Internet of Thieves, Part 2

In my previous post, Internet of Thieves, Part 1, I discussed the privacy and potential physical security issues around Internet of Things (IoT) automation systems.  If you haven’t read it yet, you may want to start there.  I mentioned my two main concerns with IoT: privacy and network security.  If impersonating you and getting into your life isn’t bad enough, I see the network security concern as a bigger threat, especially to businesses.

Cybersecurity concerns

IoT devices aren’t always designed with security in mind.  Some go to market quickly, focusing on features to gain market share and make shareholders happy.  Sadly, security is often low on the list of must-haves.  Being connected to the internet with limited protection, bad actors can get into these fairly easily.  Once in, they have easier access to other devices on your network including your personal and work computers.  We call this lateral movement.  You may not think your personal computer contains anything valuable, but I’d guess there’s a treasure trove of bank statements, medical records, insurance policies, not to mention the list of passwords you have stored in that super-secret file named Passwords.txt.

Your business is at risk too

If you have a job that allows you to work from home your work computer is also vulnerable to these hacks.  Many businesses use VPN and/or RDP technologies to provide access to corporate assets.  If a bad actor gained access to those, they would have access to your corporate network as well by using the same lateral movement techniques to infiltrate company computers.  Maybe you’re not as concerned about that, but your employer should be.  During the pandemic lockdowns of 2020, hackers learned that it’s easier to break into less-protected home networks first and use RDP and VPNs as a conduit into corporate networks.  As a result, attacks on home networks have increased significantly.

What you can do

For starters, if the device has a default user name and password, change them.  It’s easy enough to do a Google search for “default password.”  Beyond that, the network security concern is a little more involved and technical than the privacy concern.  On the less-technical side, see if your Wi-Fi router has a mode that isolates devices so they can’t see each other on the network.  This is a good step toward blocking the lateral movement I mentioned earlier.  Not all home routers will have this feature.  If yours does and you activate it, it can prevent your computer from seeing your printer.  So you may have to give some thought to whether you should do this.  Anything beyond this will require someone with networking experience and possibly some additional hardware or software.

If you are a work-from-homer, your employer may be willing to have their cybersecurity staff provide advice or services.  There’s a lot they can do to inexpensively secure home networks for business use, but these are not something non-technical people will want to attempt.

If you own a business, look into some of the newer technologies designed to protect your business while your employees work from home.  Technologies like Zero Trust Network Access (ZTNA) and Secure Access Service Edge (SASE) can enhance and extend your network’s secure borders beyond the office walls.  Managed Extended Detect and Respond (MXDR) services will also allow devices to be monitored for malicious behavior regardless of their location.