2019-09-01_TechLife

(Greg DeLong) #1

[WWW.TECHLIFE.NET] [ 099 ]


HELP STATION

SECURING SMART DEVICES

do change the password often use an insecure
one – like a dictionary word, number sequence
or simple phrase – and then go and use the
same password for every device.
The Mirai and VPNFilter outbreaks we
mentioned earlier? All these attacks really did was
try out the factory default password on millions
of connected devices, and in doing so they found a
rich vein of devices that never had their
passwords changed.
So, it is absolutely critical that, for every
device that allows it, you check and
change the password from the default
immediately. Each device should have a good
password – that is, a string of random numbers
and letters at least ten characters long – and
each device’s password should be unique (you
can guarantee that if a hacker cracks one device,
they’re going to try them all with the
same password).
This also applies to any cloud services
associated with devices. Many devices have a
linked cloud service; for example, IP cameras
will link to a cloud service that will allow you to
view their stream across the internet, while
NAS devices might link to a remote access
cloud service. First, you should disable any
cloud services that you don’t use; second, each
cloud service login should be unique.
Remember that these cloud services offer a way
past your firewall and into your home network
for attackers, and if one is compromised then
your entire network can be vulnerable.
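
The password rules above (not a factory default, at least ten random letters and numbers, unique for every device and cloud login) can be checked mechanically. The Python below is an added example, not part of the original article; the inventory, the default-password list and the weak-word list are constructed samples you would replace with your own.

```python
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits  # random letters and numbers
MIN_LENGTH = 10  # the article's minimum length
# Constructed sample lists (assumptions); extend them for your own devices.
FACTORY_DEFAULTS = {"admin", "password", "12345", "root", "default"}
WEAK_WORDS = {"password", "letmein", "welcome", "dragon", "sunshine"}
# Constructed inventory of device and cloud-service logins (not real data).
SAMPLE = {"ip-camera": "admin", "router": "sunshine", "nas": "sunshine",
          "camera-cloud": "0123456789", "smart-lock": "k7Qm2xT9rLb4"}

def generate_password(length=16):
    """Return a random letters-and-digits password from the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def is_sequence(pw):
    """True for digit runs such as 123456, 987654 or 111111."""
    if len(pw) < 2 or not pw.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1}, {0})

def audit(inventory):
    """Map each login name to the list of problems found with its password."""
    users = defaultdict(list)
    for name, pw in inventory.items():
        users[pw].append(name)
    findings = {}
    for name, pw in inventory.items():
        problems = []
        if pw.lower() in FACTORY_DEFAULTS:
            problems.append("factory default")
        if len(pw) < MIN_LENGTH:
            problems.append("shorter than 10 characters")
        if pw.lower() in WEAK_WORDS or is_sequence(pw):
            problems.append("dictionary word or number sequence")
        if len(users[pw]) > 1:
            problems.append("reused on another login")
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(f"{name}: {', '.join(problems)}; suggested: {generate_password()}")
```

A login that does not appear in the output passed every check; a simple phrase that is not in the word list will not be caught, so treat a clean result as a minimum bar.
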
Of course, no human can remember dozens
of strings of random numbers and letters, so it’s
pretty much essential to use a password
manager. You can use a cloud service like
LastPass (www.lastpass.com) or Dashlane
(www.dashlane.com) or one of several dozen
other options. If you’re not keen on a cloud
service for your passwords, we can recommend
KeePass (keepass.info), which keeps all
data local.

UPDATING THE FIRMWARE
The software that runs smart devices can be
and often is updated to add new features and,
more importantly, address security problems.
The frequency of such updates varies by device
– NAS devices, for example, tend to update quite
frequently, while IP cameras or routers might
update once every six months or so.
Every few months you should run an audit
on your smart devices to see if updates are
available. In many cases they won’t update
automatically and will require manual
intervention from you to approve or initiate it.
Log into the device’s settings and check
for updates.


SETUP IMMEDIATELY AFTER CONNECTING
When they’re shipped, many smart devices
default to an open mode, designed to allow easy
setup. It’s only once the setup process is complete
that security is applied. So don’t plug a device in
and leave it for hours or days before you actually
get around to running the setup app. Have the
app ready to go and run it immediately.

CHANGING OR DISABLING VOICE
COMMANDS
Over in this month’s Home Networking
column, we talked about how you can use a
voice assistant to automate your home. This is
some really cool tech, but you do have to
consider the security implications. If you allow
your front or garage door’s smart lock to be
controlled by a voice command, what’s to stop
a criminal calling “Alexa, open the front
door”? If anybody can take control of your
devices with a voice command, then they
might be able to easily access private
information or trigger events that you don’t
want them to. There are even special kinds of
attacks called Dolphin Attacks, where
commands are hidden in the white noise on
YouTube and other streaming videos; you
can’t hear them, but your voice assistant can.
The automation tools provided by Amazon,
Apple and Google do allow you to set custom
voice commands as well as turn them off.
Have a think about what you’re enabling
access to with just voice commands. Can
somebody access your calendar or GPS
information? Could you be accidentally (or
deliberately) recorded? Can they access a
smart lock, or enable or disable a camera?
Even more so than other smart devices,
voice assistants are a major attack vector,
especially when they’re given access to a lot of
information or control of other devices. So be
careful what you connect with them!

Change the password on all your devices.

Use a password manager like LastPass, for goodness sake.

Make sure the firmware is kept up to date.