Blog / “Good” Advice from the FBI – What Everyone Needs to Know about IoT Security
Not too long ago, our IT Cyber-Security Technician, Karl Buckley, wrote a Newsletter in which he contributed some advice on how to properly manage and deploy your Internet of Things (IoT) devices, which you can find here. He certainly will not be the first, and by no means the last person to make a list like this.
In fact, the FBI (yes, the US Federal Bureau of Investigation) has kindly provided their own list of suggestions for “everyday people”, when it comes to IoT devices. Now they say these suggestions are applicable to anyone, so Karl decided to look himself and was very unimpressed.
So here are the FBI’s recommendations. Each suggestion is evaluated as Karl goes along:
Change default usernames & passwords. Many default passwords are collected and posted on the Internet. Do not use common words and simple phrases or passwords containing easily-obtainable personal information, such as important dates or names of children or pets. OK; good information and solid suggestion. We’re off to a good start with something that’s easy for a novice to grasp.
If you can’t change the password on the device, make sure your wireless Internet service has a strong password and encryption. Hmm… OK, good advice regarding the WiFi password, but how is someone who’s not very knowledgeable about computers supposed to know if a WiFi has strong encryption or not?
Invest in a secure router with robust Security and Authentication. Most routers will allow Users to white-list, or specify, which devices are authorized to connect to a local network. Okay now; hold on. While this is good advice on the surface, white listing devices is not something you expect a person without a decent knowledge of computers or networks to understand and configure properly. While it’s not complicated, this is like saying “Don’t buy a car if you can’t do a break change.” While many people understand the idea, most of us don’t have the skills or tools to accomplish that.
Isolate “IoT” devices on their own protected networks. Again, good advice on the surface. However, the average Home User doesn’t have the knowledge to be able to configure their home router in such a way. The typical device supplied by your ISP is unlikely to let you configure it this way either. This means you probably need to purchase and manage a router of your own (as per the previous recommendation)… in your home… just so you can set up and use IoT devices safely!?!?
Turn devices off when not in use. Most IoT devices are designed to be on all the time. It’s not like you can just turn off your fridge (which can be an IoT device these days), without your food going bad. If you turn off your phone, you can’t receive phone calls. If you turn off your Security System, it won’t work. This is not particularly useful advice for any IoT device, beyond maybe a speaker.
Research your options when shopping for new “IoT” devices. When conducting research, use reputable Web sites that specialize in Cyber Security Analysis and provide reviews on consumer products. Sounds like solid advice, but they don’t provide any sample sites. I’ll tell you, I’m not aware of any site like this, and I’ve looked. With so many different IoT devices available (and new ones coming out all the time), there’s not going to be any site you can find that will have Security-based reviews on them all. While a site like Amazon would have a lot of consumer reviews, they do not have Security ones.
Look for companies that offer firmware and software updates, and identify how and when these updates are provided. Updates for how long? Just because they seem to provide updates right now, this behaviour could change at a moment’s notice, if that IoT device is discontinued, or they simply decide to stop updating it.
Identify what data is collected and stored by the devices, including if you can opt out of this collection, how long the data is stored, if it is encrypted, and if the data is shared with a third party. Sounds good, but how does someone without in-depth computer knowledge check to see if the data being sent from their IoT device is encrypted or not? Also, where do you check to see if the data is being shared with a third party? Most companies are not exactly forthcoming about this sort of information. I mean, I’m sure they respond promptly and accurately to questions from the FBI, but what about the average consumer?
Ensure all “IoT” devices are up-to-date and Security patches are incorporated when available. Once again, we have solid good advice that is well beyond the skills of your average user. The FBI is basically saying that you need to be actively monitoring all your IoT devices and vendors to make sure that every available update is applied. While this is straightforward and easy to deal with for someone with a decent amount of computer knowledge, once again we are looking at a set of skills the average person simply does not possess.
Overall, I agree with the FBI’s suggestions. The problem is that they missed the mark, badly. These are great suggestions for a business with a dedicated IT department. They are also good for a Home User with a solid understanding of computer networking. For the average person, they are well beyond what is reasonable. Investing in special hardware (easily costing $250 or more) simply to make sure it’s “safe” to use IoT devices? After the 1st suggestion, this list pretty much goes downhill in my books.
While it may be true that the Internet and Computer Security would be a lot better if we all had Network Administrator skills, expecting this is simply unreasonable.
If you have any questions about IoT Security, you can always reach out to your TRINUS Account Manager for some stress-free IT.