Security experts detail how your IoT device can leave you open to attacks

Your devices are all talking to each other on your network—and opening up a new front in the hacking wars.

IoT was a major part of this year’s CES. The show highlighted products across the home, from app-controllable bidets to AI-powered baby monitors. The sector is growing, Rapid7 Principal Security Researcher of IoT Deral Heiland told us, and so is the threat surface.

“If there’s a vulnerability that would allow that level of attack on a device, then yeah, somebody could do that,” Heiland said.

WFH danger. Heiland, talking with IT Brew at CES, took care to note that the return on investment for an attack on an individual’s home usually doesn’t make a hack worth the effort—though that calculation may be changing in the era of remote work. Covid led to an increase in people working partly or fully from home, a “potential attack vector.”

“Instantly, these home networks are an extension of your corporate networks,” Heiland told us.

With more connected devices comes a larger network of threats to manage, Silicon Labs CEO Matt Johnson told IT Brew. Speaking just off the show floor, Johnson said IoT tech has reached the level of technological sophistication and low cost where “it’s pervasive and almost everything is connected wirelessly.” With that explosion in innovation have come concerns over security, naturally, because if “we can’t trust the devices, we won’t use them.”

Keeping tabs. Legacy devices are the biggest problem, Johnson told us. Home networks may contain any number of older devices which are still connected to your router, and many, if not all, will have out of date or weak security. Consumers should keep that in mind, and take basic precautions.

“I know this sounds ridiculous, but just, super simple test,” Johnson said. “You go to your home network, and do a scan of your network and look at all the devices and IP addresses out there. Do you know what everything is on your network?”

You should also keep tabs on who’s providing the products you use, Heiland said. A good way to separate the good from the bad is to see which manufacturers and vendors foreground security on their company websites. Keep an eye out for reporting capabilities.

“They should be able to communicate those key areas out there—privacy and security on their technology—and have ways of communicating,” Heiland said. “If a company does not have a method for actually receiving reports around security issues on their product, you want to step away.”