November 24, 2021
As we’re looking at another Black Friday, we can expect consumers to expose themselves to more cybersecurity threats thanks to their purchases. This article will look at how everyday buyers can improve their security by making better choices about buying smart and IoT devices on Black Friday.
What’s the Risk? Theory and Practice
What is the difference between theory and practice? In theory, nothing. But in practice …
This saying is especially true in risk management.
For proper risk management, you need to calculate the risk of an event by determining its likelihood multiplied by its severity and checking whether it is an acceptable or a catastrophic risk for you.
RISK = LIKELIHOOD * SEVERITY.
Insurance companies might be good at determining the likelihood of a natural disaster like a fire or a flood, but it is a very different calculation when we consider IT security threats. Two key factors that make it extremely difficult are the ever-increasing complexity of IT systems and the ever-changing tactics and tools of the attackers.
Determining IT risks is somewhere between an art form and an exercise in futility. The best we can do is analyze what happened in the recent past and assume that similar things might happen in the near future. Longer-term historical risk analyses are of little use: a mere decade ago, the risk of a ransomware attack was negligible, and now it is the No. 1 threat most companies are facing.
And that is the gist of the theory behind IT risk assessments. Yet, in practice, average Joes keep rolling the cybersecurity dice with each new smart device purchase.
Consumers are unlikely to do the math before buying their new smart devices and, instead of asking themselves “am I increasing the risk to my smart home by buying this smart gadget?”, will choose products based on arbitrary things, such as packaging quality or celebrity endorsements.
If you would like to be an exception and don’t want to expose yourself or your family to more cybersecurity risks, there are several things you can do better for this year’s Black Friday.
The Risks You Might Face
First, let’s review the common risks smart home users are facing nowadays:
- A device is hacked and used in a Distributed Denial of Service attack. The effects can range from a slow Internet connection to the ISP cutting off your service.
- A hacked device is used as a proxy for malicious purposes, like hacking other devices or distributing spam.
- Data on the smart device is hacked, encrypted, and a ransom is demanded.
- Attackers spy on your family through an IP camera, baby monitor, or smart doorbell.
- The smart home gadget stops working without cloud connectivity.
This list is not exhaustive but represents the range of risks smart homes are facing. To protect ourselves against these threats, we have to be aware of how attackers can hack our devices.
At a high level, an attacker must somehow connect to your device and execute malicious code on it. That connection can be made directly from the Internet, through another device in your home, or through the cloud. Which of these paths a gadget opens is a key question to ask before buying it.
Smart Gadgets Directly Reachable from the Internet
The worst device you can have is one that has its port(s) open to the Internet, making it accessible to everyone. This can happen through router misconfiguration, insecure default router settings (e.g., UPnP enabled, the device placed in the DMZ), or a conscious decision.
That last part – opening remote access to a device – happens quite often when the user wants to use the IP camera to see what is going on at home, and the device is not cloud-ready. The easiest and most insecure solution for such users is to configure the router to allow all incoming connections from the Internet to the camera.
The ever-evolving Mirai botnet demonstrates how bad this can be by infecting hundreds of thousands of IoT devices over the years. These devices are mostly IP cameras, doorbells, baby monitors, DVRs, NVRs, smart locks, NAS, and routers. They are the ones that are most often designed to be remotely accessible.
Smart Gadgets With a Cloud Connection
Remotely accessible smart devices are often neither user-friendly to configure and operate nor a way for the vendor to collect user data, so many vendors have moved to the cloud wherever they can. Such devices offer easy setup, easy mobile access, and easy access to the user’s data.
With these devices, you fully trust the vendor and anyone operating the cloud servers with your data. A recent hack of the cloud-connected security camera startup Verkada should give you an idea of how centralizing user data might actually make the cloud provider itself into a high-value target.
It also makes your device dependent on the cloud provider. Many gadgets might lose their functionality if the vendor shuts down its cloud services, and even Google Nest has outages, which might interfere with your smart home security in unexpected ways.
Smart Gadgets Hacked Through Another Device
According to our research, hacking smart devices through other devices in a network is very rare. Nevertheless, we see botnets that are spreading laterally, like the Krane malware.
In the future, as fewer devices become remotely accessible, we can expect attackers to change tactics. Some devices (like routers) are already at risk from these attacks, while other attack vectors have so far only been demonstrated by researchers. This is an alarming trend for smart home security, as a single compromised gadget (e.g. a garage sensor) might allow an attacker to access valuable data on a NAS or other important devices.
Are Some Devices Safer than Others?
Our data shows that, in general, gaming consoles are some of the safest connected devices, along with set-top boxes provided by cable companies, as well as modern mobile devices: smartphones and tablets built by trusted vendors.
This might be a bit surprising, but there is a rationale behind it. Game console developers are incentivized to provide proper copy protection and prevent game piracy. Cable providers are incentivized to protect their premium channels. And, luckily, the smartphone market is dominated by relatively security-conscious developers and companies (Apple and Google).
Act Now and Avoid Headaches After Black Friday
Here’s a short list of things you can do to improve your smart gadget cybersecurity.
- Don’t buy devices you don’t need
- Buy devices from vendors you trust
- Disable UPnP on your router
- Don’t put devices into your router’s DMZ – game consoles are fine as long as you patch them
- Do not forward ports for smart gadgets on your router
- Change default credentials and use unique passwords for each device. Store passwords securely in a separate, encrypted management solution.
- Do not skip updates: install all available patches
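As an added example (not code from the original article or its author) serving both the section on gadgets directly reachable from the Internet and the UPnP and port-forwarding items in this checklist: a small Python audit that parses the GetGenericPortMappingEntry responses a UPnP IGD router returns when asked to list its port mappings, the same mechanism a gadget uses to punch a hole through your router, and rates each mapping by how widely it exposes the device behind it. The sample responses, the port labels and the severity scale are constructed assumptions.

```python
import xml.etree.ElementTree as ET

IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Constructed envelope shaped like a router's GetGenericPortMappingEntry reply.
TEMPLATE = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse xmlns:u="%s"><NewRemoteHost>{rh}</NewRemoteHost>'
            '<NewExternalPort>{ep}</NewExternalPort><NewProtocol>{pr}</NewProtocol>'
            '<NewInternalPort>{ip}</NewInternalPort><NewInternalClient>{ic}</NewInternalClient>'
            '<NewEnabled>{en}</NewEnabled><NewPortMappingDescription>{de}</NewPortMappingDescription>'
            '<NewLeaseDuration>{ld}</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>') % IGD_NS
# Constructed samples: a camera's web UI and RTSP stream open to the world permanently,
# a NAS reachable from one remote address for an hour, and a disabled console entry.
SAMPLES = [
    TEMPLATE.format(rh="", ep=8080, pr="TCP", ip=80, ic="192.168.1.50", en=1, de="IPCAM", ld=0),
    TEMPLATE.format(rh="", ep=554, pr="TCP", ip=554, ic="192.168.1.50", en=1, de="IPCAM RTSP", ld=0),
    TEMPLATE.format(rh="203.0.113.7", ep=5000, pr="TCP", ip=5000, ic="192.168.1.20", en=1, de="NAS", ld=3600),
    TEMPLATE.format(rh="", ep=3074, pr="UDP", ip=3074, ic="192.168.1.10", en=0, de="Xbox", ld=0),
]
# Labels (ours) for internal ports typical of the gadget classes the article names.
SERVICE_LABELS = {80: "web UI", 443: "web UI", 554: "RTSP video", 23: "telnet", 5000: "NAS UI"}
FIELDS = ("RemoteHost", "ExternalPort", "Protocol", "InternalPort", "InternalClient",
          "Enabled", "PortMappingDescription", "LeaseDuration")

def parse_mapping(soap_xml):
    """Return one port mapping (keys = IGD argument names without 'New') from a SOAP reply."""
    resp = ET.fromstring(soap_xml).find(".//{%s}GetGenericPortMappingEntryResponse" % IGD_NS)
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntry response")
    # Child elements are unqualified; an empty <NewRemoteHost/> means any Internet host.
    m = {f: (resp.findtext("New" + f) or "").strip() for f in FIELDS}
    for port in ("ExternalPort", "InternalPort", "LeaseDuration"):
        m[port] = int(m[port] or 0)   # LeaseDuration 0 means the mapping never expires
    m["Enabled"] = m["Enabled"] == "1"
    return m

def audit(mappings):
    """Rate each enabled mapping by how widely it exposes the LAN device behind it."""
    findings = []
    for m in mappings:
        if not m["Enabled"]:
            continue                  # disabled entries are not reachable
        if m["RemoteHost"]:
            severity = "low"          # only one Internet address may connect
        elif m["LeaseDuration"] == 0:
            severity = "high"         # anyone may connect, and the hole never expires
        else:
            severity = "medium"       # anyone may connect until the lease runs out
        service = SERVICE_LABELS.get(m["InternalPort"], "port %d" % m["InternalPort"])
        findings.append((severity, m["InternalClient"], service, m["PortMappingDescription"]))
    return findings
```

Feed it the replies from enumerating index 0, 1, 2, ... of your router's WANIPConnection service (what miniupnpc's `upnpc -l` does) to see which devices are already exposed; anything rated high is a candidate for the "disable UPnP" and "do not forward ports" items above.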