You’ve several IoT devices in your home and now you want to know how to secure your IoT devices? Here is some security best practices for IoT devices. Obviously, IoT security is not a thing that can be covered in only a blog post. So, we start a series of articles. I’ll try to mention about my experiences, as an IoT solutions architect.
Everything starts with default passwords
Default passwords are screwing up everything. Really.
Your device’s manufacturer company invests in security of devices, or the senior developer of the team works hard on security at the office, on Saturday night; instead of going out with friends. These all was only for the sake of your privacy. But you’ve received the IoT device/solution with a default password and left the password as is. And, you lose.
What the worse is that the problem is not solved with changing the IoT device’s password.
Let’s start with your internet modem, not the actual IoT device. If you can login your internet modem interface with Googling “brand + product code + default password”, someone can login your home network, so can access to the IoT device without need for the password itself. I mean, try to think from a bigger perspective. Even if you set strong passwords for several devices in your IoT fleet, one of them with default password can broke the security chain.
Who should be blamed?
Wait, why didn’t I change my password? Because noone pushed me!
You’re right. Can we blame the IoT solution developers? Totally yes. You’re the customer and how do you know that the changing the default password is somehow vital? Well, no over yet.
If the default password is a bad thing and needed to change immediately, well, why did they put that password to my device!?!
I’m not joking. The criticism here is; IoT and Smart Home guys are beating their chests while saying “Mainstream society doesn’t adopt smart homes/gadgets.” Please, don’t live in your own campus, think all of the world, try to empathize how will they approach your super smart gadget.
The point is, the company sells the IoT product and they are responsible for also the usage of the device. They should collect that data already. This is why we do IoT products: data. A typical consumer IoT company should keep track of the usage data if they don’t want to hear noises like “60% of their devices are potentially vulnerable because users are going on with default passwords.” Not only for these noises, actually they should benefit from that data to enhance their products, they should get feedback from it.
Next, we’ll go about physical security of IoT devices.
Please tell and discuss your ideas and thoughts about the passwords and responsibility on IoT on comments section.