Top Ten Checklist for Buying, Then Securing, Your IoT Devices
Before buying that first wireless thermostat or connected watch, make sure you're smart as well, particularly about IoT security. As consumer adoption of connected technology skyrockets, so too will safety issues. Here are ten questions to ask before making your first purchase.
- How good is customer support? A solid, well-supported brand should be able to give timely answers to your questions by e-mail, social media or telephone. Are there complaints about not being able to reach a company? Not being able to get fast support is trouble right off the bat.
- Has the manufacturer suffered any data breaches? A search on the web can help you here, says Tony Anscombe, security evangelist for the Amsterdam, Netherlands-based online security company AVG Technologies. He says consumers should pay attention to whether a firm has suffered a breach, whether it informed its customers — and how long it took to fix the problem.
- What are the device's vulnerabilities and how are they fixed? For this, a consumer should check industry and government websites, says Jerry Irvine, a member of the U.S. Chamber of Commerce Cyber Security Leadership Council and Chief Information Officer for Prescient Solutions, a Chicago-based IT outsourcer. "There will be vulnerabilities and there will be ways that companies say 'this is a risk but here's how you overcome it,'" Irvine says.
- Can the device be accessed by someone other than you? The manufacturer should have the answer. Consumers must be able to control access to their device, and be able to change its default settings, says Tim Erlin, director of IT security and risk strategy for Tripwire, a Portland, Oregon, security software seller. If not, that's a warning to avoid the device.
- Does the manufacturer put out automatic updates to the device? This should also be easy to find out by contacting the manufacturer. If not, that's a red flag. "An out-of-date system is almost always vulnerable to attack," says Tripwire's Ken Westin, a senior security analyst. Buyers should ensure that firmware, the permanent software that controls a device, also updates automatically.
- Is the Wi-Fi network that connects to your device secure? Even if the device checks out, you also need to batten down the hatches at home. Tripwire's Westin suggests using the WPA2 encryption option on your router. And Joe Liu, CEO of MivaTek, suggests that an additional hardware firewall with anti-hacking software for your Wi-Fi can create the safest video privacy situation.
- How many open ports does the device have or require? Again, ask the manufacturer, says Robert Siciliano, CEO of IDTheftSecurity.com and an identity theft expert. Basically, the more open ports, the more ways malware can get into your device. The short answer is the fewer the better. So, check. Even so, says AVG's Anscombe, antivirus software will be needed to block phishing sites.
- Does the device encrypt stored data? The device maker will answer this — if not, that's troublesome. Should you forget your smartwatch in a cab, you don't want someone else downloading your details. Ask.
- How does the device signal that the batteries need changing? "Any manufacturer worth their salt will provide some level of notification, whether in a pop-up or an LED light or an audible tone, alerting to power failures and/or battery drain or battery life," says Siciliano.
- Finally, what data does the device collect and for what reasons? Even Porsche raised this question when picking Apple CarPlay over Android Auto, claiming they didn't want to share the data on their vehicles with Google. You're also going to want to know if your smartwatch or smart thermostat is downloading and storing your information. Data on one connected device can easily flow to another, says AVG's Anscombe.
Pay attention to the product's privacy policies and ensure that the terms and conditions are clearly spelled out, "particularly those that have a cloud-based service behind them," says Tripwire's Westin. Ultimately, you'll want to avoid devices that collect data if they come from vendors that don't mention data security and privacy, says Tripwire's Erlin, who adds that the best ones make protection a priority.