This holiday season, many individuals will be gifted a connected or Internet of Things (IoT) device – such as a smart TV, camera, home security system, gaming system, smartphone, tablet, or one of many household items that have become internet-capable in the last several years, such as doorbells, thermostats, coffee pots, refrigerators, toaster ovens, and even meat thermometers. Many of these devices lend a level of convenience to users by making controls available on the go via a smartphone app or website. While convenient, connected devices also transmit and store data and could be exploited by cyber threat actors to compromise networks, devices, or accounts. Compromised connected devices, combined with vulnerable home routers, increase the risk of cybercriminal activity and cyberattacks. Additionally, devices routinely connected to a home network can have further implications when subsequently connected to corporate networks and may introduce additional vulnerabilities and risks. Therefore, it is vital for users to employ cybersecurity best practices for the new gadgets they receive this holiday season and ensure devices and networks currently in use are properly secured.
Cybersecurity Best Practices for Connected Devices
Change the default password and use unique, complex passwords for all devices and accounts. Default passwords for devices and accounts can be used to gain unauthorized access. Unique passwords for each device and account prevent password reuse attacks, in which threat actors obtain your password for one account and use it to compromise an additional account using the same credentials.
Enable multi-factor authentication (MFA) where available. MFA is the use of two or more factors to authenticate to an account or service. This significantly reduces the risk of account compromise via credential theft in which your password has been exposed. Although MFA may seem like an inconvenient step in addition to account credentials, it is an important one to protect individual accounts and the community at large.
Keep devices updated. IoT devices often do not receive automatic security updates. Stay informed about publicly disclosed vulnerabilities and update devices, including firmware, to the latest versions to ensure they are patched against known vulnerabilities that threat actors could exploit to gain unauthorized access to your device or data. If a device is unable to receive updates from the vendor, consider not purchasing or discontinuing use of the device.
Check privacy and security settings. Check these settings to help manage your cyber risk and limit how and with whom you share information.
Cover and disconnect cameras when not in use. Cover or disconnect your camera when not in use to help prevent malware from taking control of your camera to spy on you and your surroundings. Additionally, when the camera is in use, ensure no sensitive information and images are visible.
Wi-Fi Network Security Recommendations
Change the router default username and password. Default router credentials are often publicly available and can be used to gain unauthorized access to your network.
Change the network name (SSID) and establish a complex password. Default SSIDs may give away the router’s model, which could provide threat actors with information necessary to obtain the router password (if using default credentials) or determine potential vulnerabilities that could be exploited. Use an obscure network name that cannot be easily associated with your identity or household and establish a password that is complex and difficult to guess.
Disable SSID broadcasting. This prevents unauthorized users from detecting your SSID or network name when searching for available wireless networks in their range to potentially connect to and engage in malicious activity. A user would need to know the network name to attempt to connect to the network.
Enable WPA3 with AES. Wi-Fi Protected Access versions 2 and 3 (WPA2/WPA3) are both recommended options for ensuring data on devices connected to the network is properly encrypted and secured. WPA and WEP are considered unsecure options and should be avoided.
Keep router firmware updated. Unlike software that provides automatic updates or prompts users to install updates, Wi-Fi router firmware needs to be manually downloaded and installed. Without firmware updates, routers may contain known vulnerabilities or use outdated encryption that could compromise the security of the network. When compromised, routers can become attack vectors that botnets use to launch attacks, such as distributed denial-of-service (DDOS) attacks.
Enable the router’s firewall. This will help prevent unauthorized access to the network and prevent malware from infecting devices.
Create separate networks for different devices. Creating separate Wi-Fi networks, or a guest network, for groups of devices with similar purposes or sensitivity can help prevent an entire network of devices from being compromised if a threat actor is able to gain unauthorized access to one device or network. For example, keep IoT devices on one network and mobile devices on another network.
Place the router in the center of your home. This placement provides the best coverage for the devices in your home while also making it less likely that the signal will be strong enough for someone outside your home to connect to your network.