Growing up, the first computer that my family owned was an Apple IIc. Purchased in 1985, that computer served me well until the end of my sophomore year in college when I moved to a generic i386-clone in order to do things like dialing into my engineering school’s VMScluster to do homework assignments (without sitting in the school’s computer lab…I’ve been doing remote work for a long time).
Since that time, I’ve enjoyed the progression of digital gadgets that I’ve owned: everything from 14-pound laptops to HP OmniGos and Pocket PCs. My personal favorite among the legacy stuff was my Apple Newton MessagePad 110.
In that legacy world, the information behind those screens was largely immobile, i.e. you had to be where that device was in order to access what was on it, or bring one of a variety of extinct removable media form factors to get the bits and bytes from computer ‘A’ to computer ‘B’. That all began to change after we started attaching computers to telephone lines. BBS anyone? To bring it back to the present, we routinely and regularly access information from computers on the other side of the planet while sitting, standing, walking–hopefully not driving–or even flying from the comfort of wherever we choose.
The convergence of mobile phones, wireless networking, broadband connectivity and miniaturization brings us to today, when we carry around highly connected supercomputers in our pockets, and even considerable computational power on our wrists. Plus, there are connected TVs, fridges, washers & dryers, automobiles, speakers, video cameras, baby monitors, vending machines, thermostats, light bulbs, security alarms, dog toys, and on and on. This Internet of Things (IoT) pulsates around us, trafficking in sensitive and mundane information that is often related to each of us as individuals, e.g., geo-location, steps taken, age, gender, medical vitals, last thing you bought, your reading list, other devices (people) in likely proximity.
So, with access to a rich set of (often personal) information and connectivity to a global public network, it’s reasonable to ask how to secure these devices. Call them whatever you will, IoT devices are still computers, so although they vary in shape, size and functionality, we secure them–and their associated data–in the same ways we do other computers.
1. Software updates
Keep your IoT device software up to date. Software updates renew the value in devices by enhancing existing features and often adding new ones that weren’t available at the initial release date. The updates also address errors or bugs that lead to unexpected or undesirable behavior, including unauthorized access to information the devices store, process or transmit.
2. Strong authentication
At a minimum, your IoT devices should have a strong password. Better still is the use of multi-factor authentication (MFA), which is a combination of two or more credentials to validate an identity. Because of their limited interface and/or functionality, this will not always be an available option, but when it is, take advantage of it.
3. Limit access / limit sharing
Oftentimes, IoT devices themselves don’t store information, but they are likely controlled by apps that are installed on other devices that store a lot of data–our phones. If the device wants access that you judge to be excessive, deny the permission request. Likewise, many devices have sharing features that can publish info to social media, so take care that it’s not unnecessarily announcing your location or that you’re away from home.
4. Encryption
You might have seen the t-shirt / poster with the phrase “Encrypt like everyone is watching”. Slightly hyperbolic, but it’s a fair warning. When information needs to be stored and transmitted, it should be encrypted. Encryption is a reliable tool for keeping your information from people who shouldn’t have it. Do your research before purchasing an IoT device. If it stores information and doesn’t provide encryption, find a better product.
The pervasiveness of IoT adds some nuance to common security considerations, but if you’re not addressing the basics, you’re losing the game before you start.