The Federal Bureau of Investigation is warning companies and the public to be aware of vulnerabilities that cybercriminals could exploit in connected devices, otherwise known as Internet of Things devices. We previously reported on what the Internet of Things is and some of its legal challenges. The Internet of Things is the universe of smart devices that connect to the internet or to one another. These devices have unique identifiers and the ability to automatically transfer data over a network on their own, without human interaction.
Some examples of such household devices include WiFi-connected home security systems, thermostats, cameras, smart appliances, lighting, and wearable technology. Others are medical devices, office equipment, and entertainment devices. Some industrial examples include smart grid utilities, patient monitoring, connected commercial vehicles, and smart buildings and factories.
Cybercriminals could attack these types of connected devices by hacking cameras to display live feeds, accessing or monitoring home and business networks, and hacking medical devices. They could also steal personal information, hijack devices to cause physical harm, spam out malicious emails, or interfere with business transactions.
The FBI highlights one particular technology that is intended primarily for residential networks, the Universal Plug and Play (UPnP) protocol. UPnP is a technology that allows a computer to talk to and learn about other devices automatically on a network. When connected to a network, UPnP devices automatically establish working configurations with other devices. The FBI warning notes that many routers include vulnerable implementations of UPnP.
The FBI offers these tips on mitigating cyber threats in connected (Internet of Things) devices:
- Isolate such devices on their own protected networks;
- Disable Universal Plug and Play on routers. You can find support directions on the internet for how to do this with your particular model of router;
- Purchase connect-capable devices from manufacturers with a track record of providing secure devices;
- Update devices with security patches;
- Be aware of the capabilities of devices and appliances. If a device comes with a default password or an open Wi-Fi connection, change the password and only allow it to operate on a home network with a secured Wi-Fi router;
- Ensure that all default passwords are changed to strong passwords. Don’t use the default password determined by the device manufacturer. Don’t use common words and simple phrases or passwords containing easily obtainable personal information, such as important dates or names of children or pets. If the device does not allow you to change the access password, make sure that it has a strong password and uses strong encryption.
The legal risks for these kinds of attacks are many. A device owner could potentially be liable, or at least partially at fault, for physical harm to people on its premises. Stolen personal information could lead to more serious identity theft. Device malfunction or hijacking could leave the device owner responsible for damage to that property or nearby property. A business whose device causes damage to others could face regulatory scrutiny, fines or litigation.