The WannaCry/Crypt attacks were a major wake-up call to the IT world that we are highly vulnerable when we’re careless. The ransomware attack should theoretically have failed, because the most recent Windows updates released a full month or two before the attack contained fixes which prevented WannaCry from working. So of course, in theory, everybody’s machines should’ve been updated with the latest security patches, rendering the attack useless, right?
Of course, in practice, a huge number of users – probably even a majority – do not update their Windows OS regularly. Either because they don’t know how, because they forgot, or because they’re too lazy. In the British National Health System and various corporations around Europe and Asia, their IT personnel may have forgotten or even been too lazy to ensure that their patches were up to date. And if they didn’t know how to patch, then they should clearly be shining balls at the bowling alley instead of working in IT. Anyway, WannaCry exploited this vulnerability and wreaked considerable havoc.
WannaCry was restricted to computers and servers. But what if such a virus were expanded to afflict – for instance – your smartphone? Your smart TV? Your computer inside your car, or in a home appliance? Where these devices are connected to the internet is called “the Internet of Things” – and you expose yourself to serious risk when your own Internet of Things (IoT) is left vulnerable.
As computer security expert Bruce Schneier recently opined:
Patching is how the computer industry maintains security in the face of rampant Internet insecurity. Microsoft, Apple and Google have teams of engineers who quickly write, test and distribute these patches, updates to the codes that fix vulnerabilities in software. Most people have set up their computers and phones to automatically apply these patches, and the whole thing works seamlessly. It isn’t a perfect system, but it’s the best we have.
But it is a system that’s going to fail in the “Internet of things”: everyday devices like smart speakers, household appliances, toys, lighting systems, even cars, that are connected to the web. Many of the embedded networked systems in these devices that will pervade our lives don’t have engineering teams on hand to write patches and may well last far longer than the companies that are supposed to keep the software safe from criminals. Some of them don’t even have the ability to be patched.
Fast forward five to 10 years, and the world is going to be filled with literally tens of billions of devices that hackers can attack. We’re going to see ransomware against our cars. Our digital video recorders and web cameras will be taken over by botnets. The data that these devices collect about us will be stolen and used to commit fraud. And we’re not going to be able to secure these devices.
Yikes! That sounds pretty scary. What I’ll say on the matter is this: where there are problems, people will find solutions. I’ll stay away from the long-term analysis of this outlook for now.
But how can we protect our own IoT in the present time? Good news: There are effective steps that you can take right now to begin locking down your IoT, steps which I highly encourage you to consider:
- Use WPA2 encryption on your home WiFi routers. Most routers are set up to use WPA2, as opposed to just WPA or WEP, by default. You should double-check anyway, just to be sure. If you use an older router, there is a possibility that it may have been set up with WEP or WPA. You want to make sure your encryption is as advanced as possible.
- Create strong passwords for your devices and internet. I’ve written an article on how to do this here.
- Use multiple SSIDs for your home. Consider this strategy: Use four different SSIDs – one for your private network consisting of computers, printers, or other devices relating to your computer, one for your other network-connected devices such as “smart” appliances, another for smartphone use only, and a final SSID for guest use only. This strategy isolates your devices (and users) from one another, aiding in the prevention of a hacker gaining access to your ENTIRE network and all devices therein.
- Use MAC filtering on your router. Unlike an IP address which is a purely logical construct, each hardware device itself has a unique MAC address. While there is such a thing as MAC spoofing, using a MAC filtering list on your router to allow only your own specific devices through is a valuable roadblock in locking out unwanted network visitors.
- Block or disconnect cameras and microphones on devices that you don’t need or don’t use. There are powerful hacking tools out there which can gain control of your recording devices and use them remotely, allowing someone to spy on you when you least expect it. That camera on the smart TV? While you watch TV, it might be watching you back. At the very least, cover up cameras or microphones if you don’t need them at all. Even a strip of Duct tape can do the job, although I’m sure you can find a more aesthetically pleasing solution.
- Simply don’t buy networked devices or appliances if you don’t need them. Don’t take me for an Internet Luddite; I’m not saying to flatly avoid networked devices. They can have some incredible capabilities which make them totally worth it. I’m just suggesting that when buying a new networked appliance or other device which does not necessarily NEED to be networked – say, a washing machine – take a moment and think through whether or not you really want that functionality. Be judicious in your decisions.
None of these are life-altering measures, yet can prevent hacking disaster which certainly could alter your life. Therefore, I strongly encourage you to consider this advice and take a proactive step toward securing your IoT. Your IoT is your kingdom, your castle… care for it wisely, your majesty.