In a July 6 post, I discussed the explosive growth of internet-of-things (IoT) devices in the consumer market. I expressed my concerns about how poor security practices with those devices could allow criminals to use them as gateways for fraudulent activity. At a recent technology event for Atlanta Fed employees, Ian Perry-Okpara of the Atlanta Fed’s Information Security Department led an information session on better ways to safeguard IoT devices against unauthorized access and usage. Ian and I have collaborated to provide some suggestions for you to secure your IoT device.
Prepurchase
- Visit the manufacturer's website and get specific product information regarding security and privacy features. Is encryption being used and, if so, what level? What data is being collected, where and how long is it being stored, and is it shared with any other party? Does the product have firmware that you can update? Does it have a changeable password? (You should avoid devices that cannot receive updates or whose passwords cannot be changed.) What IoT standards have been adopted?
- Check with reliable product review sites to see what others have to say about the product’s security features.
- If your home network router supports a secondary "guest" network, create one for your IoT devices to separate them from your more secure devices such as desktop and laptop computers and printers.
Postpurchase
- Perform a factory reset immediately, if the device supports one, in case someone has modified the settings. This is especially important if your device is used or refurbished or was a display model.
- Download the most recent firmware available for the device. Newer firmware often becomes available during the period the merchant held the device.
- Use strong password techniques and change the user ID and password from the factory settings. Use different passwords for each one of your IoT devices.
- Register your device with the manufacturer to be notified of security updates or recalls.
- Add the device to your separate network if available.
If you adopt these suggestions, you will have a secure IoT network that will minimize your risk of attack. Criminals will be much less able to take over your IoT devices for bot attacks or to go through them to gain entry into other devices on your home network. You do not want criminals to get at personal information such as the credentials for your financial services applications.
We hope this information will be helpful. If you have other suggestions to better secure your IoT devices, we certainly would like to hear from you.
By Ian Perry-Okpara, an information security architect in the Information Security Department at the Atlanta Fed
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed