The Internet of Things (IoT) has a universally negative reputation for security. Low-cost, tiny, and low-power devices are not going to come with the same resources that a high-powered computer does. Even if manufacturers wanted to enhance security (which they likely don’t), the low cost and widespread nature of these devices prevent them from incorporating many effective security measures. And even if manufacturers could implement these practices, there’s a good chance the average consumer wouldn’t be able to. Therefore, if you purchase a Wi-Fi-connected device, it’s advisable to assume that it is not safe.
These devices have many practical aspects to consider, particularly if you own several of them. Regardless of BUM (broadcast, unicast, multicast) traffic configuration, excessive BUM traffic can hinder network and router performance. If every device on the network addresses and processes BUM traffic, even a well-performing network may experience router overload. Broadcast and multicast traffic can slow down a home network.
Here are some suggestions—shared randomly and not in any order of priority—that may help you set up IoT devices on your home network in a way that’s safe and secure. The suggestions encompass a variety of methods to guarantee the safety of your devices, ranging from isolation measures to direct inspection of devices exhibiting suspicious behaviour.
1. Establish a different VLAN for Internet of Things devices.
The single most important piece of advice for ensuring the security of your IoT devices is this: Keep them segregated on the network.
This straightforward step has a number of benefits, each of which contributes to your overall security posture. It keeps a malicious user from using a compromised IoT device as a launchpad to attack other devices. It also directly impedes any effort by the bad guys to monitor network traffic and glean useful intelligence. Additionally, it significantly reduces the scope of what a compromised device can affect.
The standard practice for achieving this is to set up virtual LANs (or VLANs) and put your IoT devices on them. This keeps their traffic separate from that of your other devices. Typically, you configure VLANs on your router, and the functions available to you vary depending on the type of router you own and its configuration. This YouTube video provides a decent example of how to set up a VLAN.
2. Purchase items from well-regarded brands.
One aspect of the issue with IoT devices is their ease of production; they are often white-label products—and effectively black boxes, with scant public documentation. An almost perfect storm of conditions arises, making it practically impossible to assure the usability and security of these devices. These conditions collectively either prevent security researchers from testing these devices and thereby holding manufacturers accountable, or force us, as consumers, to test these devices by using them on a daily basis and relying on our own judgment.
An individual can conduct a certain number of tests independently. This would involve closely watching the kinds of data flowing into and out of the device to check fundamental security signs—like whether the device is using some form of HTTPS—and attempting to see exactly what sorts of remote interactions the device is having. However, this is merely a basic form of security testing. It’s better than nothing and might flag a few truly egregious devices. But I wouldn’t count on it to catch everything.
Therefore, it is worthwhile to purchase products from reputable brands, even if they come at a higher price. When it comes to buying devices for your home, we would hope that most manufacturers are keeping their web portals secure and are regularly updating the software for those devices, which would lessen the chance of a security breach.
3. Change the default usernames and passwords.
People often ignore this age-old recommendation. Many people do not seem to realize that IoT devices, not just computers, need protection. Whether it’s your router or your lightbulb, they all do what any computer does: connect to the internet and listen for commands. If the default credentials are all it takes to issue those commands, it won’t take long to craft an exploit to gain access to your network. If the security of your network is strong enough, it will only take fifteen minutes to an hour.
Use a password manager to keep track of your randomized passwords so that even a determined attacker who watches your house from across the street will have a hard time duplicating your password.
4. Turn on two-factor authentication for web accounts.
Most internet-connected devices (smart or otherwise) offer a cloud-computing component that allows you to manage them from an online account. Make sure to protect these accounts with strong, reliable two-factor authentication, as they are just as crucial as any other account in your life. That will keep an attacker from using a compromised cloud account or a reused, stolen password to breach your network.
This is an especially smart move if what could potentially be compromised is something like a home camera or an internal security system.
5. Turn off IoT devices that you aren’t using.
When not in use, power down IoT devices to improve security. This isn’t a strict mitigation measure, but rather a ‘security through obscurity’ step that conceals your devices when they’re not in use.
If you’d like to be a little more strict with security, then think about limiting access to your IoT devices at certain times of the day. If you’re going to be out of your house for a while, consider turning off any devices that you won’t need until you return.
6. Watch for unusual traffic from your devices.
The best first step in securing your smart home devices, if your router supports it, is to monitor the traffic they generate. This may involve tracking how much data is sent to and from devices, what ports they use, and whether they’re chatting with other network devices. Pay special attention to the times and patterns of their internet use. If some of your devices start using the internet a whole lot more, especially at irregular times or in random bursts of minutes or hours, that’s a good indication that something bad is going on with them.
There’s no strict guideline for the amount of traffic a device should use. Uploading traffic is roughly equal to downloading in terms of usage. For example, a video streaming device delivering 480p video will consume approximately 400MB of data per hour. A lamp that you control, and that only needs to know when to turn on and off, uses no significant bandwidth.
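The checks described in this tip, written out as an added example (not code from the original article): learn each device's normal hours, ports and hourly volume, then flag spikes, odd hours, new ports and conversations with other devices on the LAN. The flow-record layout, the 192.168.1.0/24 subnet, the thresholds and all names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import median

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet

# Constructed sample flow records (not real captures):
# (day, hour, device, destination IP, destination port, bytes up, bytes down)
FLOWS = [
    (1, 9, "lamp", "203.0.113.10", 443, 2_000, 1_500),
    (1, 21, "lamp", "203.0.113.10", 443, 2_200, 1_400),
    (2, 9, "lamp", "203.0.113.10", 443, 1_900, 1_600),
    (2, 20, "lamp", "203.0.113.10", 443, 2_100, 1_500),
    (3, 3, "lamp", "198.51.100.7", 8081, 48_000_000, 90_000),  # night-time burst
    (3, 3, "lamp", "192.168.1.20", 80, 12_000, 800),  # talks to a LAN host
    (3, 20, "lamp", "203.0.113.10", 443, 2_000, 1_500),  # normal check-in
]

def find_anomalies(flows, learn_days=2, factor=10, floor=100_000):
    """Learn each device's habits from the first learn_days, then flag later flows."""
    hourly = defaultdict(lambda: defaultdict(int))  # device -> (day, hour) -> bytes
    ports, hours = defaultdict(set), defaultdict(set)
    for day, hour, dev, dst, port, up, down in flows:
        hourly[dev][(day, hour)] += up + down
        if day <= learn_days:
            ports[dev].add(port)
            hours[dev].add(hour)
    alerts = set()
    for day, hour, dev, dst, port, up, down in flows:
        if day <= learn_days:
            continue
        learned = [b for (d, _), b in hourly[dev].items() if d <= learn_days]
        # Spike threshold: factor x the median learned hour, never below the floor.
        limit = max(floor, factor * median(learned)) if learned else floor
        if hourly[dev][(day, hour)] > limit:
            alerts.add((dev, day, hour, "volume spike"))
        if hour not in hours[dev]:
            alerts.add((dev, day, hour, "unusual hour"))
        if port not in ports[dev]:
            alerts.add((dev, day, hour, f"new port {port}"))
        if ipaddress.ip_address(dst) in LAN:
            alerts.add((dev, day, hour, f"LAN peer {dst}"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_anomalies(FLOWS):
        print(alert)
```

The floor keeps a quiet device such as a lamp from raising an alert every time its tiny baseline doubles; tune it and the factor to what your own devices normally do.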
Why home security matters
Home security often doesn’t feel like a pressing issue. However, if you are considering implementing a smart home or incorporating any type of Internet of Things into your life, you should prioritize home cyber security. The potential risks may exceed your initial expectations. All it takes is one poorly secured device for someone to access your network—and from there, to access your life. But by being a little vigilant and knowing what kinds of devices are secure and which aren’t, you can raise your home’s cyber security to a level that feels a lot more comfortable.