Why to avoid IoT in the workplace and at home

The Internet of Things, commonly referred to as IoT, is a new market popping up that boils down to the idea of connecting everything to the internet, even if it doesn’t need to be. The downside of these devices is that many of them are not secure out of the box and many more are unmaintained. Many of the devices that are showing up on market dont even have a good reason to be connected to the internet.

Exhibit 1: Juicero

Juicero is a cold press juicer, but you cant just put whatever you want into it like a normal juicer. No, you have to buy their prepackaged bags of fruits and vegetables. Even worse, if your internet cuts out it stops working. The only value add to connecting this thing to the internet is that if there was a recall on a package, the Juicero wouldn’t squeeze it. The good news is that if your internet fails, you can just squeeze the juice yourself.

But lets stop talking about how dumb these devices are. They are serious security problems waiting to happen, too.

Exhibit 2: JideTech Onvif 2.4 Wi-Fi Security Camera

Amazon has since taken this camera down from their store, hence the Internet Archive link. This is probably my favorite example and the one I bring up most often when talking about how badly insecure IoT is. This is one of the cameras that make the Mirai botnet the most powerful botnet in the world. Security guru Rob Graham tweeted about buying this camera and watching with WireShark as it was infected very soon after plugging it in. It is vulnerable out of the box and was never patched, hence why amazon stopped selling it. Video

So now we know that IoT devices are worthless and insecure, what about your privacy?

Exhibit 3: Pillsy

Pillsy is a bluetooth enabled pill bottle that reminds you to take your meds. The idea of sharing what medication you take, or how often you forget to take it is a terrible idea. I don’t even want to imagine how much money information like that is worth to health insurers.

 

This is an expansion on one of the topics in my article on tips for your employees on how to secure a home network.

 

Tips for your employees on how to secure a home network

It has become very common for employees to work from home using company laptops or by working remotely with a home computer. This change can be good for comfort and productivity, but a home network rarely ever reaches the same level of security as a business network. Here are some tips to reduce data risk at home.

  1. Keep everything updated
  2. Dont use IoT (Internet of Things) devices
  3. Use a VPN
  4. Use ad blocking addons
  5. Disable UPnP (Universal Plug and Play) on your router

Keep everything updated

Just because a vulnerability gets patched doesn’t mean that hackers are going to stop trying to use that method of attack. Rather, bad guys rely on victims to leave their electronics unpatched, and try older, still working exploits, even though there is already a fix available. Everything in your house that connected to the internet, weather through a wired or wireless connection should stay as up to date as possible, so that old methods of attack wont work against you.

 

Don’t use IoT devices

It is very common for IoT devices to be highly vulnerable. The most powerful botnet named Mirai is made up of internet connected security cameras designed for home use. If you were to plug a vulnerable camera into your home network, the camera could become infected in less than two minutes and start slurping up all of your internet bandwidth every time it is directed to attack a target. The camera can also be used to spy on you. Other IoT devices are known to have vulnerabilities that put your personal data at risk, such as this kids toy designed to record audio messages, but could be used to snoop on the house, and had no security what so ever on the storage of the recordings.

 

Use a VPN

Most security minded clients I’ve had have required employees who from outside of the office to connect to company resources using a VPN. Some industries are required by law to not allow access in to the network from the outside. A VPN allows users to bypass this restriction.

 

Use ad blocking addons

The Google Chrome and Mozilla Firefox browsers have many different addons that block advertisements. Personally I recommend uBlock Origin [Chrome | Firefox]. ad blockers are good because they clean up web pages and speed up the time it takes to load a web page, but my reason for recommending blockers is because advertisements can carry malware. Let me give you an anecdote from my time working in helpdesk:

We had a high number of calls coming in for users getting hit with ransomware and every time it was the same story. “I just opened up the internet and suddenly I had the virus!” Sometimes people would be searching for something business related and would click a bad link in a Google search. Once I saw a government site that had been compromised give a a user a virus. Sometimes people fess up and say they were browsing Facebook and they clicked a link they should not have. I thought it was strange that at the same time there was this big uptick in infections, so many people were giving the same lame unbelievable story. I did some research and it turns out they were telling the truth. All of the infected users were opening Internet Explorer, which would load the default MSN homepage where ads were being served though Microsoft’s Bing ad platform. Someone had purchased ad space that contained malicious code that, by simply loading the advertisement would cause the computer to download and run the ransomeware virus. Had the users been using ad blockers, these bad advertisements would not have loaded and would not have infected the computers.

 

Disable UPnP on your router

This one is a bit more technical. Universal Plug and Play (UPnP) is a utility that allows computers inside the network to open up ports on the router to send and receive information. Each port is used for a different service, such as browsing the web or sending files. Every port open is another potential security risk for your network. Some viruses require UPnP to function and to disable it would stop the virus from working.

Why certifications are valuable in IT

I made the decision before leaving high school that I did not want to go to college. As I knew that I was going into the tech industry I was already well aware of the downsides of getting a degree. A degree proves that you learned about both your trade as well as took classes in other fields to come out after four or so years with a well rounded education. After that, there is nothing. You pay an exuberant amount of money for degree with no future course, and possibly nothing that would prove that you are good at what you actually want to do. A computer science degree can get you helpdesk, maybe a sysadmin position, or something in management, but dont expect a degree to get you seated in a position working cryptoanalysis or offensive security.

On the other hand, certifications allow you to create a much longer road for your further education. you can start with simple certifications and move up towards proving that you are good at what you want to do. Two years of study for certifications is much less expensive than college, and gives you a longer list of accomplishments that are more specific to the dream job that you chase. The technology industry is changing rapidly, meaning that education becomes obsolete much faster than in many other sectors. a four year degree loses a lot of its value after a decade, but because of the ongoing nature of certifications, your knowledge, and proof of that knowledge is constantly updating and staying current.