Day 4

Who's on My Network? IoT Security

DAY 4: Who's on My Network? IoT Security

Welcome to Day 4 of my 30 day security challenge, the month long challenge I created to help you gain control of your privacy and security online. You can follow along with the security challenge via my blog at snubsie.com, where you can skip ahead or download a checklist of the challenge. Each video will also be curated into a playlist so it'll be easy to follow along from Day 1 all the way through 30 here on Youtube.

Today we're going to figure out who's on our network, how to kick off any weird devices, and what devices should go on guest verses internal.

Log onto your admin interface for your router via the web browser again. To get there, type in the IP address which will be something like 192.168.1.1 or similar. Yesterday we talked about how to change all your settings on your router so you're more secure. Chances are, everything on your network now are things that should be on your network if you did change your SSID and passcode, plus your admin credentials yesterday. BUT, on the off chance that something snuck on that shouldn't be there, let's check out the clients list. Clients are any devices connected to your network - be it a smartphone, IoT device, computer, gaming console, whatever. You SHOULD be able to recognize everything on that list, but if there is still something weird there, you'll need to go back and change your settings again, following my advice from yesterday. That includes turning on WPA2, turning off WPS, and restricting access to your internal network to just your devices, not Internet of Things devices or friends that come over. Hopefully you didn't skip yesterday, cuz if ya did, this ain't gonna make a lot of sense.

Now check your client list again. See anything weird? Consider that some products may just list a model number instead of an easily understood name. If you suspect that weirdly named device is something you own, you can simply shut down that device, refresh the client list, and see if it disappeared. If it did, then you know you found your culprit. Easy!

Now let's choose what network all our items should go on. Hopefully you followed my advice and separated out IoT devices from your smartphone and laptop by creating that guest network. But let's dig deeper. IoT stands for Internet of Things. It includes connected appliances, connected cars, wearable technology, etc. Popular devices in the IoT category include the Nest Thermostat, Internet connected security cameras, connected Roomba Robots, connected pet feeders, Amazon's Echo, Google Home, your car (if it connects to the internet), a FitBit, even a Kindle e-reader could be considered IoT. The problem with IoT devices is that oftentimes they are built with convenience in mind instead of security. In a real world sense, you could equate this to leaving your front door open. It would be super convenient to just leave your door open, but you take the time to shut it and lock it because you want that security. We accept that additional labor because the security of our household beats the convenience of being lazy. IoT devices favor convenience by making our lives easier in one way or another. But they also oftentimes throw security out the window just so they're easier to use. That inevitably hurts us, when someone finds a backdoor or a vulnerability in that device, and wreaks havoc on our home network. Since these IoT devices aren't currently regulated by any authority for security, manufacturers can basically do whatever they want. Luckily, some care more about your security than others, but we also end up paying extra for those additional layers of security - so a lot of folks don't buy the more protected devices. Scary things is - as consumers, lots of times you won't even know if an IoT device has been hacked, because it might continue to work like normal without any knowledge that something has happened.

So take out that notepad or look through your client list on your router, and figure out what products are IoT, and which ones are not. If you question whether or not something is IoT, do yourself a favor and just list it as an internet of things device - just in case the security of that device totally sucks.

While you can't kick any of these items off your router via the client list, you can reset each item and stick them on your newly created guest network so they can't hurt anything inside your internal network if they ever do get hacked. This is going to take some time to do unless you can just open the devices smartphone app and do it via the apps interface, so take your time and be diligent. Trust me when I say it is worth it and this is a huge way to protect your computer and smartphone from attacks on internet of things devices.

Pro Tip: Now that you know which devices are IoT and which ones are not, consider logging into those IoT devices (if you can!) and changing the default username and password credentials for that device (again, if you can). You may want to write these down in that notepad, because you want to come up with different passwords and usernames for each device. We'll talk about how to store all these new passwords later on this month.

Even better yet - just disconnect the device. Does that Roomba vacuum REALLY need to be connected to the internet? Do you REALLY need to connect your refrigerator to the WiFi? No? Turn that stuff off. Seriously - no one can attack the device via the network if it's not on the network in the first place.

Make sure you update the firmware on any devices that are connected, and if you have an option to - turn off this thing called Universal Plug and Play. UPnP for short is used to help devices autoconnect, but it's also a vulnerability in some devices. If the option is there, turn it off. If the device has a cloud backup option, make sure their privacy policy says they use encryption. Even then, you can't be sure - you'd just be taking their word for it. So if you can live without cloud backups from the device, turn it off.

Lastly, if you wear or bring any devices with you to work, don't connect them to your works internal network. Ask if your job has a guest network that you can connect to instead, but make sure they constantly assess and audit the devices on the network so you are safe.

Keep that in mind for your home network too - continually audit your router settings and client lists to make sure they are still secure, updated, and private. Security is constantly changing, so it's important that you also stay up to date on any new firmware updates or devices on your network.

Day 4 is done! Phew! These two days were pretty long, but tomorrow's is pretty easy. Tomorrow I'll share how to set up auto updating, lock screens, and more for your important smartphones and computers. But first, make sure to subscribe on youtube and hit up snubsie.com for the downloadable checklist and to skip ahead on the 30 day security challenge. Again, I'm Shannon Morse and I'll see you tomorrow for day 5!