IoT Devices Might Not Look Like a Computer, But They Can Be Just as Dangerous

Installing an IoT-ready security camera or outfitting a crucial production system with IoT technology can put a business in harm’s way. Learn about the security risks that IoT devices can pose and how to mitigate those risks.

On October 9, 2018, security researchers at SEC Consult revealed that millions of security cameras and other video surveillance equipment could be easily hijacked by cybercriminals. And just a few days later, numerous PlayStation 4 (PS4) owners reported that their gaming consoles were crashing after receiving a malicious message on them.

These events might seem unrelated, but they are the result of a common problem: inadequate security in devices that connect to the web, which are referred to as Internet of Things (IoT) devices. These devices connect to the Internet so that they can transmit and receive data. In some cases, products have IoT technology built into them, like security cameras and gaming consoles. In other cases, IoT technology is added to existing equipment or systems. For instance, IoT devices can be added to production processes and heating and cooling systems.

Companies are increasingly using IoT devices to monitor and control various elements in their businesses. However, many of them do not realize they need to protect those devices from cyberattacks. That’s because people usually envision computers and smartphones, not security cameras or thermostats, when thinking about cybersecurity.

Businesses taking advantage of IoT devices need to know about the security risks they can pose and how to mitigate those risks.

The Risks

IoT devices often have security vulnerabilities that make them easy targets for hackers. For example, the devices might ship with default passwords that are easy to crack or the manufacturers might issue firmware updates that are easy to spoof.

Sometimes, devices have multiple security issues. This is what the SEC Consult researchers found when they investigated the video surveillance equipment manufactured by Hangzhou Xiongmai Technology. They discovered that the company’s IoT-ready video surveillance devices have several vulnerabilities, many of which are related to a feature called the XMEye P2P Cloud.

Th XMEye feature enables device owners to view video feeds in a web browser or mobile app in real time. To take advantage of it, the owners have to create XMEye accounts. These accounts are riddled with problems, including:

  • All new accounts are admin accounts that have the default username of admin with no default password set. Device owners are not prompted to change the default username or add a password during the initial account setup process. Owners who do not change the username and add a password are leaving their accounts wide open to cyberattacks. Besides viewing video streams, hackers would be able to change the device’s configuration and issue firmware updates. Since Hangzhou Xiongmai Technology does not sign its firmware updates, cybercriminals could issue bogus updates that contain malware.
  • A second undocumented account exists. The account’s username is default and the password is tluafed (the word “default” spelled backward). Anyone logging in with this undocumented user account can view the device’s video streams.

These vulnerabilities are present in all the security cameras, digital video recorders, and network video recorders manufactured by Hangzhou Xiongmai Technology. However, the manufacturer’s name is not on any of the devices. Hangzhou Xiongmai Technology sells its devices to other companies, which put their logos on the equipment. Thus, people who have these IoT devices might not even realize they are at risk. (You can find a list of the 100+ brand names the devices are sold under on the SEC Consult researchers’ blog.)

Some manufacturers act responsibly and include security measures in their IoT devices. However, even these devices can be risky because of the actions (or inactions) of the device owners. For instance, IoT device owners might create weak account passwords or not install firmware updates. The PS4 incident provides a good example of the latter. Sony quickly released a firmware update to fix the bug that allowed the malicious message to crash the gaming console. However, users who do not have their consoles configured for automatic updates will still be at risk if they fail to manually install this update.

Help Is on the Way

Steps are being taken to address the fact that many IoT devices have security vulnerabilities. For instance, in September 2018, California became the first US state to pass an IoT security law. It mandates that IoT devices manufacturers include reasonable security features that protect the devices and any data contained in them. The law goes into effect on January 1, 2020.

Similarly, in October 2018, the UK government published the finalized “Code of Practice” for IoT security. It contains 13 guidelines for IoT device manufacturers to follow to ensure that their devices are secure by design and compliant with the European Union’s General Data Protection Regulation (GDPR).

How to Protect IoT Devices in the Meantime

Although steps are being taken to encourage IoT device manufacturers to build more secure devices, many IoT devices have been and will continue to be built with no security features in place. If these devices are not secured properly, they can put a company at risk, especially when they are connected to the network that hosts the business’s critical data and applications.

As a result, companies need to secure their IoT devices, just like they secure the computers in their IT environments. A good place to start is to:

  • Change each IoT device’s default password to a unique, strong one.
  • Disable any features that are not being used in the IoT devices.
  • Place the IoT devices behind firewalls so that they do not connect directly to the Internet.
  • Isolate IoT devices from the business network.
  • Install patches or upgrades when the manufacturer provides them.
  • Use a virtual private network (VPN) if remote access to the IoT devices is required.
  • Include IoT devices in IT policies.

If your business is using any IoT devices, we can determine whether they are posing a risk to your business and help you develop a comprehensive strategy to protect them from cybercriminals.

5 Things to Try in Windows 10 after the October 2018 Update Is Installed

The Windows 10 October 2018 Update includes many new features and enhancements. Here are five notable ones that you might find useful.

Microsoft officially released another major update for Windows 10 on October 2, 2018. Like previous updates, the Windows 10 October 2018 Update includes many new features and enhancements. Here are five notable ones you might want to try once the update is installed on your computer:

  1. Souped-Up Clipboard

The October 2018 Update soups up the Windows Clipboard with new history and syncing features. Thanks to the history feature, you can now copy and store multiple items (text and images) on the Clipboard. When you want to paste one of those items, you simply press Win+V to open up the Clipboard’s history window and select the item you want to paste. (If you are unfamiliar with keyboard shortcuts, Win+V indicates that you press the Windows key and the letter v on your keyboard at the same time.)

With the syncing feature, you can copy text and images on one Windows 10 computer and paste them on another one. This can come in handy if you regularly use multiple devices, such as a Windows 10 desktop computer and a Windows 10 laptop computer.

Before you can take advantage of the history and syncing features, though, you need to enable them in in Windows 10’s Settings app. You can find them by clicking “System” in the Settings app and selecting the “Clipboard” option.

  1. “Make text bigger” Slider

Before the October 2018 Update, you could make text bigger in Windows 10 by changing the overall scaling. This made everything bigger, including text and images. With the new “Make text bigger” slider introduced in the October 2018 Update, you can make just the text larger. The overall scaling remains the same. (You can still change the overall scaling, though, if desired.)

You can find the “Make text bigger” slider in the Settings app. After you open the app, select “Ease of Access” and click the “Display” option.

  1. Snip & Sketch App

The new Snip & Sketch app lets you capture and mark up screenshots. It combines the functionality found in Windows 10’s Snipping Tool and the Screen Sketch app (which was originally part of Windows Ink Workspace).

Snip & Sketch lets you take rectangular, freeform, and full-screen shots of items on your screen. Once created, you can use a stylus (on touch-enabled devices) or a mouse to annotate the screenshot. There are various markup tools, such as a pencil and a marker, which you can customize by changing their color and thickness.

Although Snip & Sketch was designed to replace the Snipping Tool, the Snipping Tool will still be present after the October 2018 Update is installed, according to Microsoft. In the future, though, the Snipping Tool will likely disappear from Windows 10.

  1. Your Phone App

After the October 2018 Update is installed, you will have an app named Your Phone on your Windows 10 computer. The app lets you link and sync a Google Android smartphone with your Windows 10 computer. When you do so, you can view and send Android text messages from your computer. You can also access your phone’s photos, which means you do not have to email photos to yourself to get them on your computer.

If this seems familiar, you are not having a case of de ja vu. Your Phone has been available in Microsoft’s App Store since August 2018. Plus, since the Fall Creators Update (which was released in October 2017), you have been able to link an Android phone or Apple iPhone to a Windows 10 computer in order to send web pages from your phone to your computer. This enables you to see the web pages on a larger screen without having to email yourself a link or manually search for the sites. You can continue to do this through the Your Phone app introduced in the October 2018 Update.

You can install the Your Phone app on an iPhone. However, sending web pages is pretty much all you can do at the present time. You cannot access photos or send text messages from your computer like you can with an Android phone. This might change in the future, though.

  1. Power Usage Tracking in Task Manager

You can now see how much power each app and process is consuming on your Windows 10 computer, thanks to the October 2018 Update. Two columns have been added to the “Processes” tab in Task Manager:

  • “Power Usage”, which conveys how much power each app and process is currently using
  • “Power Usage Trend”, which indicates how much power each app and process has used in the past two minutes

Task Manager does not give you an exact measurement but rather an indicator such as “Very Low” and “Low”. This information can be helpful when you want to get an idea of how much power your apps are consuming. Plus, the new power usage columns might flag when a cryptojacking script is siphoning a computer’s processing power. In this type of attack, cybercriminals steal computers’ processing power to mine cryptocurrencies.

IT Budgeting Trends in 2019

Research by Gartner, Harvey Nash/KPMG, Spiceworks, and Tech Pro Research provide several interesting insights into IT priorities and budgets in 2019. Find out whether companies are planning to increase or decrease their IT budgets and how they intend to spend their IT dollars.

Creating an IT budget would be easy for companies if they could travel into the future to see what was in store for their businesses and the economy in 2019. But since no one has invented a time machine that can whisk people into the future and back again, the next best thing is finding out what experts are predicting and what other companies are planning to do. Research by Gartner, Harvey Nash/KPMG, Spiceworks, and Tech Pro Research provide several interesting insights into companies’ IT budgets and priorities in 2019.

IT Spending on the Rise

Gartner is predicting that overall IT spending will increase by 3.2% in 2019 — a forecast that is reflected in other research findings. When Tech Pro Research surveyed more than 100 IT professionals, over half said that their organizations will be dedicating more funds to IT in 2019 compared to 2018. Similarly, about half of the 4,000 IT leaders participating in a study conducted by Harvey Nash/KPMG said they are expecting a budget increase in 2019.

A survey by Spiceworks, though, had different findings. About half of the 700+ respondents said that the IT spending at their companies will stay at the same level as the previous year. Only a third indicated that their IT budgets will increase in 2019.

How Companies Are Planning to Spend Their IT Dollars

Knowing the areas in which companies are planning to spend their IT dollars can be helpful when creating a budget. Both the Tech Pro Research and Spiceworks surveys asked respondents about their IT budgeting priorities in 2019.

Security is the top priority for the companies that participated in the Tech Pro Research study, as Table 1 shows. This is not surprising given that businesses are often the target of cyberattacks. IT training for employees is also high on the list. Companies are making this a priority because employees need to be retrained as IT technologies and work processes change. Plus, new employees will also need training.

Upgrading outdated IT infrastructure is the No. 1 priority for the businesses represented in the Spiceworks survey. When looking at the various components in IT infrastructures, such as hardware and software, the study revealed that businesses will spend the most on hardware purchases. The biggest chunk of their hardware budgets will go toward buying desktop and laptop computers.

Table 1. Top Priorities in 2019 IT Budgets

No. 1 Priority No. 2 Priority No. 3 Priority
Tech Pro Research (percentage of respondents indicating it is a priority*) Security (63%) Cloud services (48%) IT training for employees (44%)
Spiceworks (percentage of respondents indicating it is a priority*) Upgrade outdated IT infrastructure (64%) Security (56%) IT projects (56%)
* Respondents could select multiple priorities