The Internet of Things is everywhere, and it continues to grow as manufacturers add computing capacity to more and more of their products. All of these Internet-connected devices present a security risk, and it’s a lot bigger than an intruder adjusting a homeowner’s Nest thermostat a couple of degrees. We can all help reduce the security risk associated with IoT by adopting the concept of herd immunity.

Everything Dumb is Smart

At the 2017 Consumer Electronics Show (CES), LG announced that it planned to add “advanced WiFi connectivity” to all of its home appliances. It doesn’t matter if you think you need an Internet-connected toaster—if a device can be connected to the Internet, then it is.  

Computing capacity is so cheap, we can add it to any piece of hardware. This has phenomenal use when we start thinking about computing’s role in our daily lives (a toaster notwithstanding), in manufacturing, and in industrial control systems. Suddenly we can monitor and control anything and everything—from anywhere.  

Unfortunately, Internet-connected devices rarely have security integrated in them. As I perused the showroom floor at last year’s CES, I saw some amazing products, including an $8,000 beach umbrella that moves with the sun. But when I asked manufacturers how they secure their Internet-connected products and the data they collect, it quickly became clear that security is a secondary interest for these manufacturers, if it’s an interest at all.

Smart, But Not Secure

It’s important that consumers and manufacturers understand what’s at risk when devices are connected to the Internet. Often, when people consider security and IoT, they think about someone remotely accessing their Nest thermostat or smart refrigerator. Remote access is certainly a threat when it comes to medical devices. But that’s not a concern for the vast majority of consumers today. The security risk associated with most Internet-connected devices isn’t someone controlling the device itself. After all, what does an attacker have to gain from changing the temperature on your thermostat or refrigerator?

The security issue is that these devices all run on a single LAN—the same LAN your personal computing devices sit on. It’s relatively easy to hack an Internet-connected device to access other systems on the network and obtain sensitive data. An attacker could access confidential files off your office laptop, or obtain tax and other financial records from your personal desktop, simply by hacking the web cam you set up by the front door to prevent a home invasion.

Protecting IoT: It’s Up to You

The concept of herd immunity, which is used by cattle ranchers, illustrates how the majority can reduce the security risk associated with IoT for the whole. The concept of herd immunity basically states that when no cattle are immunized, disease spreads through the population. When some are immunized, disease spreads through some of the population. However, when most of the population is immunized, the spread of disease is constrained. The same concept can be applied to IoT.

IoT Security Recommendations:

1. Put your devices behind a firewall. Attackers can’t affect what they can’t touch. Devices should not be Internet-accessible unless absolutely necessary. A firewall is a starting point for being able to control access and stateful connection.
2. Patch your devices. Once a year, do an asset inventory to identify your Internet-connected devices. Then go to each manufacturer’s website and apply patches as needed.
3. Segregate your LAN. All IoT devices should be on their own VLAN with their own dummy email account, separate from your personal computing devices. A VLAN isn’t foolproof, but it will help deter attackers.

As for manufacturers, they should be held accountable for the devices they sell. They need to face consequences for failing to secure their products. Any Internet-connected device sold in the U.S. should have a bare minimum of lifecycle security support that includes vulnerability disclosure with minimum timelines for response and a secure patching procedure.

Unfortunately, manufacturers don’t currently have an incentive to change, and the burden is on us to solve the IoT security issue. But, fortunately, you don’t have to outrun the bear. You simply have to outrun the guy next to you. If the majority apply the three measures I described above to secure their devices, we’ll all be better off for it.

Source: Forbes