IoT Ransomware Prevention
Congratulations! Your coffee pot is being held for ransom.
The Internet of Things, also known as IoT, refers to physical objects that are connected to the Internet and send data across it. These devices are convenient and programmable. Things like smart fridges, thermostats, baby monitors, and security systems make life easier, but they are also vulnerable to cyber attacks. A few weeks ago, a researcher was able to hack an Internet-connected coffee pot and hold it for ransom. If you have not seen the unbelievable video, you can view it here.
What if your thermostat were hijacked by cybercriminals and held for ransom? Criminals could turn off the heat in winter, causing pipes to freeze and burst. Or they could turn off your AC in the summer, destroying equipment until you paid up. Like most of you, I love my IoT devices. They are wonderful when they work, but if my internet-connected washing machine were ever held for ransom, there could be big problems.
The bottom line is every new device that you bring into your home or office comes with a certain level of risk that needs to be addressed.
If You Connect It, Protect It
October is National Cybersecurity Awareness Month. This year’s theme is “Do Your Part. #BeCyberSmart,” with an emphasis on the concept “If you connect it, protect it.”
These security best practices for your home or office will help you protect data and prevent breaches in this era of internet-connected devices. We advise that you perform due diligence before purchasing any device and keep security in mind while using the device.
Best practices to prevent malware on IoT devices
Conduct a mini risk assessment
Before buying any new Internet-connected device, put yourself in the shoes of a cyber professional by conducting a very short risk assessment:
- Research the device and its brand. Is it a well-known device and company?
- Check their reviews and reputation. Are they in the news for previous breaches? Even after you buy the device, be sure to keep an eye on the news.
- Do they regularly release patches and/or new firmware? Check the date of their last update.
- While reading reviews of the device, notice if users mention difficulty with changing settings, default credentials, or disabling insecure protocols.
Read the privacy statement
Most firms require that you accept the terms of their privacy statement, so be sure to read it carefully. Signing the terms may limit your options for a return should there be security issues.
The privacy statement will include things like what types of data they collect, how they store data, and how data is processed, as well as the type of encryption they use. Some Internet-connected devices have the option to create backups or use encryption.
Introduce the IoT device and have a recovery plan
When you introduce any new device into your home or work environment, be sure you have a recovery or contingency plan. This includes reading the instructions on how to perform a factory reset on the device. If a device becomes compromised or infected with malware, you may need to quickly restore it to factory settings.
Some Internet-connected devices now require you to contact the company to reset, making recovery more complicated. Be especially wary of novelty items that lack clear instructions, are difficult to use, do not disclose how they handle data, and lack a detailed privacy statement.
If you add a new device to your home environment, verify that your router and VPN are set up securely. Your router is the heart of your network. Double check your router settings and ensure you’re not still using the default configuration.
Use a different password on each Internet-connected device
Password manager tools help you keep track of passwords securely. If you use the same password for all of your devices, and threat actors compromise one device, it will be easier for them to compromise all of your devices. Also:
- Never use the same password(s) for both work and home devices.
- Use multi-factor authentication whenever available.
Deactivate your device
When you’re done with the device or preparing to sell it, be sure to deactivate it. If you no longer use the device, log in to the company’s website or portal to confirm that the device is offline, your credit card details are removed, and you are no longer attached to the specific device in any way. Confirm that your email and personal information are not within their data collection tools. Many folks tend to forget this step.
In fact, recently, one of my family members noticed charges from Xbox on his credit card even though he hadn’t used his account in years, and thought he had deactivated it. The cause? Xbox online was hacked several years ago, and his Xbox credentials were stolen and sold on the dark web.
National Cybersecurity Awareness Month
For more information about National Cybersecurity Awareness Month, you can visit their website here.
Matt Heffelfinger ("Heff" is preferred) is a Utah-based cybersecurity professional and serves as SecurityMetrics Director of SIEM Operations. His primary wheelhouse includes leading the SecurityMetrics Security Operations Center (SOC) and Threat Intelligence Teams for multiple clients both in the USA and globally. With over 15 years of global cybersecurity experience, his career stops include Caesars Entertainment, TJX, Inc., General Electric, NBC Television and the Las Vegas Sands Corp.