How secure are the connected smart devices you keep in your home? How much protection have you put in place, and have you even taken a minute to change your default router password?
Computer says no
The truth is many smart home device users (and those running connected devices in smart offices, enterprises, manufacturing and beyond) may not yet have taken stock of their security.
This is a particular problem when it comes to older smart devices, many of which are still in use even though a large number of them shipped with weak or non-replaceable factory default passcodes.
The proliferation of poorly protected smart devices in conjunction with weak router security is a potential gold mine for hackers, who are eagerly attempting to crack into people’s IoT networks in order to create botnets for future use.
That’s alongside the inevitable threat that criminals will use poorly protected IoT devices as access points to penetrate networks, harvest personal and payment data, and more.
How HomeKit-approved routers will work
Apple’s promised HomeKit-enabled routers may improve protection.
You can see some screen shots of how this works here, while this report explains a little more concerning how this protection works.
In use, you’ll be able to assign each of your HomeKit devices security permissions as follows:
- Restrict to Home: HomeKit-enabled devices will only be able to speak with each other, which means you won’t be able to access them at all from outside your network.
- Automatic: Accessories can connect to the home router/hub, accessories around the home and approved services on the web.
- No Restrictions.
You set this preference up individually for each one of your HomeKit devices.
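To make the three levels concrete, the added sketch below (not Apple's or any router vendor's code) models them as a per-accessory allowlist and reports which observed flows each level would block. The LAN range, hub address, accessory names, approved-service address and flows are all constructed assumptions, and the rules are a simplified reading of the descriptions above.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.168.1.0/24")   # assumed home LAN range
HUB = ip_address("192.168.1.1")           # assumed router/hub address

class Level(Enum):
    RESTRICT_TO_HOME = "Restrict to Home"
    AUTOMATIC = "Automatic"
    NO_RESTRICTIONS = "No Restrictions"

@dataclass(frozen=True)
class Accessory:
    name: str
    level: Level
    approved: frozenset = frozenset()     # hypothetical approved web services

def allowed(acc, peer, homekit_peers):
    """True if traffic between `acc` and the IP `peer` fits the accessory's level."""
    addr = ip_address(peer)
    if acc.level is Level.NO_RESTRICTIONS:
        return True
    lan_homekit = addr in HOME_NET and addr in homekit_peers
    if acc.level is Level.RESTRICT_TO_HOME:
        return lan_homekit                # other HomeKit devices at home only
    # Automatic: hub, accessories around the home, approved web services
    return addr == HUB or lan_homekit or addr in acc.approved

def audit(accessories, flows, homekit_peers):
    """Return the (accessory name, peer) flows the configured levels would block."""
    by_name = {a.name: a for a in accessories}
    return [(n, p) for n, p in flows if not allowed(by_name[n], p, homekit_peers)]

# Constructed sample data (documentation address ranges, invented device names).
HOMEKIT_PEERS = {ip_address("192.168.1.20"), ip_address("192.168.1.21")}
ACCESSORIES = [
    Accessory("camera", Level.RESTRICT_TO_HOME),
    Accessory("plug", Level.AUTOMATIC, frozenset({ip_address("203.0.113.10")})),
    Accessory("old-bulb", Level.NO_RESTRICTIONS),
]
FLOWS = [
    ("camera", "192.168.1.20"),    # HomeKit peer on the LAN
    ("camera", "198.51.100.7"),    # internet host
    ("plug", "203.0.113.10"),      # approved service
    ("plug", "198.51.100.7"),      # unapproved internet host
    ("plug", "192.168.1.50"),      # non-HomeKit machine on the LAN
    ("old-bulb", "198.51.100.7"),  # unrestricted accessory
]

if __name__ == "__main__":
    for name, peer in audit(ACCESSORIES, FLOWS, HOMEKIT_PEERS):
        print(f"blocked: {name} <-> {peer}")
```

The unrestricted accessory is the only one whose traffic to an arbitrary internet host passes, which is why older devices left at that level remain the exposed ones.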
Apple is also introducing a HomeKit Secure Video service, which adds layers of protection around CCTV video.
Why does this matter?
To help understand the scale of the threat — and why Apple’s solution is so important — reflect on new Kaspersky research which tells us attacks against smart home devices climbed by around 700% in the last 12 months.
Using a network of decoy devices, the researchers found that while 12 million attacks originating from 69,000 IP addresses took place in the first half of 2018, the first half of 2019 saw 105 million attacks from 276,000 IP addresses.
The attacks are not particularly sophisticated, the researchers say. They observe that hackers are trying not to be noticed, which suggests they are building botnets, presumably for future DDoS attacks.
“As people become more and more surrounded by smart devices, we are witnessing how IoT attacks are intensifying.
Judging by the enlarged number of attacks and criminals’ persistency, we can say that IoT is a fruitful area for attackers that use even the most primitive methods, like guessing password and login combinations,” said Dan Demeter, security researcher at Kaspersky Lab.
What can you do to protect yourself?
While we wait for Apple and router companies to introduce these better protected routers, how can we protect ourselves?
Kaspersky advises us to take the time to check our existing security setups, warning that the most common security combinations in the field are appallingly easy to guess and crack.
“The most common combinations by far are usually “support/support”, followed by “admin/admin”, “default/default”,” they said.
Consumer and enterprise users of connected devices should take time to change default password settings to mitigate this.
There are other steps you can (and should) take:
- Install the latest firmware/security upgrades for all your connected devices.
- Use alphanumeric passcodes wherever you can.
- Reboot devices that seem to be acting strangely.
- Deploy firewalls and use a reputable VPN wherever possible.
- Consider creating second non-public networks for your older connected systems – that way while those older systems may be at risk your other devices will be less exposed to harm.
The problem with many of these protections is they are not necessarily trivial or accessible to every user, and that (I think) is how Apple’s HomeKit-approved router scheme will help people protect themselves a little more effectively.
When will these things ship?
The only problem is that, at present, we don’t know when these systems will ship.
I suspect there may be some unexpected challenges.
Recently announced delays in delivering some previously announced Catalina and iOS iCloud-related features (such as folder sharing in iCloud Drive) suggest that tying together the last few pieces of Apple’s nascent HomeKit security model may have hit turbulence, unless this is being held back by potential plans to introduce another product designed to work within such an ecosystem.
Signing off, no matter what computing platforms you run, you should most certainly take control of your existing smart home security set-up. Change your passwords, update the firmware, and make sure your routers are secure.