Home network devices: friend or foe?
Our home maybe our castle, but just how safe are we with our home network devices spying on us?
This week’s BBCs Panorama – Hacked: Smart Home Secrets – discussed the risk many people are exposing themselves too when deploying Internet of Things devices within their homes. The people interviewed had either failed to sufficiently secure their equipment by using the default or weak passwords. Some of the equipment under scrutiny had no facility to change the password from the default “password”. The vulnerable items included smart phone accessible security cameras and baby monitors. The video feeds from thousands of these devices around the world are appearing online for anyone to access. The people interviewed were shocked to learn their private lives were daily entertainment for voyeurs around the world.
It is reasonably common knowledge among IT practitioners that many of the network enabled items we have in our homes are a potential threat to our privacy and security. The Internet of Things is big business and many manufacturers are jumping on the band wagon with little regard to security. The Panorama researchers demonstrated how easy it was to hack into a home network. Having gained access to the router they then set their sights on the network attached devices to push messages onto the TV screen, use the TVs speakers to place an order on Amazon via Alexa and print a message on the printer. They could have captured sufficient data to enable them to access personal bank accounts and other online shopping sites. All with relative ease using readily available equipment and software.
This also poses a serious threat to third parties. Cybercriminals need real estate in terms of a diverse range of vulnerable (accessible) devices with an equally diverse geography. According to Panorama there are approximately ten network accessible devices in every broadband connected home and this is rising fast. Cybercriminals can recruit vulnerable devices to create global botnets to harvest information from unsuspecting residents enabling them to empty their bank accounts and steal their identities for their own nefarious uses. In addition to this, once they have access to this valuable processing power, they can use these devices to launch concerted attacks on third parties.
Recent research from Surrey University estimates cybercrime generates around £1.1T per annum. This includes all aspects of cybercrime such as illegal and illicit markets, theft of trade secrets and data trading. Numerous forms of cybercrime as a service are making it very easy for up and coming amateur cybercriminals to build a career in the industry. The report also states that if cybercrime was a country it would be the 13th highest GDP in the world. This gives us some idea as to the scale and complexity of the challenge our personal lives and IT systems are facing every day.
Rarely a day goes by without a major service or web site failure with no discrimination. Small, large, private, public – no one is spared. When I am greeted with a “web site down for essential maintenance” notice in the middle of the week I assume that is a cover for a cyberattack. Surely no head if IT or business leader would sanction maintenance on a corporate web site during prime business hours. In my opinion there are just too many occurrences for these to attributed to reckless maintenance decisions or poor project management resulting in overnight or weekend maintenance running over. If it is a cyberattack I would hope the organisation would be honest about it. When we attempt to present security incidents as “essential maintenance” it gives the cybercriminals more power. The best defence we have against such a complex network of cybercriminals is to join forces and share experiences. It is impossible to thwart every attack – some are going to get through whether they are zero-day attacks missed by our antivirus and antimalware defences, or the result of unsuspecting team members clicking innocent looking links in emails. We must always be on our guard and we must always have a well-rehearsed plan to fall back on when our systems are compromised.
We are all responsible for our personal and corporate cybersecurity and that of our family, friends and colleagues, just as we would be for health and safety. It is essential for businesses to ensure all team members are well informed and understand the implications of their actions. If we are going to be truly effective at maintaining our own privacy and security we must also find a way of educating home network users to ensure they have the ability to protect their home networks. It is in the interest of all organisations to ensure their team members also have secure home networks so there are benefits for businesses to include home network security awareness training for their team members.
But, how do we educate all of those people deploying their own DIY networks with no business connections and with no access to IT professionals such as the elderly or the disabled. The internet may be their only connection to the outside world to communicate with friends and family and to do their shopping. For many, the internet is their world. We all need to do more to help vulnerable people access their online worlds safely. Some old people’s clubs and community groups have IT volunteers assisting with the setting up and securing of home networks for their service users, but is this enough?
I believe this requires a multi-tiered approach from the manufacturer down. For example, manufacturers should stop deploying equipment with a default password (e.g. “password”). Some manufacturers get around this by having random unique passwords of every single item they produce. This is a good start and will afford a basic level of protection if the device is inadvertently left with its default settings. Some manufacturers are clearly not interested in our security or privacy, they just want to manufacture their equipment as cheaply as possible and to ship them at a low cost to a mass market. I appreciate it isn’t going to be easy to stop prevent this, but distributors and resellers could take some responsibility and issue warning notices with any network attached equipment informing shoppers of the dangers of deploying network attached devices without taking adequate steps to secure their product. This may encourage well intentioned manufacturers, distributors and resellers to publicise the security features of their products. As consumers we can take the time to share our experiences about the security aspects of devices we buy to inform other buyers of the risks and to encourage potential buyers to buy alternative products from reputable suppliers.
Taking small steps such as this has the ability to significantly reduce the amount of internet real estate available to cybercriminals. We all just need to do what we can to progress this.