You’ll shoot your eye out

In the movie A Christmas Story, Ralphie has one goal; To get as a Christmas present the “official Red Ryder carbine-action 200-shot range model air rifle.” Everyone who hears this responds with “You’ll shoot your eye out, kid.” Of course, the adults were projecting that in the hands of someone without experience and who was full of youthful exuberance, there was only one inevitable outcome. Unfortunately for Ralphie, they were right, pretty much.

BB guns are not all that useful but they can be fun. I had one. I didn’t shoot my eye out but it wasn’t because of good training. I never had any real instruction in its use and safety precautions, so I can’t say why nothing bad ever happened, but fortunately, it didn’t.

IoT devices are somewhat more useful than BB guns. They can entertain (Alexa, play the spa channel on SiriusXM). They can let us order things verbally. They can show us who is at the door and they can record what happens in and around our cars. What is not readily apparent when we consider these devices is the need for some safety instruction.

By their very nature, these devices require connectivity. For many applications, they need to be connected to our home networks. The fundamental connection to the internet is usually installed with reasonable security. I have AT&T, so my network is identified with a typical SSID similar to ATT49zH7. So far so good, because this does not offer any information to the curious. Unlike some SSIDs that I have seen like JonesFamily. Why tell some casual snoop your family name so they can start attacking your network?

The random password assigned is 12 characters and is somewhat complex. Also good. So now I have some basic protection. Next, we add IoT devices that connect to the outside world and they have next to no security. BAD MOVE. This is akin to shooting our eye out. We have created an easily exploited hole in our network. More so if we do use a password but we reuse one from some other account.

In my post about Ring doorbells earlier (Ding Dong, guess who?) I discussed the evils of password reuse as a  takeaway from a lot of bad press concerning Ring these days. Well, the beat goes on. Here is a sampling:

• A Data Leak Exposed The Personal Information Of Over 3,000 Ring Users
• We Tested Ring’s Security. It’s Awful
• Amazon used “security” to sell Ring doorbells, then blamed customers when hackers broke into them
• Ring’s Security Woes Cause Some Tech Review Sites to Rethink Glowing Endorsements

And on the more reasoned front:

• We’re not rescinding our recommendation of Ring’s cameras. Here’s why

Default passwords installed at the factory become known quickly. Bad actors use this data to scour the internet for devices that still have the default passwords. Remember, if you can check your video system at home from the internet, so can anyone else. If you left the default password, you are just inviting people with evil intent to get on your network.

This quote from the Tom’s Guide article cited above is something to keep in mind when considering the purchase of any device you will be attaching to your home network be it a TV, doorbell, nanny cam or other things:

Ring’s cameras aren’t inherently unsafe. You just need to know how to use them. 

I would like to say that statement was true of all devices but some are inherently unsafe. Some don’t allow you to change admin passwords. Some don’t tell you there is an admin password. Some don’t tell you how to set up good security with their device. Poor security is the current default setup for most devices. Don’t accept that.

As a consumer, you may be unaware of this situation due to a lack of documentation in the instructions. (You do read those don’t you?). Rest assured the bad guys know what is going on. As a consumer, you need to do your research. We all need to make security part of the feature set we want in devices. Beyond that consider:

• DO NOT buy devices that don’t implement 2FA.
• Create unique passwords for every IoT device. (Not to mention doing this for all your online accounts).
• Change default passwords immediately
• Find out if there is an admin password. If it exists, change it. If you can’t find out, DON’T buy the device.
• Consider putting all IoT devices on a separate network in your home. Most routers allow a ‘guest’ network. Consider taking advantage of that provision.

A poorly configured IoT device will shoot your security eye out. Be careful.  If you’re looking for assistance, give Ashton Technology Solutions a call, at 216 397-4080.