As with every new year, we all start with resolutions about what we will change for the better. For fellow IoT rock stars, security needs to be top of the list. With the new decade fresh in our minds, IoT security is already making news headlines.
“Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices”
Public IP addresses are simply bad news
If you’re new to IoT, the lesson to be learned from the ZDNET article is that a public static IP address is bad. Asavie has shared many documents over the years, one of which details how to scan for your devices, showing how easily they can be found using tools such as Nmap. These tools are freely available on the web and if you do use public static IP addresses, I urge you to check them out.
Even more head-scratching is the fact that owners of devices on the public internet continue to ignore or forget that default manufacturer administration credentials are accessible online in user guides and documentation. If you fail to change the default credentials, then expect a world of compromise.
But why do people persist in using public static IP addresses, and why are ISPs still offering them? The answer is simple: the ZDNET article highlights the use of the Telnet protocol. Telnet is used for remote access to devices. For those who say “oh we don’t use telnet” but are using SSH or RDP for remote access and persist in using public static IP addresses, please at least change the default password and obfuscate the port number by choosing a random number in the IANA port range.
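A check you can run on scan results for your own devices, as an added example (not code from Asavie or the ZDNET article): it parses Nmap grepable (`-oG`) output and lists Telnet, SSH and RDP services that are open on public addresses. The function names and the sample scan are constructed for illustration, with documentation-range addresses standing in for public static IPs.

```python
import ipaddress
import re

# Ranges not routed on the public internet: RFC 1918, CGNAT, loopback, link-local.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

# Remote-access services the article names, by Nmap service name, plus the
# default ports used when the scan output carries no service name.
REMOTE_ADMIN = {"telnet", "ssh", "ms-wbt-server"}  # ms-wbt-server is RDP
DEFAULT_PORTS = {23: "telnet", 22: "ssh", 3389: "ms-wbt-server"}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")

def is_public(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_PUBLIC)

def exposed_admin_services(grepable):
    """Return (ip, port, service) for open remote-admin ports on public IPs."""
    findings = []
    for line in grepable.splitlines():
        m = HOST_RE.match(line.strip())
        if not m or not is_public(m.group(1)):
            continue  # comment/status line, or host on a private address
        ports = m.group(2).split("\t")[0]  # drop trailing "Ignored State" field
        for entry in ports.split(","):
            f = entry.strip().split("/")
            if len(f) < 5 or f[1] != "open":
                continue
            port = int(f[0])
            service = f[4] or DEFAULT_PORTS.get(port, "")
            if service in REMOTE_ADMIN:
                findings.append((m.group(1), port, service))
    return findings

# Constructed sample in the layout of `nmap -oG` output; the documentation
# ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public static IPs.
SAMPLE = "\n".join([
    "# constructed scan of our own address inventory",
    "Host: 203.0.113.10 ()\tStatus: Up",
    "Host: 203.0.113.10 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///",
    "Host: 203.0.113.11 ()\tPorts: 2222/open/tcp//ssh//OpenSSH/, 3389/closed/tcp//ms-wbt-server///",
    "Host: 10.20.0.5 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)",
    "Host: 198.51.100.7 ()\tPorts: 3389/open/tcp/////",
])

if __name__ == "__main__":
    for ip, port, service in exposed_admin_services(SAMPLE):
        print(f"{ip}:{port} exposes {service} on a public address")
```

The SSH entry on port 2222 is still reported because the match is on the service name the scan recorded, not on the port number, so a moved port does not remove the need to change the default password.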
Dumping the VPN in IoT
Ultimately, we need to ask why IoT devices, routers, and servers are on the public internet. In my opinion, I believe that there is a basic lack of security skills and knowledge. The use of VPNs is cumbersome, but the lack of alternative options and, more fundamentally, cost are no longer factors. For example, cloud providers have abstracted the complexity of turning up servers, so much so that anyone with basic IT skills (e.g. setting up the home Wi-Fi) can have a go.
As an industry we need to better educate our web citizens; we can’t just say “leave it to the pros”. If we do choose to be silent, remember that the primary goal of the security breach highlighted in the ZDNET article is to seek and enslave, with a secondary goal of offering a botnet army for attack purposes. These botnets could someday be used against you or your organization.
A private network that you control
So, “Do I need a private network for IoT?” The simple answer is yes. Private networks apply not only to those who wish to secure remote access to devices, but also to anyone who wishes to truly be secure by taking their devices off the public internet and out of harm’s way from cyberthreats, which includes being a target for DDoS attacks.
At Asavie, we offer our customers self-serve private networks that securely connect IoT, mobility, and enterprise private networks. We appreciate networking is hard, security is even harder, and time is precious, so like the cloud providers, we strive for ease of use. With little IT skill, you gain enterprise-grade security for your IoT device, all for the price of a coffee.
The best part is, the private network offers secure bi-directional communication with private static IP addresses, so you can continue to remotely access the devices. Even if you do forget to change the default credentials of the Telnet client on the device, you will be the only one who can see and access the devices!
As for my new year resolution, let’s make IoT secure in 2020!