FBI warns customers, get Internet of Things away from the Internet

A recent announcement issued by the Federal Bureau of Investigation warns customers that Internet of Things poses opportunities for cyber crime.

The FBI is worried by rapid diffusion of the Internet of Things devices, according law enforcement smart objects could represent a serious threat for cyber security, and more in general for the society.

Security experts are aware that Internet of Things could be abused cyber crooks for criminal activities and use principal vendors to adopt security by design in order to produce smart objects resilient to cyber attacks.

The FBI’s public service announcement, published on September 10, highlights that Internet of Things poses opportunities for cyber crime as explained in the following statement from the Bureau.

“As more businesses and homeowners use web-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet also increases the target space for malicious cyber actors. Similar to other computing devices, like computers or Smartphones, IoT devices also pose security risks to consumers. The FBI is warning companies and the general public to be aware of IoT vulnerabilities cybercriminals could exploit, and offers some tips on mitigating those cyber threats.” states the announcement.

The announcement has raised a heated discussion on the responsibility for the exploitation of such kind of devices, it seems that the FBI attributes the responsibility for the security of these devices on the consumer.

“Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it operate on a home network with a secured Wi-Fi router” states the announcement.

Recently we have discussed several flaws that could be exploited by attackers to conduct illegal activities. Crooks are able to exploit home routers, fridges and baby monitors to carry on illegal activities, crimes that could impact million of users worldwide. I wrote an interesting analysis, titled “How Hackers Violate Privacy and Security of the Smart Home” to explain how Internet of Things could be exploited to hack modern smart home.

Smart objects could be hacked in different ways and for different reasons, they could be affected by vulnerabilities such as the “UPnP vulnerabilities” recently discovered, or they could be simply poorly configured (e.g. adoption of unchanged default passwords)

Every Internet of Things devices is insecure if it is not properly deployed and configured, for this reason the FBI invites end-customers to get smart objects away from the Internet.

“Isolate IoT devices on their own protected networks” states the announcement in the section dedicated to the Consumer Protection and Defense Recommendations.

I personally consider very important the advisory issued by the FBI, but probably is is not so clear when dealing with attribution of responsibility. It is clear that we cannot pretend that every final customer becomes a Tech savvy, so we must improve the security by design making Internet of Things more reliable and resilient to cyber attacks.

Let me close with the recommendations for the customer’s securtiy included in the announcement:

• Isolate IoT devices on their own protected networks;
• Disable UPnP on routers;
• Consider whether IoT devices are ideal for their intended purpose;
• Purchase IoT devices from manufacturers with a track record of providing secure devices;
• When available, update IoT devices with security patches;
• Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it operate on a home network with a secured Wi-Fi router;
• Use current best practices when connecting IoT devices to wireless networks, and when connecting remotely to an IoT device;
• Patients should be informed about the capabilities of any medical devices prescribed for at-home use. If the device is capable of remote operation or transmission of data, it could be a target for a malicious actor;
• Ensure all default passwords are changed to strong passwords. Do not use the default password determined by the device manufacturer. Many default passwords can be easily located on the Internet. Do not use common words and simple phrases or passwords containing easily obtainable personal information, such as important dates or names of children or pets. If the device does not allow the capability to change the access password, ensure the device providing wireless Internet service has a strong password and uses strong encryption.

There is no time to waste, Internet of Things devices are already surrounding us, we must improve their security before hackers exploit them.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Internet of Things, cybercrime)