By Simon Rice, Group Manager for Technology.
Is this creepy website live-streaming YOUR living room? That was the Daily Mail headline in 2014, highlighting a Russian website that was providing links to access internet-connected cameras around the world.
The story was prompted by an ICO blog that had warned that the website had been able to access webcams, CCTV and baby monitor cameras because they had not been made sufficiently secure.
But two years later we are still seeing the same mistakes, with people not keeping their devices secure, and manufacturers not incorporating adequate security into products.
This means Internet of Things products such as baby monitors, music systems and photo or document storage, which can be accessed online, are at risk of revealing your personal details to other people.
A lack of security when it comes to IoT devices could mean that a search engine is used by criminals to locate vulnerable devices and then gain access to them or others on your home network. An attacker could then use your equipment to mount attacks on others or take your personal data to commit identity fraud.
We’re continuing to work with manufacturers about what they can do, but individuals need to play their part too. The public must act to protect themselves and their families when using these devices. If they don’t they could find their personal files easily accessible by popular search engines, casual browsing or more determined attackers. If you wouldn’t leave your house unlocked then make sure your digital home is equally secure.
People using IoT devices should consider the following:
1. Research the security of a product before buying
Good research before buying a connected device will allow you to recognise the ones with poor security implementations. You should also look to see how a product will be updated in the future if a security issue is identified. As an example, some smartphones have never, and will never, receive security fixes.
If consumers reject the products that won’t protect them, the developers should get the message quicker.
2. Is your router secure?
This will be your first line of defence on the perimeter of your home network. If you’ve installed a device in your home and connected it to your network, the default settings of your router might be exposing it to the internet and therefore everyone else connected to the internet.
This is necessary if you want to access that device from outside of your home but whilst some devices require some form of password protection, others either do not or they use a default (and potentially discoverable) password. Where no protection is in place, your personal files could suddenly become available on popular search engines.
3. Change passwords and usernames from default
The default password protection will only guard against casual observers. Default credentials for many devices are freely available on the internet and can be located with ease. You should always change passwords from the defaults and choose a suitably strong password. You should also use a different password for each account and device. This might sound complicated but if you are using a smartphone app to access the device this might be able to keep you logged in, meaning you don’t have to enter it each time.
4. Known security vulnerabilities
Check the manufacturers’ website to see if there have been any updates which address known security vulnerabilities and install updates in a timely manner. This includes your router. But be warned, updating the firmware of an IoT device can overwrite the data or settings so check the manual and make sure you have a backup.
5. Take your time
Don’t just plug your device in and skip as much of the set-up process as you can. Take time to read the manual and familiarise yourself with the security and privacy options available to you.
6. If there’s a two-step identification option – use it
Two-step authentication offers you an additional layer of security when logging in to an online service.
Whilst few devices will offer this service, the website you use to view the data might. It often works by asking you an additional security question, or by sending a code to your mobile phone or email account that you must enter during the login process. Sometimes you can have a separate device which generates these codes.
Using two-step or two-factor authentication means that if your username and password are compromised, a criminal cannot gain access to your account data without also compromising your mobile phone or code generator. Therefore if you have this option turned on, your information has a much greater chance of remaining secure.
|Simon Rice is the Group Manager for the Technology team, which provides technical expertise to all ICO departments in order to support the broad range of activities undertaken by the ICO.|