Securing IoT Devices

While many people have come to rely on Internet of Things (IoT) devices for added efficiency and convenience, those same devices are entry points that cybercriminals can use to violate your security and privacy. According to Symantec’s 2019 Internet Security Threat Report (ISTR 24), “IoT devices experience an average of 5,200 attacks per month. Routers and connected cameras were the main source of IoT attacks accounting for over 90 percent of activity.” Many kinds of IoT devices have been exploited: baby monitors, security cameras, smart locks, smart thermostats, even a fake internet-connected toaster. You must take steps to secure the smart devices and appliances connected to your home network, to each other, and to the internet.

Review the actions below to establish proper management and security of your IoT devices and protect your personal data.

Do Your Homework First

Devices, especially complicated ones, come with a lot of different features, many of which are turned on by default. Before you buy something, research the security options for the device and think about which ones you need and which ones you can turn off. For example: Does your fridge really need to be connected to the internet? Do you want copies of your doorbell’s videos automatically saved to the cloud? Other things to look for are:

  • How easy is it to change the default password? Some devices don’t let you, which is a red flag.
  • Does the manufacturer talk about security on their website?
  • Do any of the reviews talk about the security features or security fails?
  • What benefits do you get if you connect the device to the internet?
  • Avoid devices with Peer-to-Peer (P2P) capabilities – these features are particularly prone to vulnerabilities, often bypass your router’s firewall, and are hard to secure.

Set a New Password

Generally, manufacturers program the same username and password into every device they sell. This means that if you keep the default password for your IoT device, anyone can look it up with a quick web search. So, step 1 is to change the password to something long and unique to that device. Be sure to follow campus passphrase requirements if your device stores or accesses any University data.

Set Up Multi-Factor Authentication

Many devices and their companion apps now offer Multi-Factor Authentication (MFA), so if MFA is an option, turn it on. It protects the account even if the password is later leaked or guessed.

Keep it Updated

Even the new gadget you’ve just unwrapped could have out-of-date software, so one of the first things you should do is check for updates. You can usually do that in its user interface or companion app; it might even be part of the setup process.

Then you need to keep it updated. Some devices update automatically (set that as the default if you can); others will tell you when there are new updates, which you should install right away. If the device does neither, check for updates at least every three months, and more frequently when security really matters, as with a smart door lock, a doorbell camera, or a wireless router. Also, if the device is doing something odd, or if your entire internet connection regularly slows down for no reason, that may be a sign of a security problem. Take the device off the network and see whether the problem goes away. If it is still acting strangely, check for updates, then try a factory reset.

Secure your router

Securing your home router is one of the most important steps toward a secure home network, because every IoT device sits behind it. Visit our Securing Home Wi-Fi article for more information.

Devices on campus

Keep in mind that any device you connect to the campus network must meet campus security requirements. This includes personal IoT devices. Some departments also restrict what can be connected to their network, so check with your department’s IT before connecting any personal IoT devices to the internal network. Finally, if you’re looking to purchase a new device for your department, work with your IT and Procurement Offices to make sure that it meets campus security requirements. And be sure to have clear guidelines on who is responsible for keeping the device up-to-date and secure.
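The update-interval rule above (at least every three months, more often for locks, doorbell cameras, and routers) and the campus requirement that someone be responsible for each device are easy to lose track of once a household or department has more than a handful of gadgets. The following inventory audit is an added example written for this article, not a tool from the article’s authors or from any campus IT office. It assumes a small, constructed inventory embedded in the script; the device names, the 30-day interval for security-critical devices, and the field names are all this example’s own choices.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Device classes the article singles out as security-critical get a tighter
# update-check interval; everything else gets the three-month baseline.
CRITICAL_TYPES = {"smart lock", "doorbell camera", "router"}
CRITICAL_INTERVAL = timedelta(days=30)   # assumption: monthly for critical devices
DEFAULT_INTERVAL = timedelta(days=90)    # "at least every three months"


@dataclass
class IoTDevice:
    name: str
    device_type: str
    default_password_changed: bool
    mfa_enabled: bool
    p2p_enabled: bool
    auto_update: bool
    last_update_check: date
    owner: str = ""   # who is responsible for keeping the device patched


def audit_device(dev: IoTDevice, today: date) -> list[str]:
    """Return the findings for one device; an empty list means it passes."""
    findings: list[str] = []
    if not dev.default_password_changed:
        findings.append("default password still in use")
    if not dev.mfa_enabled:
        findings.append("MFA not enabled")
    if dev.p2p_enabled:
        findings.append("P2P feature enabled")
    # Devices that auto-update are not flagged for a manual check; the rest
    # must have been checked within the interval for their device class.
    interval = CRITICAL_INTERVAL if dev.device_type in CRITICAL_TYPES else DEFAULT_INTERVAL
    if not dev.auto_update and today - dev.last_update_check > interval:
        findings.append(
            f"update check overdue (last {dev.last_update_check.isoformat()}, "
            f"limit {interval.days} days)"
        )
    if not dev.owner:
        findings.append("no one assigned to keep it updated")
    return findings


def audit_inventory(devices: list[IoTDevice], today: date) -> dict[str, list[str]]:
    """Map each device name to its list of findings."""
    return {d.name: audit_device(d, today) for d in devices}


# Constructed sample inventory (not real devices) and a fixed report date so
# the results are reproducible.
REPORT_DATE = date(2024, 3, 1)
SAMPLE_INVENTORY = [
    IoTDevice("front-door lock", "smart lock", True, True, False, False,
              date(2024, 1, 15), owner="Alex"),
    IoTDevice("living-room camera", "security camera", False, False, True, True,
              date(2023, 11, 1)),
    IoTDevice("hallway thermostat", "smart thermostat", True, True, False, False,
              date(2024, 1, 1), owner="Alex"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, REPORT_DATE).items():
        status = "OK" if not findings else "ACTION NEEDED"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Running the script flags the lock (46 days since its last manual check, over the 30-day limit for a critical device), flags the camera on four counts (default password, no MFA, P2P on, no owner), and passes the thermostat, whose 60-day gap is within the three-month baseline. The same structure works for a departmental inventory: add the purchase approval and the named owner as fields and you have the record campus IT will ask for.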

Devices and research

IoT devices, from smart watches to internet-enabled blood pressure monitors, can contribute valuable data to research. However, there is potentially a lot of risk involved in using IoT devices to collect health data, or sensitive information of any kind. Make sure to talk with the IRB and OPHS as early in your planning process as possible.

Devices and HIPAA

Your smart speaker is always listening for its wake word, so it is not appropriate to have these devices in areas where privacy is expected. Also, don’t have private conversations or talk about any research subjects in front of one. Similarly, any device that may come into contact with personally identifiable information will need extra security measures (and possibly special contract language) in place. For more information on HIPAA-compliant device use, contact: security@berkeley.edu.

-Co-authored by Andrea McColl, UCLA and Ronise Zenon, UC San Diego