Thinking Security: Are You Being “Smart”?

This is the 42nd blog in a series about security and how security is about how you think.

Many homes have received an upgrade lately with additional devices boughtor received – new “smart” TVs, “smart” phones, “smart” virtual assistants and even “smart” locks and garage doors, which allow you to control who can come into your home from your “smart” phone.

But do those devices make you “smart”? Or only if you know what you’re doing?

Each one of them was designed, manufactured and implemented by a different group of people, sometimes even within the same company. Each device came with an installation manual and a default configuration (which, while it may or may not be the most secure, may be the configuration that satisfies the most clients). When you turn on the device and connect it to your network, you have to agree to a few screens of legal jargon. Do you actually read them? Do you know what data it’s sending into the company for “increased diagnostics”? Are you being “smart” using it?

One example of such a device is a voice controlled smart assistant, whether it be a remote or the actual television. When you say something, is the device always listening? Even if you have to say an “alert” phrase, what does it do with the rest of the data? And even more importantly, does it send that data back to the company so that it can better assist you or even to do analytics about you and your family?

But there is another side to all of these “smart” devices – when do they get updated? When do you check for the next firmware or module – and how do you know it’s available? “Hey, device, check for updates?” I don’t think that command works on most “smart” devices.

Also, what types of vulnerabilities to these devices have? Is your brand new “smart” lock where you can check your front walk from anywhere in the world also allowing anyone else the ability to check your front walk? Is your home firewall configured correctly so that other traffic can’t connect back into the “smart” lock from somewhere else (either intentionally or through a vulnerability) and unlock your door while you’re not home? Or get to other places within your home network?

The Mirai botnet started in 2016 by infecting popular Internet of Things (IoT) devices using well known (and published by the manufacturer) factory default usernames and passwords. The malware scanned the Internet for newly added devices and then tried to connect to them with a variety of techniques and credentials. If it succeeded, the malware infected the device and turned it into a “zombie” that could be controlled remotely and used to attack other systems (called Distributed Denial of Service, or DDoS, attacks).

One hopes that this revolution in malware spurred manufacturers to be more security-minded, but what about homeowners? Are they really “smart” about security – or is “Hey, it works” good enough?

You almost need a home IT and security department to ensure that your home’s network (and your data) is totally protected from attackers, botnets, and the Internet at large. It really comes down to how you “think” about security. Even within your home network, what devices can connect to (or “see”) to other devices? Which ones are “discoverable”? How often do you check the manufacturer’s website for a new version? Have you ever used a popular network sniffer (such as Wireshark) to look at your home network for what traffic is on it and what IP addresses (either IPv4 or IPv6) the devices on your home are connecting to? Does your home network have a “guest” network for guests or do you let them onto your normal network with all of your other devices?

The security of your home does rely on how you THINK about security. THINK about that the next time a commercial shows you a “smart” device and how it can make your life easier. Are you being “smart” about your home security?