The FBI has a rather interesting opinion on how users should approach IoT devices and their security. The takeaway? If you want to use it, you'd better know what you're doing -- and keep it off the Internet.
Last week, the law enforcement agency issued a public notice on the Internet of Things (IoT) and the opportunities therein for cybercrime. IoT devices, ranging from connected cars to smart fridges and home security systems, have one thing in common: connection to the Internet and data transfer in some way.
While it's true that connecting a device to the Web forges a pathway which may lead a cybercriminal right to your door -- especially if default passwords are in place -- many of the issues relating to the security of IoT devices lie squarely on the shoulders of the vendor.
Once connected to the Web, over-the-air updates and security patches can be issued, but you often find IoT firmware is left out-of-date. Critical vulnerabilities are discovered in connected home products almost every week, often leading to a vendor scramble to fix security flaws.
This is something that vendors must get on top of. Connected devices -- whether a car that can be unlocked remotely or a smart thermostat -- may look pretty and work well, but as IoT popularity increases, security can no longer be left on the sidelines.
The FBI's announcement did manage to get some things right by warning about risks associated with IoT. Exploits launched against the Universal Plug and Play (UPnP) protocol can lead to remote attacks; default passwords which are not changed can be either found online or brute-forced to open access to a device and its network; and other types of attack -- such as denial-of-service (DoS) salvos -- could lead to device overload.
Yes, there is a certain amount of responsibility users must take. When updates are available for your devices, you should update immediately -- as we see time and time again, outdated software often equals vulnerable software. However, it is one thing to remind users to update their software and another to place full security responsibility on their shoulders.
If possible, default passwords should be changed immediately -- although there are cases when vendors do not allow this to happen.
You can't expect every member of the general public to understand or have an interest in cybersecurity; it simply isn't going to happen. So, the FBI recommending that IoT devices be "isolated on their own protected networks" is madness -- although the recommendation to disable UPnP on routers is sound.
In addition, the FBI touched upon the medical profession, saying patients "should be informed about the capabilities of any medical devices prescribed for at-home use. If the device is capable of remote operation or transmission of data, it could be a target for a malicious actor." The bulletin says:
"Criminals can also gain access to unprotected devices used in home health care, such as those used to collect and transmit personal monitoring data or time-dispense medicines.
Once criminals have breached such devices, they have access to any personal or medical information stored on the devices and can possibly change the coding controlling the dispensing of medicines or health data collection. These devices may be at risk if they are capable of long-range connectivity."
According to the FBI, the general public should "be aware of the capabilities of the devices and appliances installed in their homes and businesses." However, the general public is not a group of security specialists, in the same way that medical professionals are not typically trained in the security industry.
Perhaps the FBI's next public announcement should be related to vendor responsibility -- such as enforcing changes to IoT device default passwords at setup in an easy way -- rather than assumptions based on the technical capabilities and knowledge of the average household.
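To make the vendor-side recommendation concrete, here is an added example (not code from the article, the FBI bulletin, or any particular vendor) of a first-boot provisioning flow that enforces a default-password change the way the paragraph above asks for. The device stays in setup mode, and refuses to enable any remote-access service, until the factory default credential has been replaced with something that is not the default, not on a short denylist of common defaults, and not trivially short. The factory default, the denylist, and the `Device` class are all constructed for this example.

```python
"""Model of an IoT device that forces a default-credential change at setup.

Added illustration only: the class, the factory default and the denylist
below are constructed for this example and do not describe any real product.
"""
import hashlib
import hmac
import os

# Constructed factory default; real devices ship with a value like this on a label.
FACTORY_DEFAULT_PASSWORD = "admin"

# Constructed denylist of credentials that must never be accepted at setup.
COMMON_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "root", "user", "guest"}

MIN_LENGTH = 12
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored value is never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Device:
    """A device that boots in setup mode with only the factory default set."""

    def __init__(self) -> None:
        self._salt = os.urandom(16)
        self._pw_hash = _hash_password(FACTORY_DEFAULT_PASSWORD, self._salt)
        self.setup_complete = False
        self.remote_access_enabled = False

    def check_password(self, candidate: str) -> bool:
        """Constant-time comparison against the stored hash."""
        return hmac.compare_digest(_hash_password(candidate, self._salt), self._pw_hash)

    def set_password(self, current: str, new: str) -> str:
        """Replace the credential; returns "ok" or a rejection reason."""
        if not self.check_password(current):
            return "rejected: current password incorrect"
        if new == FACTORY_DEFAULT_PASSWORD or new.lower() in COMMON_DEFAULTS:
            return "rejected: default or common credential"
        if len(new) < MIN_LENGTH:
            return "rejected: too short"
        if self.check_password(new):
            return "rejected: unchanged"
        # Rotate the salt along with the hash so old and new stores are unrelated.
        self._salt = os.urandom(16)
        self._pw_hash = _hash_password(new, self._salt)
        # Leaving setup mode is a side effect of the change, not a separate step
        # the user can skip.
        self.setup_complete = True
        return "ok"

    def enable_remote_access(self) -> bool:
        """Network-facing features stay off until setup has completed."""
        if not self.setup_complete:
            return False
        self.remote_access_enabled = True
        return True


if __name__ == "__main__":
    d = Device()
    print("remote access before setup:", d.enable_remote_access())
    print(d.set_password("admin", "Password"))
    print(d.set_password("admin", "correct-horse-battery"))
    print("remote access after setup:", d.enable_remote_access())
```

The point of the design is that the gate is structural rather than advisory: `enable_remote_access` cannot succeed while `setup_complete` is false, and `setup_complete` only becomes true through a successful `set_password` call, so a user who skips the step simply does not get a reachable device.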