FBI tells Jo(e) Sixpack to become an expert in IoT security

It's also accidentally written the syllabus for a 'Home IoT Network Engineer' course


Internet of Things users need to become sysadmins, America's Federal Bureau of Investigation says.

That's a summary of the Feds' blog post, published this week, in which the agency's Beth Anne Steele wrote that Things are best deployed on their own network, with an off-switch.

Steele's post offered a checklist explaining how consumers can best secure their stuff, including a suggestion to: “Isolate 'IoT' devices on their own protected networks” – which in practice means a separate segment for the Things (a second SSID or a VLAN) with firewall rules that let them reach the internet but not the laptops and phones on your main LAN.

The checklist might reach beyond the capabilities of the average IoT buyer, who just wants to swipe the phone app to control their lights (because the wall is so far away), but that is itself a point worth making. So here's the full list, with El Reg commentary.

  • FBI: Change default usernames and passwords. Many default passwords are collected and posted on the Internet. Do not use common words and simple phrases or passwords containing easily obtainable personal information, such as important dates or names of children or pets.
    (El Reg: It's hard enough to get users to quit using pa55word. Also, how many people don't even realise there's an admin interface for their oven?)
  • FBI: If you can't change the password on the device, make sure your wireless Internet service has a strong password and encryption.
    (El Reg: Good advice for a sysadmin, perhaps a challenge for the punter, and isn't the FBI anti-encryption?)
  • FBI: Invest in a secure router with robust security and authentication. Most routers will allow users to whitelist, or specify, which devices are authorised to connect to a local network.
    (El Reg: Again, good advice for a sysadmin. MAC address filtering should be simple, but think of your own family and ask who you'd delegate it to. Then explain how it copes with phones that randomise their MAC address for each network, and why it stops nobody who can sniff an allowed address and copy it.)
  • FBI: Isolate “IoT” devices on their own protected networks.
    (El Reg: See above regarding lack of skills. Also, imagine explaining to punters why plugging a second router into the existing LAN leaves two DHCP servers fighting over the same segment, and why the newly "isolated" lights can no longer be found from the phone.)
  • FBI: Turn devices off when not in use.
    (El Reg: When is that? Most home Things require that they're always-on – think smart locks, for example.)
  • FBI: Research your options when shopping for new “IoT” devices. When conducting research, use reputable Web sites that specialise in cyber security analysis and provide reviews on consumer products.
    (El Reg: Where do we start with this one? Name us five such sites that punters would correctly judge as trustworthy.)
  • FBI: Look for companies that offer firmware and software updates, and identify how and when these updates are provided.
    (El Reg: And then pray that the company doesn't make its products obsolete by turning off the updates tap. And then contemplate whether the average user is really ready to juggle half-a-dozen different firmware update regimes.)
  • FBI: Identify what data is collected and stored by the devices, including whether you can opt out of this collection, how long the data is stored, whether it is encrypted, and if the data is shared with a third party.
    (El Reg: It just got a lot more complex, and we do need some kind of cert, and one of the units should be “privacy policy 1.01”.)
  • FBI: Ensure all “IoT” devices are up to date and security patches are incorporated when available.
    (El Reg: We couldn't agree more. How many unpatched routers are out there, again? Or unpatched Apache Struts installations at credit reference agencies?)
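One way to implement the "isolate the Things" item on a Linux-based home router, as an added example that is not from the FBI post or from this article: an nftables ruleset that gives the Things their own bridge, lets them out to the internet for cloud services and firmware, and stops them reaching the trusted LAN or the router's own admin interface. The interface names eth0, br-lan and br-iot are assumptions; the script prints the ruleset and only loads it when run with APPLY=1 on a box that has nft.

```shell
#!/bin/sh
# Added example (not from the FBI post or El Reg): an nftables ruleset for a
# Linux-based home router that keeps the Things on their own segment.
# Interface names are assumptions; adjust to your router's bridges/VLANs.
WAN_IF="${WAN_IF:-eth0}"      # upstream link to the broadband modem
LAN_IF="${LAN_IF:-br-lan}"    # trusted segment: laptops, phones
IOT_IF="${IOT_IF:-br-iot}"    # isolated segment: the Things (own SSID/VLAN)

# The weak setting is the default flat home network: one bridge, no forward
# filtering, so a compromised bulb can reach every laptop. The corrected
# ruleset below fails closed between segments unless a rule says otherwise.
iot_ruleset() {
    cat <<EOF
table inet iot_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies for anything already permitted
        ct state established,related accept

        # trusted LAN may talk to the Things (the phone app) and the internet
        iifname "$LAN_IF" oifname { "$IOT_IF", "$WAN_IF" } accept

        # Things may reach the internet (cloud, firmware), never the LAN
        iifname "$IOT_IF" oifname "$WAN_IF" accept
        iifname "$IOT_IF" oifname "$LAN_IF" counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        meta l4proto { icmp, icmpv6 } accept

        # trusted LAN may reach the router itself (admin UI, DNS, DHCP)
        iifname "$LAN_IF" accept

        # the Things get DHCP and DNS from the router and nothing else;
        # the explicit drop keeps a counter of how often a Thing tries
        iifname "$IOT_IF" udp dport { 53, 67 } accept
        iifname "$IOT_IF" tcp dport 53 accept
        iifname "$IOT_IF" counter drop
    }
}
EOF
}

# Sanity check: succeeds only if the generated ruleset really fails closed
# between the IoT segment and both the trusted LAN and the router itself.
ruleset_isolates() {
    rules=$(iot_ruleset)
    echo "$rules" | grep -q 'hook forward priority 0; policy drop;' || return 1
    echo "$rules" | grep -q "iifname \"$IOT_IF\" oifname \"$LAN_IF\" counter drop" || return 1
    echo "$rules" | grep -q "iifname \"$IOT_IF\" counter drop" || return 1
    return 0
}

# Print the ruleset; with APPLY=1 on a router that has nft, load it instead.
if [ "${APPLY:-0}" = "1" ] && command -v nft >/dev/null 2>&1; then
    iot_ruleset | nft -f -
else
    iot_ruleset
fi
```

The ruleset covers filtering only; NAT for the WAN side is assumed to be configured separately. What it does not solve is discovery: the phone app on the trusted SSID finds the lights by mDNS, which does not cross segments, so you either run an mDNS reflector on the router or accept that the app only works when the phone joins the IoT Wi-Fi. That, more than writing the rules, is what sends punters back to the flat network.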

The depressing thing is that every single item on this list is necessary and true, and nearly all of it is beyond the home user. It would, however, make a sound syllabus for some kind of certification, if anybody would study it, which they wouldn't.

The FBI promises its blog next week will be on Internet-connected toys. We can hardly wait. ®

Biting the hand that feeds IT © 1998–2022