It’s in the fine print

Taking the example of the printer, features like ePrinting (social media & cloud printing), scanning to email & networks, wifi printing (from mobile devices) and remote management are all enabled by default, allowing buyers to quickly set up and use their new devices. These features could, on the other hand, present serious security issues.

Whether on a corporate or home network, modern smart printers gather information about their environment and even have their own management interface (operating system) as well as many other built-in services. Unfortunately, these features don’t offer the best security and can sometimes have known and/or publicly exploitable vulnerabilities. Combine vulnerabilities with access credentials/accounts and you’re in for a bad time if the device is exploited and used as a point of infiltration. To put this into perspective, dinosaur devices like dot-matrix printers typically have zippo smart capabilities, rendering them invisible and un-hackable in comparison to most modern devices. It’s for this very reason that dot-matrix printers are still used for special applications like printing salary slips (payroll) or other sensitive financial information in most banks.

Any device that connects to the internet or is ‘smart enabled’ is vulnerable to being targeted by threat actors. The best course of action is to apply the same logic to it as one would to a workstation or server. IOT devices are effectively no different. If an IOT device runs an operating system and/or speaks IP, it must be secured. Smart-enabled devices come shipped with the most permissive settings active by default and rely on the user or admin person to dial in their preferred configuration before use.

 

The following are some important points to consider and address from a security standpoint with IOT devices:

1. What is the default administrator username and password?
   • By default, manufacturers set basic, publicly disclosed usernames and passwords. Changing these defaults to something unique and secure is step one to enabling the security on any IOT device. Avoid names like admin, administrator, user, etc. and always set 8+ character passphrases which include numbers and symbols.
2. Is it running the latest available firmware?
   • Device firmware is installed by the manufacturer at their respective factory before shipping (like installing Windows on a PC). The manufacturer may have installed the latest firmware before shipping, but this may not hold true at the date of purchase. Compare the installed firmware on the device with the latest available firmware on the manufacturer’s website and always keep devices’ software up to date.
3. Which smart features are needed in my environment?
   • Out-the-box devices have all their smart features turned on for ease of access. Consult the user manual or manufacturer’s website for device features and disable any that are unnecessary or unneeded in order to help reduce potential risks. For example, if there are no Apple devices in your environment, features like Airprint or Airplay are basically irrelevant.
4. Does it have any security features and are they enabled?
   • Security features are normally set to the opposite of the smart features, i.e. off. If a device has any kind of integrated security functions, configure and enable them as best possible. Some manufacturers provide documents on the basic security settings to assist average users with these. Apply security settings in small batches of 2 to 4 at a time as it’s easier to diagnose the problem should a device feature suddenly stop working. Always test between changes to confirm that the desired outcome has been achieved.
5. How accessible is it from outside my network?
   • The more precise question here is “who can access my device and from where?”. If the previous points were addressed correctly, there’s less to worry about. Depending on the device’s functions and configuration, internet access may be a key feature. In this case, it’s important to have access controls in place for who and where they can access it from. If not, disable any internet-related features. Implementing restrictions on the network firewall is also a great way to protect and limit device access to the internal network.
6. Vulnerability scanning
   • Scanning for vulnerabilities can save many hours of wasted time and provide a great deal of peace of mind – provided nothing bad is detected, but even then, bad news should travel quickly (Bill Gates has always maintained this to his credit). It also provides key insights into any configuration mistakes, missing patches or security settings that may have been overlooked. This is done using vulnerability scanning tools like F-Secure Radar which is an accumulation of knowledge from security experts, multiple CVE databases and over 30 years of experience in cyber security. F-secure Radar identifies vulnerabilities, outdated software, misconfigurations, and more, and provides simple-to-understand solutions to help with remediation.

IOT vulnerabilities exist everywhere and with the growing number of IOT devices in the wild, security should be at the forefront of IOT development. Unfortunately, this is not always the case as it adds extra costs and time with the R&D for the manufacturer to develop secure devices. It’s important to understand, though, that the responsibility for sufficient security does not fall solely on the manufacturer but also the user/owner of such devices because at the end of the day it is the users and business owners who will suffer the most if security is compromised.

 

In the words of Robbie Sinclair, Head of Security, Country Energy, New South Wales, Australia: “Security is always excessive until it’s not enough.”