Thinking of Buying IoT Equipment? Here’s Some Advice…
IoT Security is a topic that makes my blood pressure spike. I wrote a few newsletters about this and looking back, most of them have had nothing good to say about the whole mess.
I even did a newsletter about the FBI recommendations on IoT Security. Their suggestions CLAIMED to be aimed at everyday people. If that was the case, they totally missed the mark. Most of their advice was useful, with good security instructions for organizations, but it was beyond what you could reasonably expect a typical home IoT user to follow.
It’s about time I tried to give actual useful guidance regarding consumer grade IoT devices.
So, I’ve put together some advice. Nothing major, but it does mean you need to do a little bit of research before you go about purchasing a device. For the example searches in this article, I’ll use TrendMicro as the sample manufacturer:
Internet-connected devices default login credentials should be unique
When you do a factory reset on a device, it returns to a default state. Something like Admin/admin or admin/password is a common default login. The default password should instead be unique to each device, like a serial number. Finding the default credentials on the Internet can take a little digging, but it isn’t hard. Sometimes they are tied to the model or product line rather than the exact device, so you may need to snoop around a bit. A search that includes the manufacturer and model is a good place to start, something like “TrendMicro M200 Default Administrator login.” If the device is connected to the Internet at all (not necessarily reachable from it, but wired to it), then this is very important: a shared default password is one that anyone can look up.
The factory reset procedure should require physical access
If you can connect to the device over the network and initiate a factory reset, that is something that could potentially be exploited. A reset procedure that requires something physical, like holding down a button for a few seconds, means an attacker shouldn’t be able to reset the device remotely; they would need physical access to the device (and that’s a whole different set of problems). The factory reset procedure should be easy to find with a search on the model, something like “M200 factory reset procedure.” Often you will find the factory reset procedure and the default login details at the same time.
Factory reset procedures and default login information are public knowledge. This is true for commercial grade devices as well as enterprise class equipment, so you should be able to find both without too much effort.
Manufacturers should have a public point of contact, so that anyone could report a vulnerability
Having a way for someone to report that they have found a vulnerability in one of your products is a good sign. Not all organizations make this easy to find, but try doing Google searches with the manufacturer’s name, not the model or device. A search like “TrendMicro report a vulnerability” would be a good start. Also, remember that search engines are designed to work with full sentences, so a search like “How do I report a vulnerability with a TrendMicro product” will work as well.
The manufacturer must disclose how long they will support the device
You should be able to find this information somewhere on the manufacturer’s website. Each model should have an “end of support” and/or “end of life” date. Some outfits make this data easily accessible to the public; others only put it behind a user login. Having a specific EoL date means you can plan for how long the device will be supported (and presumably updated). To find this, a search that includes both the manufacturer and model should provide results, something like “TrendMicro M200 EoL.”
Knowing how long a device will be supported is vital. Unlike the rest of my advice, which covers things that “should” be true (good, but not required), this one is a must. If there’s no advertised end-of-life or end-of-support date, there’s no way to tell how long the company will back the gadget. They could stop supporting the appliance after a week, because it’s not selling, or tomorrow, because it’s Thursday. So if you can’t find this information, you should seriously consider not purchasing the device.
The truth of the matter is that for many consumer grade IoT devices, you won’t find any of this. That’s because consumer grade IoT equipment is very inexpensive. If you don’t need the functionality provided by IoT equipment, then don’t buy it, as it’s an unnecessary risk. If you are going to buy something, then be smart about it. Do some research first and make an informed purchase. Reviews are handy, but they really don’t tell you the whole story.
At the end of the day, I wouldn’t suggest buying consumer grade IoT devices unless you have no other choice. If you can buy them from an enterprise class outfit (Cisco, TrendMicro, etc.), then go that route. You will wind up paying more in the end, but you won’t get sudden surprises with loss of support. The drawback of doing so is that there are a lot of consumer level IoT gadgets that simply don’t exist at the enterprise level. Also, they aren’t as cheap.
If you have any questions about buying IoT equipment, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.