A casino was recently hacked via an IoT device (a thermometer) in its lobby fish tank. When hackers can co-opt a database of high rollers at a casino by fishing out data through the aquarium thermometer, it’s time to tie up your IoT security loose ends. But where does one start?
Know what devices you have. IoT devices often enter the enterprise without IT support or setup, so protecting yourself must start with knowing what is on your network. Build an inventory, and have procedures in place to identify every new IoT device that comes onto your corporate systems. Did the hacked casino’s IT department even know about the fish tank thermometer and the potential for it to be hacked? You should.
Change default passwords. Devices are insecure when they’re left as is. Default passwords are the very first thing a hacker will try on a device that may have been accidentally left unprotected. At the very least, change the password to something other than “password.”
Put IoT devices behind the firewall. IoT devices shouldn’t connect directly to the internet; they should sit behind your firewall. If they’re connected directly to the internet, a hacker can use that direct connection to get past your firewall through the device. Most modern routers have built-in firewall capabilities, but avoid IoT devices that offer UPnP or P2P capabilities, or disable those capabilities; they add unnecessary risk.
Develop a plan to keep them up to date. Device vulnerabilities are found every day, so keeping your IoT devices up to date is of utmost importance. In addition to regularly checking that your IoT devices are running the most up-to-date firmware and related software, regularly check with device manufacturers to make sure they’re still providing updates. IoT device markets are still relatively immature, and there have been many examples of manufacturers going out of business, ending support, and being generally unreliable. Regularly check up on the IoT manufacturers whose devices are being run in your organization, and plan to retire any devices that are no longer receiving the support they need to stay secure.
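One way to carry out the checks described under “Know what devices you have” and “Develop a plan to keep them up to date,” as an added example that is not part of the original article: it compares devices seen in a DHCP lease file against an approved inventory. The dnsmasq lease format, the CSV columns and all sample data are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample: approved inventory (hypothetical column names).
INVENTORY_CSV = """mac,name,owner,vendor_supported
aa:bb:cc:00:00:01,lobby-camera,facilities,yes
aa:bb:cc:00:00:02,hvac-controller,facilities,no
aa:bb:cc:00:00:03,badge-reader,security,yes
"""

# Constructed sample, assuming dnsmasq lease format: expiry mac ip hostname client-id
LEASES = """1700000000 AA:BB:CC:00:00:01 10.0.20.11 lobby-camera *
1700000100 aa:bb:cc:00:00:02 10.0.20.12 hvac-controller *
1700000200 de:ad:be:ef:00:99 10.0.20.57 * *
malformed line
"""

def load_inventory(text):
    """Return {lowercased_mac: row} from the inventory CSV."""
    return {row["mac"].strip().lower(): row
            for row in csv.DictReader(io.StringIO(text))}

def parse_leases(text):
    """Yield (mac, ip, hostname) per valid lease line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1].count(":") != 5:
            continue
        yield parts[1].lower(), parts[2], parts[3]

def audit(inventory_text, leases_text):
    """Classify devices seen on the network against the inventory."""
    inventory = load_inventory(inventory_text)
    report = {"unknown": [], "retire": [], "not_seen": []}
    seen = set()
    for mac, ip, host in parse_leases(leases_text):
        seen.add(mac)
        entry = inventory.get(mac)
        if entry is None:
            report["unknown"].append((mac, ip, host))          # never inventoried
        elif entry["vendor_supported"].strip().lower() != "yes":
            report["retire"].append((mac, ip, entry["name"]))  # vendor support ended
    report["not_seen"] = sorted(set(inventory) - seen)         # inventoried, no lease
    return report

if __name__ == "__main__":
    for category, items in audit(INVENTORY_CSV, LEASES).items():
        print(category, items)
```

MAC addresses can be changed or randomized by a device, so treat this as inventory hygiene that surfaces unregistered devices, not as authentication of the ones that match.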
A brave new world. It’s a brave new world that we’re living in when a huge organization can be hacked through a fish tank’s thermometer. In this new world, there is no reason to put your organization at risk, so follow these best practices and keep your devices and your organization protected.