
- Check device settings and features – Smart devices may have adjustable privacy and security settings that can be beefed up, or there may be features (e.g. remote access) that you don’t commonly use that can be disabled.
- Software/Firmware updates – Just like you need to have patches applied to your laptop to resolve security vulnerabilities and fix bugs, the same can be done for these devices.
- Name your router – At home, the router is the gateway to the internet, but that gateway goes both ways. A router’s default name (SSID) can give away its make and model, making it easier to identify default usernames and passwords or inherent weaknesses.
- Segregate your smart devices on the network – Many home routers have the ability to broadcast multiple, but separate, WiFi networks. Create a second network specifically for smart devices.
- Enable MFA – Multifactor authentication is all the rage these days, and for good reason. That second factor is typically an authentication code sent to a pre-established cell phone number; however, not all devices will offer this.
- Beware of public WiFi – Remember that when on any network, your network traffic may be monitored. This is particularly important with public WiFi as anyone may be watching. If you need to access a smart device back at home (or really anything sensitive like your bank account) use a VPN, or if on your phone, use cellular data.
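As an added example (not part of the original article), the short Python audit below applies several of the recommendations above to a home network inventory you write down yourself. The SSID patterns, field names, subnet and sample devices are constructed, illustrative assumptions.

```python
import ipaddress
import re

# Assumed, illustrative factory-SSID patterns that give away the router vendor.
DEFAULT_SSID_PATTERNS = {
    "Netgear": re.compile(r"^NETGEAR\d*", re.I),
    "Linksys": re.compile(r"^linksys", re.I),
    "TP-Link": re.compile(r"^TP-Link_", re.I),
    "D-Link": re.compile(r"^dlink", re.I),
}

def ssid_vendor_leak(ssid):
    """Return the vendor a factory-style SSID reveals, or None if it is neutral."""
    for vendor, pattern in DEFAULT_SSID_PATTERNS.items():
        if pattern.search(ssid):
            return vendor
    return None

def audit(network):
    """Check a home network description against the hardening checklist."""
    findings = []
    vendor = ssid_vendor_leak(network["ssid"])
    if vendor:
        findings.append(f"SSID '{network['ssid']}' reveals router vendor {vendor}")
    iot_net = ipaddress.ip_network(network["iot_subnet"])
    for dev in network["devices"]:
        name = dev["name"]
        if dev["default_credentials"]:
            findings.append(f"{name}: default username/password still set")
        if dev["unused_remote_access"]:
            findings.append(f"{name}: remote access enabled but not used")
        if dev["firmware"] != dev["latest_firmware"]:
            findings.append(f"{name}: firmware {dev['firmware']} is not the latest")
        # Smart devices belong on the second, separate WiFi network.
        if dev["smart"] and ipaddress.ip_address(dev["ip"]) not in iot_net:
            findings.append(f"{name}: smart device is not on the separate network")
    return findings

FIELDS = ("name", "ip", "smart", "default_credentials",
          "unused_remote_access", "firmware", "latest_firmware")
# Constructed sample inventory; every value here is made up for illustration.
HOME = {
    "ssid": "NETGEAR42",
    "iot_subnet": "192.168.20.0/24",
    "devices": [dict(zip(FIELDS, row)) for row in (
        ("coffee-maker", "192.168.1.50", True, True, False, "1.0.2", "1.0.2"),
        ("camera", "192.168.20.11", True, False, True, "2.1", "2.4"),
        ("laptop", "192.168.1.10", False, False, False, "11", "11"),
    )],
}

if __name__ == "__main__":
    print("\n".join(audit(HOME)))
```
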
About the Author
Brad graduated from Indiana University of Pennsylvania in 2014 with Bachelor’s Degrees in Accounting and Management Information Systems. He joined YHB that same year and has since split his time between both the Bank team and the Risk Advisory Services team completing external and internal financial audits, SOX consulting services, and IT related audit and consulting services. Brad became a Certified Information Systems Auditor in early 2019.