Who knows what evil lurks in the hearts of webcams? After the Dyn DDoS last month, this is a question on the minds of a lot of security people. Someone recently asked me if we shouldn’t adopt a new name for the Internet of Things (IoT) because the existing term is too vague. I responded that this vagueness was in fact the desired effect; many people have little to no understanding of how many devices in their house are now interconnected. This leaves us surrounded by things that are effectively web-enabled computers, which most people don’t even know need to be secured.
So what do you need to do to help secure your devices, to decrease the chances of their being used for ill? There are a few things you can do, regardless of whether you know exactly which devices need protecting. You may be able to improve the security of the IoT devices themselves, which is ideal if the device is one that will accompany you in your daily travels.
But tightening up the settings on your router can help protect all of your devices while they are in your home.
Change the default username and password
Routers and IoT devices often ship with default credentials that are easily found with a quick trip to your favorite search engine. Use the web page or app provided by your router’s manufacturer that allows you to adjust settings. Change both the username and the password to something strong and unique. IoT devices may also allow you to change your username and/or password, and you should do so if you can.
Disable Universal Plug and Play (UPnP)
Unless you specifically know you need to use UPnP, you should disable this option in your router settings. If this is not a service that you know that you use, it’s unlikely you will notice any difference after disabling it. Leaving this feature enabled allows people to access your network without authentication.
Turn off remote management
By turning off remote management (it may also be called something like “Web Access”), physical access to the router will be required to change its settings.
Change the name of your access point
Choose a name that doesn’t make it obvious what type of router you’re using, or whose access point it is. While this isn’t something that makes a huge difference in your security, it’s usually a very easy change and it does make it a little bit more challenging for attackers.
Require a password for your Wi-Fi connection
Allowing people to connect to your Wi-Fi without a password invites misuse, so use strong encryption (WPA2 is best) to limit the number of people able to use your access point. Choose a good password, and don’t post it where people can see it.
Update the software on your router and IoT devices
Most people don’t know to check their router or IoT devices for security updates at all. If you don’t get prompted to apply security patches as soon as they become available, set an item on your calendar to prompt you to check for updates on a monthly or quarterly basis.
Research your purchases
If you’re considering buying a new router or device, a little extra research can help you improve the odds of getting one that was designed with security in mind from the beginning (or at least one that doesn’t have too many existing problems).
Read online reviews of routers and IoT devices before purchasing them, with an eye towards ease of use, especially where security features are concerned. While it’s possible to tweak any router to make it more secure, if you don’t want to get into the nitty-gritty to accomplish that – such as installing 3rdparty router software – intelligible configuration software is a necessity. IoT devices are enough of a novelty that alternate software is not yet an option, so it’s even more important for them to be easy to secure.
Check for known vulnerabilities
Search for vendors and specific products on CVE Details to see if they have known vulnerabilities. If the product you’re considering has vulnerabilities, you can do a search for the specific CVE number to see if a patch is available. Naturally, it’s best to avoid devices that have issues with ongoing, unpatched security holes.
Check for known issues
Search for vendors on the Better Business Bureau site to see if other customers have reported issues, or if there are government actions against the company. Use your favorite search engine to look for the product or vendor name with the word “recall” to see if there are any recalls under way.
Peruse the vendor’s website
While it’s unlikely that your home devices played a part in last month’s DDoS attack, it is entirely possible that this event was just a preliminary test. If businesses bolster their security and return recalled devices, and if we all start hardening our devices at home, we can decrease the number of devices available for miscreants to use in their next attempt.
by Lysa Myers, ESET We Live Security