IoT Security Solutions: Secure your Smarthome, Smart TV, Alexa, and More!

We are all going to need IoT security solutions at some point or another, and this goes well beyond smartphones as everything from your Alexa to your smart-fridge is collecting data which can potentially be leaked. This data can include anything from your daily habits, which can be exploited by all manner of criminals, as […]

We are all going to need IoT security solutions at some point or another, and this goes well beyond smartphones as everything from your Alexa to your smart-fridge is collecting data which can potentially be leaked. This data can include anything from your daily habits, which can be exploited by all manner of criminals, as well as passwords and usernames which can be exploited by hackers of any skill level.

IoT security is a real issue. As more and more of the items in your house connect to the Internet, you need to consider whether or not their convenience comes at the cost of privacy, and if you can do anything to get more privacy once you have them. Keep reading to discover the risks, and what you can do to mitigate those same risks.

IoT security solutions: Why they’re needed

The International Data Corporation predicts that spending on IoT devices will hit 1 trillion dollars by 2020. This includes smartphones, smart TVs, tablets, Alexa and other personal assistants, smart toys, and even smart fridges.

While we all enjoy the convenience of these devices, we rarely think about how these devices have microphones listening to you all the time. Some even have cameras watching your every move.

IoT devices are like any other piece of equipment with software in that they all they have weaknesses which hackers can exploit. What you need to do is make it difficult for hackers to penetrate your IoT devices so that they move on to an easier target.

The problem with having many smart devices

Technically, ‘smart’ devices started with your computer, which was once not much more than a smart typewriter. That became the first target for hackers looking to steal digital information which was now available to them, when before what was written was analog and had to be stolen the old fashioned way.

As more and more devices become ‘smart’ with a Wi-Fi connection, hackers are being given access to more and devices with information they can steal and exploit. More access points leads to more chances of having your privacy broken, and secrets stolen (yes, we all have secrets. Bank cards, credit card numbers, usernames and passwords) to be exploited. Scenarios to consider:

• Timing: Something as simple as when you open and close your fridge can tell a hacker when you’re home and when you’re not.
• Habits: The adjustment of your thermostat can tell when you’re gone for work and home again, while your daily habit changing can indicate you’re leaving for longer, such as a vacation.
• Cameras: A security camera in a baby’s room is nice, but one which is unsecured can be hacked and allow any manner of pervert access to private moments with your children.
• Microphone hacks: Anything with a microphone can be hacked for malicious listeners to get information about you. Have you ever read your credit card number out loud on a secure phone line… while standing next to your Alexa? They record everything you say to it and store it online! This can also be said of your smart TV, or any other smart device with a microphone, if a hacker is skilled enough.

Those are some of the most basic hacks, and hackers are certainly coming up with new ideas and exploits right now.

What is causing this to escalate?

The biggest issue here is that while your computer and smartphone have had years to develop security tech, your other smart devices have not. What’s worse is that people who develop, let’s say, a smart fridge are not as security conscious as those building a smartphone – they just don’t exist in the same worlds.

Many smart home devices have no authentication procedures, and no encryption, built into them. Some manufacturers are cutting corners with their smart tech, adding it as an after-thought, and security is always a cost to cut. It’s nice when things are less expensive, it’s less nice when they’re hacked so that a pervert can move your security camera to watch you breastfeed your child.

IoT toys have such poor security that it’s a joke:

IoT security solutions: Updates

The easiest way to make sure you stay secure is to watch for notifications to update. Yes, they’re annoying. Many of these updates are focused on patching vulnerabilities, so you need to stop seeing them as a hindrance and instead see them as an opportunity to protect yourself.

What else needs to be updated? Your username and password. All too often people keep the factory settings on this, which can be as simple as “admin” for both the username and password, and you don’t even have to be a hacker to get around that.

In fact, this is largely how the Mirai Botnet Attack played out in 2016:

• 1. This was a DDoS attack which targeted IoT devices.
• 2. The botnet scanned large blocks of the Internet.
• 3. It isolated open telnet ports associated with IoT devices.
• 4. The botnet then used 61 common usernames and passwords which were used as the factory defaults for those devices.

This attack has resulted in next-to-nothing being done. There are still firmware updates being sent out with no encryption, servers are storing plain text, and passwords are stored with no protection and are rarely changed from default. You have to take care of these updates, or you’ll be the victim of a botnet.

IoT security solutions: Encryption

At this stage, the only person who is really going to protect your IoT devices beyond basic updates is you. Even the US government’s current best effort for minimal IoT security standards only applies to equipment purchased by the government, it doesn’t actually cover regular commercial goods. Their hope is improved security standards for government IoT devices will lead to better standards for commercial goods, essentially creating trickle-down security standards. We all know how well that works…

What’s even worse is legislators do not understand technology. At all, on any level. Always remember these exchanges:

We. Sell. Ads. It’s encrypted, we can’t read it. The most basic, basic stuff goes over their head.

How to encrypt your IoT devices

You need to start encrypting your connection, as a basic, and the way to do that is by getting a VPN and installing it on your router. This will encrypt absolutely everything that connects to it, including your IoT devices.

While this won’t force encryption on the servers where your data is stored, it will put a stop to man-in-the-middle attacks, and other types of snooping, on your devices. Many IoT devices don’t offer this minimal amount of protection, but you can clamp down and secure absolutely everything which connects to your router with the use of a VPN router, or by installing one on your existing router.

Here are two providers we recommend for their VPN router tech:

Router firewall

On the subject of routers, where your IoT devices connect, it’s also important to be sure to purchase a wireless router with a network firewall. They will help block attacks over your router, protecting everything, adding a layer of security.

Don’t feel that you’re invincible with a firewall as it is not an antivirus program. You can still be hacked via a phishing attack through email, or messaging apps on your IoT devices. You still need to take regular precautions in regards to messages, link clicking, and downloads.

IoT security solutions: Be careful with apps

We all know that hackers are ‘the bad guys’ who steal your personal information and use it to commit identity theft, and get access to your financial data. They’re ‘the bad guys,’ we can see that.

What you don’t see are the corporations collecting your data and storing it improperly. They’re ‘the bad guys’ here as well, but they’re wealthy and powerful so they get written off as ‘good guys’ who made a ‘mistake.’

What many of these free apps on your IoT devices do is collect your data and store it all in one big, fat, tempting place for hackers. We’ve seen so many security breaches of major corporations over the last few years it has become mundane. It should not be. Here’s how to protect yourself from ‘the good guys’:

• Do you need it: Always ask yourself if an app is actually necessary. We often make rash decisions, especially when something is labelled as free, about what we download. Read some reviews and make sure that the app isn’t a scam riding a trend.
• Data collection: Read over the terms and conditions and see what you can find about data collection. See how it’s collected and stored. If it seems like they’re collecting excessive data, try to find another app which performs the same function and compare them.
• App permissions: Watch for the permissions they ask. Many apps will ask for permission to view other apps and functions on your devices which they have no business needing. Deny them and protect yourself that little bit.
• History: See if the app you’re using allows you to delete your history. Do this periodically, about once per month, to minimize potential data leaks via their data storage facility.

We all like apps which make our lives easier or more entertaining, but each app we download is another point of vulnerability. Not only are we more vulnerable with more apps, but third-party apps are usually less secure than native apps which come with the device.

IoT security solutions: Fixing you

The best VPNs out there currently use AES-256 encryption, and this is true of some of the best companies out there who build IoT devices. It’s only possible to crack this encryption with a NSA-level supercomputer running non-stop for a year or longer. Cybercriminals don’t have the time or resources for that, so they go after a much softer target… you!

Many data breaches happen because of people making the wrong choices. Here are a few important things to look at in regards to buying and keeping new IoT devices:

• New companies: Smaller companies with new IoT devices are exciting, but if they go out of business you will not get updates on your devices. By all means support new endeavours after some research, but once those companies close down you may need to look at whether or not you need to set their product aside as well.
• Change defaults: Passwords and usernames must be changed from their default. If you have to, use a password manager app to track your passwords in a secure manner. Hackers often get access to the default passwords of apps and devices, it isn’t hard, and then do brute force attacks to try and force their way in. What’s worse is they will usually have a list of common passwords, think “password123” as an example, and will use those in a brute force attack as well.
• Security questions: Change all security reminders to something that someone can’t just find on Facebook. Your mother’s maiden name, your high school, what road you grew up on, if it’s on Facebook it’s not secure to use as a security question.
• Phishing attacks: Unsolicited emails and pop ups asking for your username and password should always be regarded with caution. If you’re ever in doubt, be cautious and contact the support of the app or device. Phishing attacks are a human-error centric attack, and this is how they’re carried out.

These are all IoT security solutions which rest on you not making a mistake. They’re basic security measures that you must take with every device and app.

IoT security solutions: Securing Alexa and Google Assistant

The two biggest security concerns when it comes to IoT security are the two most popular devices: Alexa and Google Assistant. They are a victim of their own popularity because hackers love to target popular devices, and will stay up to date on their vulnerabilities so that they can exploit as many people as possible with the least effort.

Not only are they tempting targets due to how many people use them, but they’re even more tempting because of how much data is stored on them. Both of these companies are driven by data, so you can be sure that they are recording every datapoint possible. These devices do have decent security measures, but one little fault can lead to a cascade of data theft.

Securing Alexa

The Amazon Echo, known by the device’s activation word Alexa, is an ‘always on’ device. It constantly monitors your conversation while waiting for the activation word, and deletes all recordings of you second by second until the activation word is spoken.

The problem is that it can hear the activation word by mistake and start recording. This is more common than you think as a writer for The Washington Post reported that his always-on devices record him without the proper activation word being spoken at least once per week. You’ll never know if Alexa hears the word, starts recording, and then, let’s say, sends the recording to someone random on your contact list. Yes, this has happened. The random laughs are, well, unsettling.

Here are ways to better secure Alexa:

• Amazon password: Alexa is run through your Amazon account. You need to have a strong Amazon password to protect yourself against people gaining access to your account as they can make purchases and hear your voice recordings.
• Minimize leaks: Delete your voice recordings once per month to minimize potential leaks. Go to Setting > Alexa Account > Alexa Privacy to delete individual recordings, or all at once. Alexa can even remind you to do this. You can also visit https://www.amazon.com/alexaprivacy for more.
• False positives: Change your activation word to one of the other options if it activates when you don’t want it to. Those with a child/spouse/friend named Alexa will concur that this is a good idea.
• Turn it off: During the most sensitive times, when you’re sharing data or saying things you want private, turn the microphone off. If you’re making a call that will include your credit card or banking information, turn off the mic or leave the room. Have a date coming over and you’re feeling ‘in the mood,’ well, be careful unless you want to record those intimate moments.

These are steps you can take to better secure Alexa, who records a tremendous amount of data about you both on purpose and by accident.

IoT security solutions: Google Assistants

Google Assistants are much like Alexa in that they’re always listening, so much of what was covered above applies here. There are a few unique features that can help you stay more secure though:

• Connected accounts: Be careful with how many personal accounts you connect to your devices. You become more vulnerable as you connect more services that can be compromised through a Google data center breach.
• Voice protection: Set up Google Home’s voice-match feature right away. This allows you to make it so Google recognizes the voice of authorized users, and ignores those who aren’t, when it comes to personal data.
• Delete recordings: Delete old recordings in the My Activity section of your Google Account. All of your conversations with Google will be stored on their servers until they are manually deleted.
• Two-factor: Activate two-factor authentication on your Google account. This will secure your entire Google experience with one extra layer of security, and your Google Assistant will be included.

As was said above, in a rather colorful manner, turn off the microphone or go to another room for sensitive conversations. Sometimes, the simplest security is the best security.