This article was first published on Friday, December 2, 2022 in my weekly newsletter.
This week, we learned that Anker, the company behind connected device brand Eufy, actively lied about serious security flaws in its smart home cameras. In the meantime, I’ve spent the past few days immersed in discussions about privacy and cybersecurity.
So I thought it was probably a good time to explain what I do to protect my home network and how I think about the risks of using various connected devices in my daily life. Feel free to use all of this for your own use and ask questions (or tell me about flaws in my thinking) at stacey at staceyhigginbotham dot com.
I get a lot of questions about the security of certain devices, usually from someone who wants to buy a smart gadget and is worried that it might be “hacked”. If the device is a camera, the applicant usually wants to be sure that it will not be used to spy on them inside their home. And if it’s a smart plug, they’re most worried about a bad actor controlling the device over the internet – think unlocking a smart door lock or turning a light on or off using a vulnerable smart plug.
Few worry that their devices are part of a botnet or that a device could be used as an entry point into the network and then as a means to deliver ransomware to a personal computer or exfiltrate data. But the first scenario is the most likely result of a vulnerable device being discovered on the network. The second scenario is the one that worries me the most. It’s partly because I don’t have cameras inside my house.
So, for those of you who are worried about your cybersecurity, I would suggest starting by assessing your risk profile and getting a general idea of the most common “hacks”. Most of us have a fairly low risk profile. We are not government employees in top secret agencies or Apple engineers designing competitive hardware. These people are extremely susceptible to being hacked by people who have the time and money to target them.
But for most of us, the biggest “hacks” to worry about are those that are one-to-many and those that are so easy and public that anyone can spend a few minutes and access our devices. With that in mind, I’ll also stop using the word “hack” indiscriminately, because many of the events reported as smart home device hacks are really just a lazy stranger logging on and taking over. a device because it found someone’s credentials on a website somewhere. (probably as a result of an actual hack) or they guessed their password was 1234.
So to avoid those lazy alien hacks, the advice I have is twofold. First, use multi-factor security on important devices like cameras and Wi-Fi door locks. Second, use unique passwords for your connected devices. That way, when your grocery store loses your password and email address, those credentials won’t work to access your smart camera. If someone gets the passwords, with MFA enabled, they have a difficult step to take to control the device.
One-to-many hacks are those in which a malicious actor can remotely access a device by taking advantage of a vulnerability they have discovered. The bad actor may have developed the vulnerability themselves or found it online in a forum. When I read about new vulnerabilities, I look for those that can be exploited remotely, without needing to physically access a device; those that allow physical control or access to data collected by the device; and those that can modify device software (such as adding malware or exfiltrating data).
Notably, a vulnerability can be as complex as malware or just someone realizing that if they type in a number and go to a website, they can see a camera feed. The Eufy security camera issue is an example of this, as it is a one-to-many vulnerability that can share access to extremely private data (since the device is a security camera). to put into protecting a device or mitigating a vulnerability. Eufy’s flaws are a big deal.
It’s hard, as a normal person, to think that way. But it’s becoming increasingly important, especially if you want to fill your home with connected devices.
Here is how I apply this thought in my everyday life.
I use Multi-Factor Authentication (MFA) on any device that has a camera or takes highly personal data. If a camera vendor doesn’t offer MFA, I don’t buy it. Also, before buying a smart device, I run a quick search on the brand to see how it has handled past security issues. Does it fix vulnerabilities? Sue the person who found it? The first is good. The second in terrible.
I’m also looking for features like encryption, especially of data as it moves from device to cloud, and ideally once the data is in the cloud. When it comes to encryption, more is better. Even something as simple as a light bulb turning on or off can tell if someone is home or not and what room they are in. I can track my husband’s showers by looking at the humidity data from the air quality monitor in our bedroom.
Once I bring a device home, I make sure I can change the password and there are no physical reset buttons that anyone can easily access. Then I plug it in. Once a device is on the network, things get fun. This is where I advocate an extra layer of awareness, especially as your threat model grows and you add more devices.
This is also where services such as Eero’s security subscription, Comcast’s Xfinity xFi Advanced Security or physical devices such as Firewalla or Everything Set come into play. more places someone can access your network. (The security industry calls this a larger attack surface, but I can’t think of my house in terms of attack surface and feel comfortable with it.) I’ve played with most mentioned services and a few others, so look for more reviews and conversations about them in the coming weeks.
Related
#secure #smart #home #devices #home #network #Stacey #IoT #Internet #News #Analysis