ASU professor on the smart use of "smart" devices and how to protect personal data
“Alexa, what’s weather today?”
“Alexa, play some classical music from my library.”
“Alexa, order toothpaste.”
It’s an ordinary morning scene for some Americans. Many "smart" devices — such as Amazon's Echo, which uses the Alexa Voice Service — promise to make life simpler, and they connect to our home routers to provide immediate satisfaction.
However, many of these devices that aren’t traditional computers are left undefended. In fact, last week’s Distributed Denial of Service (DDoS) that prevented access to websites on Dyn, including Twitter, Netflix, PayPal and more, was in large part caused by unprotected devices that are part of the “Internet of Things.” So how can we be part of this new and exciting future while still ensuring our refrigerators aren’t contributing to a DDoS or other malicious use?
Gail-Joon Ahn, a professor of computer science and engineering and the director of the Global Security Initiative’s Center for Cybersecurity and Digital Forensics, discussed smart use of Internet of Things devices.
Question: What constitutes a “smart home”? Is it like a Bond lair, or less futuristic than that?
Answer: Smart homes don’t have to be fully automated or futuristic. Many of us have smart homes: cameras that help monitor home security, a set-top box giving you access to thousands of movies and TV shows at your fingertips, a thermostat that can provide personalized cooling and heating and can be controlled by a smartphone, a game console that can play video games with cyber friends you’ve never met, and wearable devices that can check current health stats and store the collected data in clouds to communicate with health professionals. When all these things are connected through the internet, we’ve built a network infrastructure we call the “Internet of Things.”
Q: Can the Internet of Things (IoT) be “weaponized”?
A: “Weaponized” may be too harsh a term, but devices connected to the IoT have been used heavily in large-scale DDoS events because they tend not to be well-defended. Last Friday, users across the U.S. experienced the effects of such a DDoS on Twitter and other websites, attributed greatly to IoT devices used as part of the network that floods the website’s server with illegitimate requests such that it cannot handle the traffic and becomes inaccessible to real users.
Cyber threats targeting IoT devices often rely on default credentials such as factory default or hard-coded usernames and passwords. The first reported IoT “botnet” devastated the security community because of its severity and the number of infected devices. This really confirms that the weakest link is human, and not technical.
Q: How can we protect our Internet of Things devices?
A: Many people still use a default username and password such as “admin” and “password” for their home routers, the central point of internet connection for all of your home devices. This lack of security can cause severe problems as hackers could take over your internet connection and use any unprotected device connected to the router, even refrigerators. Change your passwords! Obviously, a newly created username/password pair should be only be easy for you to remember, but not too simple so as to be susceptible to a password crack attempt. This goes for smart devices, too — remember to change the default credentials when you connect them to your router.
Also, I recommend avoiding SSID broadcasting and encourage leveraging MAC filtering with advanced security features such as Wi-Fi Protected Access (WPA).
Q: I know I should protect my credit-card numbers and personal information. Is there any other information I need to worry about?
A: Your devices are connected to the internet, and therefore connected to service providers who will leverage a digital asset that you generated: data. However, such data can be misused. As users of smart devices, we also need to manage our valuable data in a smart way. Please think twice before sending any personal information or data through your IoT devices, which might be accessible to unknown and unauthorized neighbors. Vulnerable devices can also share critical information with hackers: If your security cameras are compromised, hackers will know when you aren’t home; if your Xbox is compromised and you don’t vary your passwords, hackers may be able to use your password to get into valuable accounts; if your refrigerator has a camera to track when you’re low on milk, it could be programmed to take images of your family. Long story short: Change your passwords!
Top photo: Amazon Echo, courtesy of Amazon.com.