What is IoT?
If you’re here you probably already know what IoT is, so I’ll keep the intro short. The computer crowd loves acronyms. WWW is recognized by most. IoT stands for Internet of Things, and it refers to those sneaky little devices that want network access too, some of which we don’t want to speak out loud or they’ll start listening, and others you have to wonder…why? Alexa, Ring, Nest, the refrigerator, a coffee maker?
IoT devices can also be used in businesses for temperature sensors, tracking vehicle fleets, inventory status, and parking lot capacity, to name a few.
Isolate!
Ever met someone who cleans their room by stuffing everything in the nearby closet? You can do this with the IoT devices from a network perspective. Literally shoving them in a closet would remove them as a risk, but it would also render them fairly useless. Unless you left them powered on, then you have potential overheating problems, fire hazard…I digress. The idea is sticking all the IoT devices on a separate network from the rest of your computers. The easiest way is to get a WiFi router with a Guest network and connect the IoT devices to that. Clients on a router’s Guest network are not allowed to talk to the other parts of the network. Think Great Wall of China, the Iron Curtain, the Berlin Wall.
Why Isolate?
IoT devices don’t typically fall into a centralized patch management program. They also don’t tend to patch often. The process can be manual. Some systems are moving to updating automatically with the manufacturer. (Outside the IoT realm, software that’s particularly exposed to attack, like browsers, has started moving this way.) The general lack of proper updating makes IoT devices a security risk to the other devices they share network space with. Isolating devices so they can’t talk to other systems isn’t a new idea, but it’s a proven one.
WiFi routers with Guest network capabilities
Here are a few devices that have Guest WiFi technology built into them:
(Disclaimer: these are affiliate links)
IoT options for more complex networks
Ask what the device needs to talk to. The internet? An internal device? Other IoT devices? This will help you work out where this IoT device fits into your network. To reduce the risk of damage an IoT device could do, and really this can apply to any network node, it’s about employing least privilege principles. Limit the device down to what it needs.
Remember Spaceballs? Lone Starr’s advice to Princess Vespa when they are abandoning the flying RV and venturing into the desert: Take only what you need to survive. IoT devices also don’t need a lot in terms of network access. Figuring out a design that’s minimal, isolating IoT devices so they can’t talk to higher risk items on the network, like a file server that’s critical for business, will reduce the risk.
If there’s a server the IoT devices need to send alerts to, or send email through, only allow that one point of access. Your server may have other points of access: SQL, a web server. Don’t forget that if you’re letting the IoT device talk to this server carte blanche, it can talk to every network-listening application on your server, your SQL install, your web page. Granted, the IoT device may not have a password to log in to these things, but if it was controlled by someone with ill intentions they could use it to try and break past those defenses.
More complex WiFi devices allow for multiple WiFi SSID networks where you can craft rules allowing certain cross-talk and blocking the rest. Ubiquiti UniFi and Aerohive (now Extreme Networks) have this sort of capability. Research what works for your situation, as mileage may vary by vendor. They can pair separate WiFi networks with VLANs to deploy a more broadly reaching set of WiFi networks while isolating the cross chatter at the router/firewall.
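As an added example (not from the original post), here is the "one point of access" idea from above written as an nftables ruleset for a router or firewall sitting between the IoT VLAN and the rest of the network. It assumes the IoT VLAN arrives on interface vlan20, the alert/mail server is 192.168.1.10 listening on TCP 587, and everything in the RFC 1918 private ranges counts as "internal"; all three are parameters of the function and are assumptions, not values from the post.

```shell
#!/bin/sh
# iot_ruleset IFACE SERVER PORT
#   Prints an nftables ruleset that lets the IoT VLAN reach exactly one internal
#   service (SERVER:PORT) plus the internet, and logs/drops everything else that is
#   bound for an internal network. IPv4 only; IPv6 would need matching ip6 rules.
iot_ruleset() {
    cat <<EOF
table inet iot_isolation {
    set private_nets {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # judge only traffic arriving from the IoT VLAN; other traffic keeps the chain policy
        iifname != "$1" accept
        # replies belonging to connections already admitted
        ct state established,related accept
        # the single allowed internal door: the alert/mail server on its submission port
        ip daddr $2 tcp dport $3 ct state new accept
        # anything else headed for an internal address (the server's SQL and web ports,
        # file servers, the office LAN) is logged so it shows up in monitoring, then dropped
        ip daddr @private_nets log prefix "IOT-BLOCK " drop
        # what remains is internet-bound and is allowed out
        accept
    }
}
EOF
}

# Dry-run check, then apply (assumed values):
#   iot_ruleset vlan20 192.168.1.10 587 > /tmp/iot.nft
#   nft -c -f /tmp/iot.nft && nft -f /tmp/iot.nft
```

Rule order is what makes this least privilege: the accept for the server’s submission port comes first, so the later drop covers that same server’s other listeners without needing a rule per port.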
Automatic updating
I mentioned this problem above. If your IoT devices give you the option to auto-update or not, I’d recommend updating. Yes, this can potentially brick your device (turn it into the equivalent usefulness of a brick – a door stop) if the manufacturer update goes awry. But the alternative risk of an unsecured device on the network is much worse. At least a broken device can be replaced at a nominal cost. If your network is broken into, there can be malware, ransomware, or network attacks launched from your network to elsewhere.
Secure cloud accounts managing IoT devices with 2FA
This may be an overlooked step in securing those IoT devices. You’ve locked down your network. The IoT devices can barely make a peep without running into a network filter. Yet with a large number of them talking to online services, all someone needs to do is break into your management account and they have now gained a level of access to your devices regardless. Now they can get at personal data, maybe camera footage, and more, without ever breaking into your network.
To try and avoid this problem, check your cloud provider’s security settings and turn on two-factor authentication for your account.
Network monitoring
A last piece of advice for the more complex networks: put something in place to auto-inventory your network. If you’re plugging in new devices frequently, or your network is larger than a few devices, having a system that scans for new devices and reports on them can be invaluable. Even if the network is designed properly, you keep an eye out for new devices showing up unintended or put on the wrong network by accident (user error), and you also gain awareness of old IoT devices that were forgotten about and abandoned.
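An added example of that kind of inventory check (not from the original post): a small shell function that compares a scan of what is currently on the network against a baseline of what should be there, and reports the three things the paragraph cares about, namely unknown devices, known devices sitting on the wrong VLAN, and inventoried devices that no longer show up. The two file formats and the sample data are constructed for the example; in practice the scan file would be produced from a DHCP lease table or an ARP scan reshaped into the same columns.

```shell
#!/bin/sh
# inventory_report BASELINE SCAN
#   BASELINE lines: mac expected_vlan name      (what you believe is deployed)
#   SCAN lines:     mac ip observed_vlan         (what is on the wire right now)
# Prints one line per finding: NEW, WRONG-VLAN, or NOT-SEEN.
inventory_report() {
    awk '
        # first file: remember the expected VLAN and the friendly name per MAC
        FILENAME == ARGV[1] { want[$1] = $2; name[$1] = $3; next }
        # second file: compare each observed device against the baseline
        NF >= 3 {
            seen[$1] = 1
            if (!($1 in want))
                printf "NEW        %s ip=%s vlan=%s\n", $1, $2, $3
            else if (want[$1] != $3)
                printf "WRONG-VLAN %s %s expected=%s actual=%s\n", $1, name[$1], want[$1], $3
        }
        # baseline entries never observed: candidates for decommissioning or a dead device
        END { for (m in want) if (!(m in seen)) printf "NOT-SEEN   %s %s\n", m, name[m] }
    ' "$1" "$2"
}

# make_sample: writes constructed sample files (not real devices) and prints their directory
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/baseline.txt" <<'EOF'
aa:bb:cc:00:00:01 20 thermostat-lobby
aa:bb:cc:00:00:02 20 camera-dock
aa:bb:cc:00:00:03 20 old-sensor-retired
EOF
    # the camera has landed on VLAN 1 (the office LAN) and an unknown MAC has appeared
    cat > "$dir/scan.txt" <<'EOF'
aa:bb:cc:00:00:01 192.168.20.11 20
aa:bb:cc:00:00:02 192.168.1.42 1
dd:ee:ff:00:00:09 192.168.20.99 20
EOF
    echo "$dir"
}

# Usage: d=$(make_sample); inventory_report "$d/baseline.txt" "$d/scan.txt"
```

Run it from cron against a fresh scan and mail yourself the output; an empty report is the normal case, and anything else is worth a look.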
Further Reading
Follow organizations publishing standards and security checklists. Before putting devices on your network see if they follow published standards to help in reducing those IoT units as a risk.
https://www.iotsecurityfoundation.org/
https://www.internetsociety.org/wp-content/uploads/2019/04/enterprise_iot_checklist-1.pdf
https://www.nist.gov/topics/internet-things-iot
Summary
IoT has exploded over the past few years. Multiple manufacturers, a lack of standards. They are useful in some cases. But you have to wonder, when your toilet is online, what you’re getting out of it. Creating an isolated network, auto-updating, network scanning, and maximizing cloud-based account security is a good start.