Short answer: if it's connected to a network, it's vulnerable. The steps you take to secure it determine HOW vulnerable it is. Not the popular answer, but it's the truth...
The first step in securing your home network devices is to take a look at the network edge. That is, the device(s) that sit between your home network and the rest of the world. In most home networks, this equates to your router/wireless access device.
All networked devices:
- CHANGE DEFAULT PASSWORDS! The most common security flaw I see is people not changing default passwords. Anyone with Google and just a couple brain cells can gain full access to your device.
- Password complexity. When you change these default passwords, don't use just numbers, or a lowercase word, or a word with a number or two after it. The way password attacks work, the more complex the password, the less likely someone will be able to crack it in a reasonable amount of time. Use a mix of uppercase, lowercase, symbols, and numbers. Also, try to stay away from "dictionary" words. I hate memorizing complicated passwords as much as the next guy, but it really does make a difference.
- Stay on top of updates. I know, updates are annoying and seem to be a pain for no apparent reason. But they're there for good reason: when a manufacturer learns of a security flaw in their device, this is how they fix it. Updates are important.
- Disable any open firewall ports you don't actively use. Unnecessary open ports are like building a 20-foot concrete wall around something and putting random gates in it no one will ever use. Maybe nobody will come through them, but why give them the chance?
- Make sure settings that allow access from an external IP are turned off.
- If your router supports remote protocols like telnet or SSH and you don't use them, turn them off.
- Go through and disable other features you don't use. If you don't know if one of these features is in use, make changes slowly so if something stops working, you know what to enable again.
Access Point (if separate from router):
- Ensure your encryption standard is set to WPA or preferably WPA2. If you're using WEP, you're extremely vulnerable. If your AP doesn't support WPA, it's time for a new AP.
- Disable WPS. There are a number of attacks that exploit WPS vulnerabilities. Just type the password in if you're connecting a new device; it doesn't take THAT long.
- Like the router, disable remote administration and telnet, SSH, etc.
- The password complexity rule especially applies to Wi-Fi passwords. I'm here to tell you, it's not very difficult to capture a handshake and crack a weak Wi-Fi password. Then boom, full LAN access. Game over.
These steps are a good start to protecting all devices on your LAN. As far as IoT devices go, first assess the practicality of them. I know it's on a flashy, shiny display at the store, and it looks really cool, and it has an app, and you've heard about these "smart homes," but do you really need your toaster to be connected to the Internet? Come on... If you decide you absolutely can't live without it, then the same principles from above apply. Change from the default to a strong password. Disable unnecessary services. If your kung fu is a little stronger than most, fire up nmap and scan it. See if you can find any exploits. Also, assess the need to access the device from outside your home. I realize it's popular to be able to pull up your cameras from anywhere, but if you don't use this, turn it off. Any device that doesn't venture beyond the virtual walls of your LAN is going to have a much smaller chance of being poked at by nerds with sticks.
If all of this made your head spin, contract it out to someone who knows what they're doing. I promise the cost will be much less than if someone pops your box and steals your social. By the way, nobody thinks it will happen to them.
Edited by undr1kr, 04 October 2017 - 05:39 PM.
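As an added example (not part of the original post), here is one way to turn an nmap scan of your own devices into the checklist above: it reads nmap's grepable output (`-oG`) and lists every open port, with specific advice for the services the post names. The port-to-advice mapping, the function names and the sample scan lines are assumptions constructed for this example.

```python
import re

# Services the post says to turn off when unused. The mapping of port
# numbers to advice text is this example's assumption, not the post's.
CHECKLIST = {
    ("tcp", 23): "telnet: turn it off if you don't use it",
    ("tcp", 22): "SSH: turn it off if you don't use it",
    ("tcp", 80): "web admin: make sure access from an external IP is off",
    ("tcp", 443): "web admin: make sure access from an external IP is off",
}
GENERIC = "open port: find out what uses it, or disable it"

# Constructed sample in nmap grepable (-oG) format, not real scan output.
SAMPLE = (
    "# constructed sample\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 443/closed/tcp//https///\n"
    "Host: 192.168.1.50 ()\tPorts: 554/open/tcp//rtsp///, 23/filtered/tcp//telnet///\n"
)

def open_ports(text):
    """Yield (host, port, proto, service) for every port in state 'open'."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and "Status:" lines carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            # A comma inside a version string yields a fragment; skip it.
            if len(parts) < 5 or not parts[0].isdigit():
                continue
            port, state, proto, service = parts[0], parts[1], parts[2], parts[4]
            if state == "open":
                yield host, int(port), proto, service

def audit(text):
    """Return (host, port, proto, service, advice) for each open port."""
    return [(h, p, pr, s, CHECKLIST.get((pr, p), GENERIC))
            for h, p, pr, s in open_ports(text)]

if __name__ == "__main__":
    for host, port, proto, service, advice in audit(SAMPLE):
        print(f"{host} {port}/{proto} ({service}): {advice}")
```

Rerun the scan after each change so you can confirm the port actually closed.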