The News:
The advent of smart hubs, wireless routers, and a plethora of consumer-grade internet-controllable devices has created a dangerous situation for both customers and telecommunications companies. Many of the Internet of Things (IoT) devices connected to home networks are equipped with little or no network security controls, leaving the users, their home networks, and even the broader internet community vulnerable to attack. By identifying the types of devices and security protocols that are particularly vulnerable, telecommunications providers can educate their customers on these dangers, strengthen the security around their network endpoints, and even generate incremental revenue through the sale of network-safe devices. Most importantly, they can improve their users’ overall customer experience, and elevate their role from vendor to trusted advisor.
Educating Customers About Home IoT Network Security
Analyst Take:
Most IoT devices shipped from the factory are inherently vulnerable to attack, and as a greater number of novelty devices include IoT connectivity, consumers must take the proper steps to secure these devices and their networks, to protect themselves and other users from malware, viruses, and other security intrusions.
Indeed, hackers can use techniques known as sniffing and encryption cracking to intrude into a home network. With sniffing, hackers capture packets of data transmitted between an IoT device and a router, copy them onto their own device, and use brute force to decipher them, often in only seconds or minutes. This can lead to hackers remotely controlling smart lights and thermostats, smart TVs, and other appliances, unlocking IoT-enabled exterior doors and garage doors, and remotely turning on and accessing video from smart cameras. Further, if these IoT devices are connected to the same internal home network as laptops or computers, and secondary security measures have not been deployed, it may be possible to intercept and steal sensitive data, such as personal data, financial information, and anything else stored on the network.
Personal Data Can Be at Risk on Home IoT Networks
Data that is stored on devices connected to an unsecured or vulnerable home IoT network can be at risk of being stolen, and then used for identity theft and fraudulent transactions. In addition, smart devices that contain personal data, including seemingly innocuous devices such as servers containing music or photos, can also contain data that provides a physical trail of users’ whereabouts, thanks to geolocation data and purchasing data. Savvy hackers can identify behavior patterns or correlate this data with other personal information to create a virtual profile of an individual, which may leave the user vulnerable to not only digital crimes, but physical ones as well (such as ascertaining when the user is away from home, leaving them vulnerable to a burglary).
Relinquishing Device Control to Hackers
Smart devices without adequate security controls enabled can also be hijacked, surrendering control to an attacker who can then manipulate the device and spoof the communication between two ends, which could also result in control over the entire home network. In addition to nuisance issues (such as turning up a thermostat too high), an attacker could unlock connected doors, shut off security cameras, or even potentially disable connected alarms.
Identifying the Risks with Connected Devices and Unsecured Networks
Two major flaws in connected homes make them susceptible to these attacks: weak IoT-enabled devices, and unsecured and vulnerable local networks. Smart home devices can be particularly vulnerable to attacks because they are special-purpose devices, and many of these vendors fail to provide the required special-purpose security solutions. In addition, these devices often use operating systems such as INTEGRITY, Contiki, FreeRTOS, and VxWorks, whose security solutions are not as robust as those of Windows or Linux-based systems, and whose security defenses cannot be updated to manage evolving cyberattack techniques and tools.
Similarly, many users set up local home networks without implementing the proper security protocols. Wi-Fi networks can be vulnerable to attack due to the use of default or weak SSIDs, the use of default or simple passwords, and weak encryption protocols. Failing to update credentials from the default settings is the digital equivalent of leaving a home’s front door wide open with a sign that says, “Help yourself to everything inside.”
Whenever possible, users should use the Wi-Fi Protected Access (WPA) security protocol, or WPA2, the second generation of the protocol, to connect devices to the router. WPA and WPA2 are more secure than the weaker Wired Equivalent Privacy (WEP) protocol, which is often set as the default protocol on many devices. If the devices a user wants to connect do not support WPA or WPA2, they should not be used, or should be connected only to a wireless network that is not linked to a network that is connected to IoT-connected computers, doors, lights, thermostats, or appliances.
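As an added illustration (not part of the original article), the Wi-Fi weaknesses named above that are visible from a scan, namely no encryption, WEP, and default-looking SSIDs, can be checked with a short Python script over the terse output of `nmcli -t -f SSID,SECURITY device wifi list`. The scan lines and the default-SSID patterns below are constructed assumptions.

```python
import re

# Assumption: illustrative default-SSID patterns, not a vendor-verified list.
DEFAULT_SSID_PATTERNS = [r"^linksys", r"^netgear\d*$", r"^dlink", r"^default$"]

# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
SAMPLE_SCAN = r"""
HomeNet-5G:WPA2
NETGEAR42:WPA1 WPA2
garage\:cam:WEP
linksys:
"""

def split_terse(line):
    """Split an nmcli terse line on ':'; '\\:' and '\\\\' are escaped literals."""
    fields, cur, i = [], [], 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])   # keep the escaped character literally
            i += 2
        elif line[i] == ":":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(line[i])
            i += 1
    fields.append("".join(cur))
    return fields

def audit(scan_text):
    """Return [(ssid, [issues])] for networks showing a weakness the article names."""
    findings = []
    for line in scan_text.strip().splitlines():
        parts = split_terse(line)
        if len(parts) != 2:
            continue                  # malformed line: skip rather than guess
        ssid, security = parts
        protos = set(security.split())
        issues = []
        if not protos or protos == {"--"}:
            issues.append("open network (no encryption)")
        elif "WEP" in protos:
            issues.append("WEP encryption")
        if any(re.search(p, ssid, re.I) for p in DEFAULT_SSID_PATTERNS):
            issues.append("default-looking SSID")
        if issues:
            findings.append((ssid, issues))
    return findings

if __name__ == "__main__":
    for ssid, issues in audit(SAMPLE_SCAN):
        print(f"{ssid}: {', '.join(issues)}")
```

Default or simple passwords, the third weakness the article lists, cannot be seen in a scan and still have to be checked on the router itself.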
Users should also enable two-factor authentication, where a device requires an additional verification via a mobile or authenticator app, which significantly reduces the ability of hackers to manipulate devices. Firewalls can be used to segment non-critical IoT devices from critical ones, and let the user manage the security level of individual connected devices. Firewalls can also be configured to send notifications to the host when any anomalies in the network or devices are detected.
Finally, it is important to periodically check and update the firmware of routers and IoT devices to ensure the latest security protocols are active.
Telecommunications Service Providers Should Take the Lead with IoT Device Education
As telecommunications providers often provide the hubs or routers used to connect these devices in the home, they are in a unique position to serve as a trusted authority on IoT home security. They can provide education around the devices to watch out for (largely novelty items such as string lights, or inexpensive gadgets or appliances that do not include on-device security protocols).
Telecommunications companies can also provide explainer tutorials on how customers can set up and configure their home networks to be as secure as possible, and should also provide a way for customers to easily get help from a virtual assistant or live technical support representative if they have an issue or additional questions. Finally, communications services companies can potentially add incremental revenue through the sale of vetted IoT devices that employ the proper security controls.
These final two steps are opportunities to not only help secure the homeowner’s network (and prevent intrusions that could, in theory, help spread malware and viruses around the web as a whole), but also improve engagement with customers and demonstrate that the telecommunications provider is a trusted advisor and resource.
Author Information
Keith has over 25 years of experience in research, marketing, and consulting-based fields.
He has authored in-depth reports and market forecast studies covering artificial intelligence, biometrics, data analytics, robotics, high performance computing, and quantum computing, with a specific focus on the use of these technologies within large enterprise organizations and SMBs. He has also established strong working relationships with the international technology vendor community and is a frequent speaker at industry conferences and events.
In his career as a financial and technology journalist he has written for national and trade publications, including BusinessWeek, CNBC.com, Investment Dealers’ Digest, The Red Herring, The Communications of the ACM, and Mobile Computing & Communications, among others.
He is a member of the Association of Independent Information Professionals (AIIP).
Keith holds dual Bachelor of Arts degrees in Magazine Journalism and Sociology from Syracuse University.