Date: 2017-03-15

Ransomware was undoubtedly one of the favourite lucrative tactics of cyber criminals in 2016, a trend continuing into 2017. In the past, we’ve seen even the most basic and flawed campaigns succeed in scamming money from victims, but over the past 12 months criminals have optimised both their technical implementation and their ‘business’ processes. Because ransomware is so profitable, cyber criminals are likely to expand to any internet-connected devices that hold data of value to their victims.

Over the past couple of years Sophos has examined a large number of IoT devices including CCTV cameras, baby monitors, kettles, wireless routers and printers. From the serious to the strange, IoT devices have a lot of common vulnerabilities – many of which are the types of flaws we worked hard to eliminate in mainstream computing devices as much as 10 years ago. In the devices we’ve inspected we’ve found simple flaws that enable bypass of usernames/passwords, fixed passwords that the user can’t change (and that are easy to guess) and old versions of software with seemingly no plan to update them to cover the latest security or bug fixes.

At present your chances of finding a poorly secured IoT device are higher than finding one with a reasonable level of protection. That doesn’t mean they are all bad, and some vendors are working hard to improve their security and work with researchers, but many of these products are still at the stage of focusing on fast features over any concern for resilience. You wouldn’t buy a car that didn’t have brakes – it would be considered outright defective – but many devices such as wireless routers come without security and could allow your devices to be leveraged to launch attacks online, or allow attackers to go poking around your own network.

1. Many smart things support Wi-Fi so that you don’t have to plug them into your smartphone or computer every time you want to use them. If your home Wi-Fi router allows you to create separate guest networks to keep untrusted visitors off your regular network, make a special guest network for your “things” and connect them there.

2. Many devices, such as video cameras, try to talk to your router to open up inbound holes so they can accept connections from outside. This makes it easier to access them from the internet, but it also exposes your devices to the rest of the world. Turn off Universal Plug and Play (UPnP) on your router, and on your IoT devices if possible, to reduce exposure. Don’t assume that “no one will notice” when you hook up your device for the first time. There are specialized search engines that go out of their way to find online devices, whether you wanted them to be found or not.

3. Keep the firmware up to date on all of your IoT devices – patching is just as important as it is on your PC. It can be time consuming to figure out whether updates are available, but why not make a habit of checking the manufacturer’s website twice a year? Treat it like changing your smoke detector batteries: a small price to pay for safety and security.

4. Choose passwords carefully and write them down if needed. Complexity is important, but so is uniqueness. Many IoT devices have been found to have bugs that let attackers trick them into leaking security information, such as giving away your Wi-Fi password. Remember: one device, one password.

5. Favor devices that can work without the cloud. IoT “things” that rely on a cloud service are often less secure than those you can control entirely from within your home. Read the packaging carefully to determine whether internet access is needed to make the device work.

6. Don’t connect devices to the network if you don’t have to. If all you want from your TV is to watch broadcast television, you don’t need to connect it to the network. Eliminate unnecessary internet connections when possible.

7. Don’t take your IoT devices to work or connect them to your employer’s network without permission from IT. Insecure devices could be used by attackers as a foothold into the organization, and used to assist with data theft and illicit surveillance. You could put your company and your job at risk.

8. It is a good idea to do a quick Google search to see if the “thing” has been attacked already. Often it is good to choose a brand you think will be around for a year or more so you have someone to ask for updates if something bad occurs.