NORTH-EAST residents are reminded to reset their passwords on smart devices after an increase in tech purchases during lockdown.
Deloitte’s Digital Consumer Trends 2020 found one in five UK adults bought at least one new digital device, such as smart watches, speakers, doorbells, baby monitors and printers, during the first two months of lockdown.
But North-East cybersecurity experts worry about the risks associated with smart, or Internet of Things, products.
Coronavirus, however, may have helped people’s understanding of security, according to David Lannin, chief technical officer of Darlington cybersecurity firm Sapphire.
He said: “Public awareness of cybersecurity is improving as there is a crossover between their home and work-life balance.
“However, the need to have the newest gadgets can take precedence and security then goes on the back burner.
“As these devices become more prolific, the security features and, in some cases, lack of security features become more widely recognised.”
Earlier this month, in the same week that Spotify Premium members could bag a free Google smart speaker, the Government’s call for views on proposals for regulating cybersecurity on such products came to an end.
The smart tech cybersecurity proposals focus on default passwords and put forward three main requirements for safeguarding users.
These include a ban on universal default passwords on devices, with unique per-device passwords generated with minimal risk; the introduction of vulnerability reporting, including issues, timelines and updates on problems; and clear and transparent information on how long a product will receive security updates.
Mr Lannin, welcoming the proposals, said: “This is a good start and it is a foundation that can be built on and modified as needed.
“Many attacks against Internet of Things (IoT) devices currently are automated tools and bots looking for default passwords. The use of default passwords on consumer goods should have been prohibited by National Trading Standards long ago. It’s fundamentally insecure, and devices that still offer these should be avoided.
“The publication of vulnerabilities and provision of support and security updates is well understood across the IT industry. Forcing the adoption of similar principles in IoT makes a lot of sense.”
Mr Lannin says demand for smart devices has created an “arms race” for manufacturers.
He added: “Tight deadlines sometimes mean that security is overlooked or missed.
“Home IP addresses are constantly being scanned, which can yield devices and applications that are ready to accept connections, for example, a smart baby monitor or your smart camera in the lounge. Default password dictionaries can be applied against these when detected. Voyeur sites online are widespread but becoming a victim to one of these can be avoided easily.”
Voyeur sites could refer to the many websites online that stream IoT cameras without the owner’s knowledge – easily accessed because they are not secure.
If one IoT device is hacked, it can then infect the rest of the devices on the network – and access a wealth of personal information.
Mike Odysseas, founder and managing director of Stockton-based telecommunications firm Odyssey Systems, fears the proposals will be difficult to implement.
He said: “As most of these types of device are sold as plug and play, with a simple setup process and ease of access, they are generally very easy to exploit on a massive automated scale – allowing cybercriminals access to data on your personal devices, such as PCs, laptops and mobile phones.
“When not protected by the correct security measures, devices are vulnerable to abuse by hackers seeking personal or financial gain.
“I often hear the comment that ‘it’s only a doorbell’, but the reality is that once it’s connected to your internet, this innocent device becomes a potential gateway to your entire network and all the devices connected to it.
“One worrying recent trend has been in the trading of account details connected to CCTV, cameras and doorbells – generating content in private internet forums and the dark web.
“This raises a whole range of privacy issues, in particular child protection concerns.
“With so much of our data now being electronically stored and shared across multiple systems, it’s not what the bad actors can do with your doorbell directly but what they can do with access to your private network and information.”
As well as changing default passwords as soon as a device is plugged in, both experts advocate for multi-factor authentication (MFA), where the user must input multiple bits of information before being granted access, while password generators can be used if the device does not support MFA.
Mr Odysseas said: “Password managers are also an excellent way to manage passwords and avoid issues like multiple password reuse, the most common cause of security breaches. This helps ensure passwords are secure against brute force attacks, where hackers work through various different combinations in an attempt to guess log-in details.
“One tip for choosing a password to access your password manager is to use a long string made up of multiple parts of your favourite song or poem. This way it’s memorable but the sheer length increases the complexity and makes it secure.”