WHEN WORKERS were sent home at the start of the coronavirus lockdown, few companies had a plan to provide secure remote tools. Fewer still had a way to examine and secure home networks littered with Internet of Things devices like video doorbells, smart assistants, bathroom scales, and more that could ride the company VPN back to HQ. Now that work from home may continue indefinitely, managed service providers need to start including IoT under their security umbrella.
How many home-based workers have some type of IoT on their network? "I'd say all of them," suggests Cary Wagner, technical operations director and CEO of Pacific NorthWest I.T. Services in Coeur d'Alene, Idaho.
A big challenge is that there’s no strict standard of security across all the different IoT manufacturers, explains John Hammond, senior security researcher at security services firm Huntress Labs. Every Google Nest Mini or Amazon Alexa is an attack vector, and that doesn't include items you might overlook, such as a garage door opener you can control with your phone.
"Since you can't control IoT devices with a mouse and keyboard, some sort of remote access to manage and configure the devices is needed," Hammond says, adding that those admin portals are well known to hackers.
Another challenge is getting businesses to shore up their workers’ home networks. "We have 150 clients, and I can count on one hand the number who asked us to configure an employee's home network," says Al Alper, CEO of Absolute Logic, a managed service provider in Wilton, Conn. "For the three or four who asked, we changed default usernames and passwords on home routers, set up a guest Wi-Fi network for all the IoT devices, and added endpoint security software everywhere possible." This approach is more affordable for home use than a firewall with unified threat management (UTM), which is more appropriate for the corporate network.
Alper says it’s possible to reset usernames and passwords on existing home networks remotely, so MSPs don’t always have to send a technician to the home. He likes to add a Sophos RED (Remote Ethernet Device) to the firewall at the company's headquarters to provide UTM to the home network. He's also seen a marked increase in remote desktops over Windows Virtual Desktop on Azure.
MSPs should convey to their customers that securing a home network doesn’t require a "rip and replace," Alper adds.
Wagner's first security fix for home IoT is "to get a firewall, and configure it to deny all, and only open up what you need."
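As an added illustration (not configuration from the article or from any of the MSPs quoted), the ruleset below shows how a deny-all policy and a separate guest segment for IoT devices can be combined on a Linux-based home router using nftables. The interface names, the router-admin port, and the list of outbound ports allowed to IoT devices are assumptions to adapt per household.

```nftables
#!/usr/sbin/nft -f
# Constructed example: interface names and port lists are assumptions.
flush ruleset

define WAN  = "eth0"    # uplink to the ISP modem (assumed name)
define WORK = "eth1"    # segment for the work laptop and company VPN (assumed)
define IOT  = "wlan1"   # guest Wi-Fi used only by IoT devices (assumed)

table inet filter {
    chain input {
        # Traffic addressed to the router itself: deny unless listed.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Router administration only from the work segment.
        iifname $WORK tcp dport 22 accept
        # DNS and DHCP served to both internal segments.
        iifname { $WORK, $IOT } udp dport { 53, 67 } accept
        iifname { $WORK, $IOT } tcp dport 53 accept
    }

    chain forward {
        # Traffic crossing the router: deny unless listed.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Work laptop may reach the internet, including the company VPN.
        iifname $WORK oifname $WAN accept
        # IoT devices get only web and time sync outbound (assumed minimum set).
        iifname $IOT oifname $WAN tcp dport { 80, 443 } accept
        iifname $IOT oifname $WAN udp dport 123 accept
        # Count and log any IoT attempt to reach the work segment before dropping.
        iifname $IOT oifname $WORK counter log prefix "iot-to-work " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Nothing is forwarded from the WAN or from the IoT segment toward the work segment, so a compromised device on the guest network has no path to the laptop that holds the VPN session. Devices that need additional outbound ports show up as drops and can be allowed one rule at a time.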
Hammond suggests MSPs have a policy to check and install new firmware, patches, and hotfixes to all the IoT devices possible. "Of course, the 'security basics' never die, so check for hardcoded or default credentials set on the remote access modules of IoT devices."