Connected Magazine


Cyber securing your connected AV

By Phil Tann
10/03/2023

Online security is at the forefront of people’s minds these days, but not always when it should be. Phil Tann explores the risks of connected equipment and ways to avoid falling victim to cyber-attacks.

There are items in many people’s lives that are connected but are not necessarily thought about in terms of security. We are talking about items like smart lights, speakers, TVs, smart boards and even items as simple as digital signage.

With any connected technology, it is essential first to understand the risks, as this informs decisions about security solutions and their direction. There is an endless array of statistics that can show how broad the cyber threats are, but visuals often make a greater impact. Kaspersky has one such tool, a real-time world map displaying detected cyber threats.


When it comes to AV equipment, whether in a home, an office or a high-level installation, some vulnerabilities are ever-present in a connected world and others are specific to the style of equipment and connectivity. One ubiquitous threat for connected equipment is account breaches, and while providers make efforts to protect users and their data, there are steps users can take.

If access to an account is essential enough, hackers will pay up to $40,000 to have a 14-character password cracked.

The primary step users can take is to ensure passwords adhere to current best practices. This means having passwords of sufficient length — typically 14 or more characters is considered secure — and complexity such as using pass phrases instead of single words.

The most crucial step is never using default usernames and passwords on equipment, never re-using passwords between sites and, wherever it is offered, using two-factor authentication, ideally a hardware-based authentication option.

This is particularly important for accounts like iCloud and Google, where, for many people, their entire lives are on there. This includes calendars, contacts, work schedules and location history. All of which can give a clear picture of your work practices and routines, potentially opening your home to surveillance and making it a target for a break-in.

More specific risks to AV equipment include connectivity which does not necessarily have security options around it including screen mirroring and Bluetooth connectivity. These connections do not necessarily require authentication, only brief physical contact with the target hardware. Though they offer a nuisance value through someone streaming music or video to the device, they do not easily serve as an attack vector for malicious activity.

While the potential for deeper penetration into your network is low, particularly if you are adhering to other practices, the annoyance factor is high through these pathways making them worth acknowledging.

The next step is to ensure sufficient firewall protection for your devices. One security expert noted that he regularly sees port forwarding, or open ports allowed through a company system, set up simply to allow easy access to equipment. He said he could not stress enough just how dangerous this practice is: it not only opens that piece of equipment to unauthorised connections, but also makes your whole company network vulnerable to attacks.

As an interesting divergence, AV versus IoT and general network protection have different approaches. This was illustrated during discussions with Paul Beadle, manager of cyber security and governance at BAE Systems, and Brendon Reid, managing director of Automation Associates.

Paul’s role is focussed purely on security protection of critical data, so his approach leans far more towards keeping all equipment patched and updated with the latest firmware. Part of this is due to his role requiring him to be risk averse and to avoid potential vulnerabilities, often with cost of maintenance being less prohibitive than would be the case for a small business or home user.

Brendon took a far more functionality-focussed and cautious approach to patching with the clarification that security patches, clearly, need to be applied as an immediate need. Offering an example of a network attached storage (NAS) which his company had installed for several clients where a security flaw was identified, he says the manufacturer communicated the urgency of update, and this was completed to ensure continued security of client sites and their data.

The problem in the automation and connected hardware space is that patching simply because it is available can be detrimental to operations. Connections to third-party services through an Application Programming Interface (API) or webhooks can break, automated features may no longer work, or some features stop working.

So, when patches or firmware are released, the change logs noting whether the update is a bug fix, for general stability, feature additions or security, are critical to decisions on whether to install or not.

There were several underpinning messages from the industry experts I spoke to about connected smart technologies and AV equipment. The starting point for this is that when you are using connected equipment, this should be done with the expectation that the convenience comes at a cost, that cost being your data becomes less secure. Whenever you have equipment connected to the internet, it potentially becomes vulnerable, and unfortunately, this is not scaremongering; it is simple fact.

Again, one of the most common themes was to always adhere to good password practices, as earlier mentioned, including the use of two-factor authentication wherever possible.

The second major note that Paul made was to be prepared to keep your connected technology, such as smart speakers, lights and general IoT devices, on a separate network from your computers and any critical data storage. Some skills are required to achieve this though, depending on whether you want to create a separate physical or virtual network. For home users, this can be as simple as turning on the guest WiFi network.

There are several reasons for doing this, including the stability of connection, as many IoT devices use exclusively 2.4GHz connections which have a better broadcast range and reduced power consumption for the devices. There is also the security consideration of a connected device becoming compromised through either a server or account breach. Depending on the devices you are using, this may not even be the fault of your primary provider, e.g., Google, Amazon, or Apple. It could be a third-party provider who connects to your accounts through an API or webhooks.

Regardless of how the device finds itself at risk, having your connected devices on a separate network or VLAN means these do not then become a simple bridge into your network.
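The two checks described above (no port forwards into the network that holds your data, and connected devices kept on their own network or VLAN) can be run against a simple inventory. The following is an added example, not part of the original article; the subnets, device names and forwarding rules are constructed sample data, and the severity labels are an assumption of this sketch.

```python
import ipaddress

# Constructed sample data: subnets, device inventory and router port forwards.
TRUSTED_NET = ipaddress.ip_network("192.168.10.0/24")  # computers, NAS (assumed)
IOT_NET = ipaddress.ip_network("192.168.20.0/24")      # AV/IoT VLAN or guest WiFi (assumed)

DEVICES = [
    {"name": "office-pc", "ip": "192.168.10.21", "kind": "computer"},
    {"name": "nas", "ip": "192.168.10.5", "kind": "storage"},
    {"name": "smart-speaker", "ip": "192.168.20.40", "kind": "iot"},
    {"name": "signage-player", "ip": "192.168.10.77", "kind": "iot"},  # misplaced
]

PORT_FORWARDS = [
    {"wan_port": 8443, "target_ip": "192.168.10.77", "target_port": 443},
    {"wan_port": 5000, "target_ip": "192.168.10.5", "target_port": 5000},
]


def audit(devices, forwards, trusted_net, iot_net):
    """Return (severity, message) findings, highest severity first."""
    findings = []
    by_ip = {d["ip"]: d for d in devices}
    for d in devices:
        addr = ipaddress.ip_address(d["ip"])
        if d["kind"] == "iot" and addr in trusted_net:
            findings.append(("medium", f"{d['name']} is an IoT device on the trusted network"))
        elif d["kind"] != "iot" and addr in iot_net:
            findings.append(("medium", f"{d['name']} holds data but sits on the IoT network"))
    for f in forwards:
        addr = ipaddress.ip_address(f["target_ip"])
        name = by_ip.get(f["target_ip"], {}).get("name", "unknown device")
        # Every forward is internet exposure; one that lands in the trusted
        # network exposes that device and everything beside it.
        severity = "high" if addr in trusted_net else "medium"
        findings.append((severity, f"WAN port {f['wan_port']} forwards to {name} "
                                   f"({f['target_ip']}:{f['target_port']})"))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda item: order[item[0]])


if __name__ == "__main__":
    for severity, message in audit(DEVICES, PORT_FORWARDS, TRUSTED_NET, IOT_NET):
        print(f"[{severity}] {message}")
```
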

Active steps for protection

While there are some basic barriers that can be placed in front of malicious attackers, there are also proactive steps users and businesses can take. Brendon referred to the use of Domotz, a more modernised version of running Nagios on an internal machine. What this gives users is proactive monitoring of the network, including ping and latency tests, devices dropping from the network, ports being opened and penetration testing.

Despite the industry-based divergence of opinion, the message from the experts spoken to about the matter was similar in terms of adhering to best practices and protection of your personal or business data.

Being connected to the internet is a constant and evolving risk that needs to be managed. If you are not comfortable or lack the knowledge for maintaining equipment and security on your network, then you need to take one of two options. The first is to upskill yourself or someone in your organisation to ensure continued protection; the second is to contract out the responsibility to an external provider.
