What it is
The Internet of Things (IoT) is just another name for smart devices – anything that has built-in technology that means it can connect to the internet. For example:
- home security systems and camera
- smart watches
- voice controlled speakers
- some universal remotes.
How it works
Smart devices can connect to the internet, gather information and exchange data with other devices.
IoT devices either have a wireless chip that allows them to connect to WiFi, or they connect to your router via a cable. They collect data from their sensors, and use software to determine what to do next. In most cases, the IoT device will:
- connect to a central server, usually owned by the company who makes the device, to get more information
- compare and send data to other public websites and servers to collect information
- connect to a messaging server so it can email, text, or call you
- connect to other IoT devices on the same WiFi to tell them to do something.
For example, a smart refrigerator can scan the barcodes of any food items stored in it. It can then take this information and look it up on the internet to see when the items will spoil. Once it has this information it can send you email reminders to use the food before its expiry date.
Smart devices may contain:
- software that will need to be updated
- a wireless chip that can connect to your WiFi
- a microphone for voice commands
- a camera for recording or enabling movement commands
- a near field communication (NFC) chip to detect nearby cards, phones, or other devices
- Bluetooth to connect to nearby devices
- other sensors that detect motion, speed, humidity, health metrics, or other data.
The risks
Most IoT risks are to do with privacy and security. IoT devices, such as smart speakers and televisions, are like mini computers. They may contain vulnerabilities that allow attackers to:
- get personal information, such as usernames and passwords
- access banks and online shopping accounts
- gain control of devices to scare or manipulate users.
Not knowing what information is being collected
A smart speaker with voice activation is always listening, ready for you to ask it to do something. Most of the time, you can't tell what information is being recorded, and where those recordings are being sent. Sensory data, voice or video recordings, and personal information collected by smart devices can be leaked or stolen.
Software that loses support
IoT devices can fall out of support quickly, particularly less well-known ones. This means the device doesn’t get updated when the developer finds a problem. It could leave you with a smart device that is vulnerable to attack.
Insecure device configuration
WiFi and IoT devices may be configured so people on the internet can send them commands, instead of only the person who owns the device. This means an attacker could alter your IoT device and use it to attack others or to scare you. This is also called a bot or botnet.
How to protect yourself
The way you set up and use your IoT devices is important. Pay the same attention to the security of your IoT device as you do to the security of your phone and computer.
Decide if you really need the “smart” features
If you don’t need the features that use the internet, disable them. A smart refrigerator should still be able to keep your food cold, even if it can’t connect to the internet!
Keep software updated
Updates don't only bring new features and improvements, they also fix vulnerabilities that can be exploited by attackers. Most smart devices have settings that enable updates to take place automatically.
If the vendor no longer provides updates, you should consider getting a new device or disabling the smart features.
Change the default password
In the excitement of unboxing a shiny new device, it’s easy to forget that it comes with a default password that might be easily found on the internet. Change the default password to one that is unique and long, and store it in your password manager if you have one.
Put the devices on a separate WiFi network
Most WiFi routers can provide a 'guest' network that can be used to keep your laptop and mobile phone away from other devices you can’t control. Keeping your IoT devices on this guest network prevents them from communicating with your important devices.
Search for security reviews before purchasing
Most popular IoT devices have been reviewed by security professionals. You may also find that an IoT device you're about to buy just had a massive security issue. Doing a quick search before you buy can save you a lot of future stress
Get help
If you’ve experienced an online security issue, your first step is to contact the service provider.
You can also report an online issue or security incident to us at CERT NZ.