Thinking About Purchasing IoT Devices? – Here Are Some Tips Before You Buy…
“IoT Security” is a topic that makes my blood pressure spike. I’ve done a couple of newsletters about this and looking back, most of them had really nothing good to say about the whole mess.
I even did a newsletter about FBI recommendations on IoT Security. Their propositions CLAIMED to be for everyday people. If that was the case, they totally missed the mark. Most of their suggestions were useful and offered sound security guidance, but they were suited to organizations. They were beyond what you could reasonably expect of a typical home IoT user.
It’s about time I tried to give actual useful advice regarding consumer grade IoT devices.
So, I’ve put together some advice. Nothing major, but it does mean you need to do a little bit of research before you go about purchasing a device. For the sake of any example searches in this article, I’ll use TrendMicro as a sample manufacturer:
- Internet-connected devices default login credentials should be unique
When you do a factory reset on a device, it returns to a default state. Sometimes the administrator login credentials in that state are unique, but defaults like Admin/admin or admin/password are not uncommon. The default password should be something unique to each device, like the serial number. Finding the default credentials can be a little tricky: sometimes they are tied to the model or product line, so you may need to do a little snooping around. A search that includes the manufacturer and model is a good place to start, something like “TrendMicro M200 default administrator login.” If the device is at all connected to the Internet (not necessarily accessible from it, but connected to it), then this is very important.
- The factory reset procedure should require physical access
If you can connect to the device over the network and initiate a factory reset, that is something that could potentially be exploited. A reset procedure that requires something physical, like holding down a button for a few seconds, means an attacker shouldn’t be able to reset the device remotely, as they would need physical access to it (which is a whole different set of problems). The factory reset procedure should be easy to find with a search on the model, something like “M200 factory reset procedure.” Often you will find the factory reset procedure and the default login details at the same time.
Factory reset procedures and default login information are public information. This is true for consumer grade devices as well as enterprise class equipment, so you should be able to find both without too much effort.
- Manufacturers should have a public point of contact for anyone to report a vulnerability
Having a method for someone to report that they have found a vulnerability in one of your products is a good sign. Not all organizations make this easy to find, but try doing Google searches with the manufacturer, not the model or device. A search like “TrendMicro report a vulnerability” would be a good start. Also, remember that search engines are designed to work with full sentences, so a search like “How do I report a vulnerability with a TrendMicro product” will work as well.
- The manufacturer must disclose how long they will support the device
You should be able to find this information somewhere on the manufacturer’s website. Each model ought to have an “end of support” and/or “end of life” date. Some outfits make this information easily accessible to the public; others only keep it behind a user login. Having a specific EoL date means you can plan for how long the device will be supported (and presumably updated). To find this, a Google search that includes the manufacturer and model should provide results, something like “TrendMicro M200 EoL.”
Knowing how long a device will be supported is vital. The rest of my advice covers things that “should” be the case: things that are good, but not required. If there’s no advertised end-of-life or end-of-support date, there’s no way to tell how long the company will back the gadget. They could stop supporting the appliance after a week, because it’s not selling, or tomorrow, because it’s a Thursday. This means you should seriously consider not purchasing the device if you can’t find this information.
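To make the decision rule above concrete, here is an added example (not from the original article) that scores a device against the four criteria: a missing or expired end-of-support date is a hard “do not buy”, while the other three only lower the verdict to “buy with caution”. The `DeviceFacts` fields and the 24-month minimum support threshold are my own assumptions; the “M200” model name is the article’s sample.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed names and threshold (not from the article): a device is only a
# clear "buy" when every criterion is confirmed and at least min_months of
# vendor support remain.

@dataclass
class DeviceFacts:
    model: str
    unique_default_credentials: Optional[bool]     # None = could not find out
    reset_requires_physical_access: Optional[bool]
    vulnerability_contact_published: Optional[bool]
    end_of_support: Optional[date]                 # None = no published EoL/EoS

# The three "should" criteria; the EoS date is handled as a hard requirement.
SHOULD_HAVE = [
    ("unique_default_credentials", "unique default login credentials"),
    ("reset_requires_physical_access", "factory reset requires physical access"),
    ("vulnerability_contact_published", "public vulnerability reporting contact"),
]

def months_of_support_left(end_of_support: date, today: date) -> int:
    """Whole months from today until end of support (negative if already past)."""
    months = (end_of_support.year - today.year) * 12 + (end_of_support.month - today.month)
    if end_of_support.day < today.day:
        months -= 1
    return months

def assess(device: DeviceFacts, today: date, min_months: int = 24):
    """Return (verdict, reasons) for a device using the article's criteria."""
    if device.end_of_support is None:
        return "do not buy", [f"{device.model}: no published end-of-support date"]
    left = months_of_support_left(device.end_of_support, today)
    if left < 0:
        return "do not buy", [f"{device.model}: support ended {device.end_of_support}"]
    reasons = []
    if left < min_months:
        reasons.append(f"only {left} months of support left (wanted {min_months})")
    for attr, text in SHOULD_HAVE:
        value = getattr(device, attr)
        if value is None:
            reasons.append(f"could not confirm: {text}")
        elif not value:
            reasons.append(f"missing: {text}")
    return ("buy" if not reasons else "buy with caution"), reasons

if __name__ == "__main__":
    # Constructed sample: the article's "M200" with an assumed 2026 EoS date.
    sample = DeviceFacts("M200", True, None, True, date(2026, 6, 30))
    print(assess(sample, date(2024, 1, 1)))
```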
The truth of the matter is that for many consumer grade IoT devices you won’t find any of this. That’s because consumer grade IoT equipment is very inexpensive. If you don’t need the functionality provided by the IoT equipment, then don’t buy it. If nothing else, it’s an unnecessary risk. If you’re going to buy something, then be smart about it. Do some research first and make an informed purchase. Reviews are handy, but they really don’t tell you the whole story.
If you have any questions about buying IoT equipment, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.