FBI tells Jo(e) Sixpack to become an expert in IoT security
It's also accidentally written the syllabus for a 'Home IoT Network Engineer' course
Internet of Things users need to become sysadmins, America's Federal Bureau of Investigation says.
That's a summary of the Feds' blog post, published this week, in which the agency's Beth Anne Steele wrote that Things are best deployed on their own network, with an off-switch.
Steele's post offered a checklist explaining how consumers can best secure their stuff, including a suggestion to: “Isolate 'IoT' devices on their own protected networks” – which means you'll want a firewall between your broadband modem and the switch that connects the devices.
The checklist might reach beyond the capabilities of the average IoT buyer, who just wants to swipe the phone app to control their lights (because the wall is so far away), but on its own, that's a point worth making. So here's the full list, with El Reg commentary.
- FBI: Change default usernames and passwords. Many default passwords are collected and posted on the Internet. Do not use common words and simple phrases or passwords containing easily obtainable personal information, such as important dates or names of children or pets.
(El Reg: It's hard enough to get users to quit using pa55word. Also, how many people don't even realise there's an admin interface for their oven?)
- FBI: If you can't change the password on the device, make sure your wireless Internet service has a strong password and encryption.
(El Reg: Good advice for a sysadmin, perhaps a challenge for the punter, and isn't the FBI anti-encryption?)
- FBI: Invest in a secure router with robust security and authentication. Most routers will allow users to whitelist, or specify, which devices are authorised to connect to a local network.
(El Reg: Again, good advice for a sysadmin. MAC address filtering should be simple, but think of your own family and ask who you'd delegate it to. And then explain how this works for devices that do MAC address randomization.)
- FBI: Isolate “IoT” devices on their own protected networks.
(El Reg: See above regarding lack of skills. Also, imagine what it's going to be like explaining to punters that two DHCP servers on the same network is … difficult.)
- FBI: Turn devices off when not in use.
(El Reg: When is that? Most home Things require that they're always-on – think smart locks, for example.)
- FBI: Research your options when shopping for new “IoT” devices. When conducting research, use reputable Web sites that specialise in cyber security analysis and provide reviews on consumer products.
(El Reg: Where do we start with this one? Name us five such sites that punters would correctly judge as trustworthy.)
- FBI: Look for companies that offer firmware and software updates, and identify how and when these updates are provided.
(El Reg: And then pray that the company doesn't make its products obsolete by turning off the updates tap. And then contemplate whether the average users is really ready to figure out half-a-dozen different firmware update regimes.)
- FBI: Identify what data is collected and stored by the devices, including whether you can opt out of this collection, how long the data is stored, whether it is encrypted, and if the data is shared with a third party.
- FBI: Ensure all “IoT” devices are up to date and security patches are incorporated when available.
(El Reg: We couldn't agree more. How many unpatched routers are out there, again? Or Apache Spark implementations at credit reference agencies?)
The depressing thing is that every single item on this list is necessary and true, and nearly all of it is beyond the home user. It would, however, make a sound syllabus for some kind of certification, if anybody would study it, which they wouldn't.
The FBI promises its blog next week will be on Internet-connected toys. We can hardly wait. ®