Fledgling regulation has yet to really make itself felt in the Internet of Things (IoT).
We’ve seen the Code of Practice for consumer IoT security issued by the Department for Digital, Culture, Media and Sport (DCMS) and also the EU’s ENISA Cybersecurity Act last year, while ETSI specification TS 103 645 was released in February. However, compliance with these and other regulations around the world isn’t yet mandatory, making it vital that consumers protect themselves.
We advise the following steps before you buy that smart device.
1. Do your research
Pop the name of the smart gadget or toy into a search engine and add the word ‘hack’, ‘security’ or ‘vulnerability’. It’ll take you moments to find out whether there are discussions about serious security issues.
2. Get the app before you buy
Download the app from the App Store or Play Store to your phone. If you buy the device, you’re going to need the app anyway. Click on the ‘create account’ or ‘login’ section. What we want to know is whether they’re playing safe with the password you’re going to create.
Create an account – use a temporary or throwaway email address, then try to set the password to ‘password’. See what happens. Was it rejected for being too weak? If so, try ‘Password1’ and see if that works. If it does, the manufacturer is showing that they really don’t care: a policy that accepts ‘Password1’ only checks for a capital letter and a digit, not for whether the password is actually hard to guess.
3. Read the manual before buying
Go to the manufacturer’s website and find the manual.
Find the pages that deal with connecting to the smart thing for the first time. If it uses Wi-Fi, how do you connect your phone to the device for the first time? Does one have to press a button on the ‘thing’ first, or is the Wi-Fi wide open without any password, or with the same password for all devices?
If it uses Bluetooth, again, do you have to press a button on the smart device to put it into ‘pairing’ mode, or can anyone connect to it at any time? Having a button press or similar before anyone can connect for the first time is a good thing. It means that you decide when someone can connect to your smart thing.
4. Does the manufacturer take security seriously?
What does the vendor say about security on their website? Do they use marketing terms like ‘military grade’ or ‘bank grade encryption’, or jargon like ‘AES 256’, or do they say nothing at all about security?
A responsible manufacturer will talk about how their security has been independently reviewed and the processes they follow to keep your data safe.
Do they have a ‘bug bounty’ programme to encourage hackers/researchers to report flaws? Search online for ‘bug bounty’ and the name of the product or the manufacturer. Big names in bug bounty programme management include HackerOne and Bugcrowd among many others, so you can click through to their sites to check.
5. Implement a strong password
A weak password is often the easiest way to hack an IoT product. Set a strong, complicated and UNIQUE password that you haven’t used anywhere else.
Use a free password manager to make your life easier. Check whether your IoT app allows two-step verification (a one-time SMS code to your phone) or lets you use an authenticator app.
6. How will you care for your thing post purchase?
Does the device support patches and security fixes?
Check the instructions to see how yours is updated. Make sure your phone allows the IoT app to check for updates, and apply them as soon as you’re alerted. Update the mobile app and check whether there are security fixes for the product itself too.
Sometimes these will be ‘pushed’ from the phone to the IoT device. However, some updates are delivered ‘over the air’ direct to the IoT device, so check which applies to yours.
Ken Munro, Partner at Pen Test Partners