The Internet of Things (IoT) refers to objects and devices which are connected to a network such as the internet and which use the network to communicate with each other or make information available.
In general, these are sensors/actuators and control elements that are often controlled via a cloud-based application.
These devices can be things such as smart network speakers (digital assistants), intelligent light switches, ovens/fridges, smart TVs, etc., which are connected to the internet either directly or via a network interface.
Many of these intelligent devices require an internet connection to function properly. This increases not only the number of communication participants in the internet, but also the number of vulnerable devices that can be misused by hackers. These devices are then used to send spam emails, for instance, or to carry out attacks on other internet users (e.g. DDoS attacks).
Consequently, these devices must be both protected (using individual passwords, restricted access) and regularly updated. Updates should be performed as soon as critical vulnerabilities in device software which could be exploited by hackers are discovered. Unlike in the case of a computer or smartphone, however, hardly anyone remembers that intelligent light switches and refrigerators might also require software updates.
Objects and devices, which can be accessed via the internet can be found by anyone (e.g. using a port scan or a search engine like Shodan). An even greater potential threat is posed when using standard access data (username and password).
Preventive measures
To prevent your intelligent light switch, digital assistant or other IoT device from being misused by hackers, the NCSC recommends the following preventive measures:
Before you buy network-enabled objects or devices or install them in your home, find out about their IT security precautions:
- How often are software updates issued?
- Are they downloaded automatically, or does the user have to do something? How does the user find out that an update is available?
- Can the device be accessed via the internet?
- What protection mechanisms does the device have to prevent unauthorised access? Does the device's operating system support access via a secure connection like SSH or HTTPS?
- Can the default credentials provided by the manufacturer (username/password) be changed?
Make sure that the device cannot be accessed via the internet unless this is necessary for its operation (e.g. use a firewall or separate network not connected to the internet).
If the device has to be reachable via the internet (e.g. because information is provided to it via the internet), we recommend the following measures:
- Set up a separate network segment for your networked devices that does not have access to your personal data (computer, NAS, etc.). The devices can then communicate only with the internet, but not with your internal network. Many modern routers now support this approach. This helps you ensure that your internal network cannot be attacked via one of your IoT devices.
- Restrict access from the internet to the device, for instance by using an IP address filter (which permits only certain IP addresses to access the device) or by using a GeoIP filter (which restricts access to the device to Swiss IP addresses, for example).
- Use only protocols that permit a secure connection, such as SSH and HTTPS. Never use text-based protocols like Telnet or HTTP.
- Do not use standard ports (e.g. 23 – Telnet, 443 – HTTPS, etc.), because otherwise your device can be found using a simple port scan. Instead, use a high port (e.g. 2323 instead of 23, 43443 instead of 443, etc.) to make it more difficult to find the device.
Do not use default credentials (username, password). These standard settings are widely known and can be used easily by hackers. Change the username and password of the device immediately when you set it up.
Use a complex password (at least 12 characters, including numbers, letters and special characters).
Whenever possible, use a second factor for authentication (e.g. SMS, Google Authenticator, hardware token, etc.).
If you no longer need a device, disconnect it from the network or internet.
Deactivate your router's UPnP (Universal Plug and Play) function. Ask your internet service provider or router supplier about configuration options, as well as about functional limitations and any other unintended consequences this measure may trigger.
Measures to be taken after a successful attack
If you have already fallen victim to an attack on a networked device, we recommend performing a factory reset. After the factory reset, we recommend that you read and implement the points described under "Preventive measures", in order to avoid being compromised again.
You can find information on factory resets in the operating instructions on the manufacturer's website.
