IoT Awareness

Internet of Things

Frank Kardasz, revised September 22, 2022 

Editor: Ava Gozo.

The Internet of Things (IoT) includes billions of devices worldwide. Devices possess a variety of data-capture capabilities and communications features. Devices can connect everyday things embedded with electronics, software and sensors to the Internet and enable them to collect and exchange data.

IoT devices bring convenience, improved networking and other innumerable benefits. Some devices can increase safety and collect video, audio, location information and other data to help solve crimes and identify offenders.

When wrongfully used, IoT devices can assist criminals towards furthering misdeeds. Consequently, IoT devices offer both rewards and risks. Let's examine some IoT device capabilities, their risks, and some suggestions for risk mitigation.

Devices & Capabilities

Devices & Manufacturers

• Home devices: Amazon Echo, Google Home, Nest, Philips, Airfy, Eero, Skybell, Feit
• Wearables - Internet of Bodies (IoB): Smart watches, Rings, Implanted chips, Medical devices, Air Tags
• Vehicle-mounted: Cameras, Smart License Plates, Geo-location devices
• Mobile Phones: Samsung, Apple iPhone, Xiaomi, Huawei, Oppo, Vivo
• Security Cameras: Ring, Arlo, Logitec, Eufy, Panasonic, Nest

Capabilities

• Track and record movement and bodily functions of persons, property and/or vehicles
• Record audio and video of persons, places and things
• Remote operation and monitoring of devices and equipment including lights, thermostats, cameras, medical devices, agricultural equipment and body-worn gadgets.

Risks of Misuse

• Stolen/misused data
• Identity theft, Theft of the device, Distracted driving
• Hacking & manipulation of implanted, body/worn or medical devices
• Harassment & stalking, Surreptitious eavesdropping
• Sextortion, Financial theft
• Phishing & Spoofing for collecting user information
• Theft of propriety information, business/trade secrets

Categories of Evidence Associated with IoT

IoT devices, the data contained within IoT devices, and/or the data retained by cloud services associated with IoT devices may include many kinds of evidence. Here are some of the categories of evidence that can be associated with IoT devices.

• Digital Forensic Evidence - audio, video, log files, start and stop times, location data, and cellular tower logs. Evidence may include Internet of Bodies (IoB) physiological information such as pulse rate, temperature, blood pressure, sleep cycles, pacemaker, blood sugar.
• Direct Evidence - directly linking a person to a location time and date where an offense occurred: Cell tower logs, GPS data, video.
• Circumstantial Evidence - implies that a person committed a crime. Surveillance or doorbell cameras, cell tower data can place a vehicle or person in the vicinity of an offense.
• Physical Evidence - a material object (the IoT device itself).
• Forensic (Wet-Lab) / Individual physical / Trace Evidence - Device may retain fingerprints, hair, fiber, soil, gunshot residue, pollen, blood, or DNA of a person.
• Expert Testimony - digital forensics experts may be called upon to provide testimony regarding the operations and functions of IoT devices and the associated data.
• Documentary Evidence - Internet service providers and or cloud service providers may give documentary evidence associated with IoT devices that are connected through an ISP or a cloud service.
• Demonstrative Evidence - witnesses may be called upon to demonstrate the functions and operations of an actual IoT device in a courtroom setting. Audio and/or video evidence may be heard or displayed in court.
• Habit Evidence - in the case of smart home devices, the individual habits of the user may be demonstrated, based on historical data about the normal use of devices within the home.
• Corroborating Evidence - information associated with IoT devices may support other evidence that tends to confirm guilt or innocence.
• Exculpatory Evidence - Audio/video, location information or other IoT evidence may show that an accused is not guilty.

Basic Risk Mitigation

• Password Hygiene - consider using a Password Manager
• Multi-Factor Authentication
• Network Safety - Segmentation & Segregation
• Update operating systems and/or replace unpatchable hardware & software
• Use a Virtual Private Network (VPN)

-------------------------------------------------------------------------------------------

Frequently Asked Questions

Where can I report crimes involving my IoT devices?

• US DOJ: Crime should be reported to appropriate law enforcement investigative authorities at the local, state, federal, or international levels, depending on the scope of the crime. Citizens who are aware of federal crimes should report them to local offices of federal law enforcement. https://www.justice.gov/criminal-ccips/reporting-computer-internet-related-or-intellectual-property-crime

How can I use my IoT devices to assist law enforcement?

• Some jurisdictions have "Community Camera Registration Programs". Home and business owners can register their cameras with local law enforcement for the purpose of permitting authorities to access video and/or audio pursuant to criminal investigations. Check with your local law enforcement agency to see if they have a program.

What can I do to protect my IoT devices?

• Travis Goodreau, IEEE Security: https://www.computer.org/publications/tech-news/trends/7-actionable-tips-to-secure-your-smart-home-and-iot-devices
• Set up Your Router Correctly
• Change the Router’s Default Name
• Use the Highest Level of Encryption
• Use Strong Passwords
• Create a Separate Wi-Fi Network for IoT Devices
• Disable Features You Don’t Use
• Keep Your Devices Up-To-Date
• Enable Multi-Factor Authentication
• Employ a Nest-Generation Firewall (NGFW)

What are some IoT device security tips?

• Purchase up-to-date IoT devices. Older devices may lack security features
• Do not buy used or refurbished IoT devices because they may contain modified hardware and/or software that makes them vulnerable to malware
• Change IoT device default usernames and passwords
• Review device security settings and data retention terms of service
• Turn off indoor security cameras when not needed
• Disable voice purchasing on voice-active devices (Amazon Echo/Google Home)
• Educate yourself about the features, strengths and weaknesses of your devices

What advice can I give to young people about avoiding becoming victims of cybercrime?

• NCMEC: NetSmartz NCMEC's online safety education program. It provides age-appropriate videos and activities to help teach children to be safer online with the goal of helping them to become more aware of online risks. https://www.missingkids.org/netsmartz

What advice can I give to adults and seniors about avoiding becoming victims?

• NCOA: https://www.ncoa.org/article/protection-from-senior-scams
• Don't act quickly based upon a falsely created sense of urgency; consult a trusted friend
• Avoid odd payment types including gift cards and cryptocurrency
• Be suspicious of fake caller ID's
• Do not reveal personal information
• Notify and seek advice from law enforcement

How can I use IoT devices to improve home security?

• Smartlocks for doors, Burglar alarm control units with door and window sensors
• Motion detectors, Cameras
• Time based or motion activated lights
• Ring has a "Ring Neighbors" app that can be used with or without a Ring device. The app permits users to communicate and share information with other neighbors and with law enforcement. https://support.ring.com/hc/en-us/articles/115005447323-Joining-Ring-Neighbors-without-a-Ring-Device

What are some "Bad Practices" that technology users should avoid? (CISA. https://www.cisa.gov/BadPractices)

• Use of unsupported (or end-of-life) software
• Use of known/fixed/default passwords and credentials
• The use of single-factor authentication for remote or administrative access to systems

What features do IoT devices have that can help solve crimes?

• Doorbell cameras and other indoor/outdoor cameras may retain audio and video that can be used to assist investigators towards solving crimes
• Smartwatch and/or fitness tracking devices and services may hold useful information
• Home assistant services may retain useful data about events and occurrences in a home
• Vehicles and associated services may have cameras, location data and other useful information

What can I do to disable the microphone on a "Smart" TV?

• Disclaimer Note: These actions may permanently disable the microphone. From Smarthomes - https://smartphonesoutions.eu/security/locate-and-disable-mic-on-smart-tv/
• The microphone is most often placed in the TV casing facing the viewer. Look for a small hole the size of a pinhead, similar to the one found in a cell phone near the mouth area. Also note that there may be more than one microphone on the TV case.
• An invasive and likely destructive method of blocking a microphone is to put plasticine or silicone in the hole.
• A less invasive method is to use adhesive tape however this will only muffle the sound and not stop it.

What are the best methods for disposing of a device?

• Australian Cyber Security Center - https://www.cyber.gov.au/acsc/organisations-and-critical-infrastructure
• Erase all data and personal information.  Erasing your personal information ensures that no-one gains access to it after you have disposed of the device. Delete your online account if it is no longer needed without the IoT device.
• Perform a factory reset of the device. A factory reset is designed to erase data kept in local storage and reset usernames, passwords and settings back to default. Check the device’s user manual or the manufacturer’s website for information on how to perform a factory reset.
• Disassociate the device from mobile phones and other devices. Disposing of a device that still has access to your other devices, network or online accounts has the potential for others to gain access. Make sure you check your other devices and remove any pairing with the device you are disposing of. Remove any permissions granted to the mobile application that are no longer needed.
• Remove any removable media (e.g. USB flash drives, memory cards etc) attached to the device. Removable media may contain personal data that is not deleted in a factory reset and should be physically removed, physically destroyed and disposed of separately from the device.

What technology is involved with IoT?

• Sensors, micro controllers, companion circuit boards, relays, servo motors, Bluetooth networking, Zigbee networking, WiFi, Ethernet networking, LCD displays, touch screens, speakers, RFID tags, home based web servers, home network hubs, Low Powered Wide Area Networks, cellular networks, Internet broadband, cloud computing and others.

How is IoT useful in manufacturing, business and industry?

• IoT is used in manufacturing to improved product quality and improve plant availability. Sensors can measure tolerances of products in manufacture and alert operators if measured values drift beyond specifications. Sensors can monitor machinery for preventative maintenance. Bearing vibration can be detected early for scheduled maintenance instead of emergency maintenance. Motor use can be tracked to predict failure in advance. IoT devices  save money, reduces downtime and create high quality products that have fewer returns.

What are some of the threats to business and industry?

• Corporations, businesses, farms, hospitals and others use IoT devices to monitor and control equipment, property, animals and personnel. Devices often use Supervisory Control and Data Acquisition (SCADA) computer applications for monitoring and control.

• Hacking and malware of industrial control systems can have devastating and life-threatening effects. If you are familiar with the attacks known as STUXNET, Night Dragon, Duqu, Flame, Gauss, and Shamoon then you may have heard of IoT SCADA attacks. Some of the targets of the attacks have included the Bowman Dam in New York, a German Steel Mill, the Ukraine Power Grid, transportation systems in Georgia and Colorado and many others.

•  ICS-CERT periodically publish advisories describing vulnerabilities and mitigations for IoT devices. https://www.cisa.gov/ics

What are the threats to medical devices?

• It is estimated that there are 10 to 15 million medical devices in U.S. hospitals. Alarmingly, eight out of ten health care organizations have experienced an IoT focused cyber attack. The FBI warns that unpatched medical devices running outdated software and lacking security features provide cyber attack opportunities. Some devices are outdated without any option to upgrade their features to provide adequate security. https://kardasz.blogspot.com/2022/09/IoT-medical-devices.html

How is IoT used for smart cities?

• IoT can be used to monitor power, water, vehicular and pedestrian movement, climate and building energy management.

-------------------------------------------------------------------------------------------

Resources & References

Dictionaries

• Dictionary of Technology Words and Phrases – Techopedia - https://www.techopedia.com/dictionary
• Dictionary of Computer Words and Phrases - Tech Terms - https://techterms.com/
• Encyclopedia of Technology - Tech Target - https://www.techtarget.com/whatis/

Passwords

• Online security and safety – USA.gov - https://www.usa.gov/online-safety
• Top 5 password hygiene tips and best practices - Tech Target - https://www.techtarget.com/searchsecurity/tip/Top-5-password-hygiene-tips-and-best-practices

Multi-Factor Authentication

• Multi-Factor Authentication – CISA - https://www.cisa.gov/mfa
• Amazon - Alexa - https://amazon.com/gp/help/customer/display.html?nodeId=G3PWZPU52FKN7PW4&tag=thewire06-20&linkCode=xm2&ascsubtag=YT250097
• Apple - HomePod, Homekit - https://support.apple.com/en-us/HT204915
• Arlo - Doorbells, Security Cameras -  https://kb.arlo.com/000062288/What-is-two-step-verification-and-how-do-I-set-it-up
• D-Link - MyDlink Devices - https://youtu.be/-74GNECnvnc
• Ecobee - Thermostats, Sensors, Cameras - https://support.ecobee.com/hc/en-us/articles/360040957212-Two-Factor-Authentication-2FA
• Eufy - Devices compatible with Eufy Security App - https://support.eufylife.com/s/article/Two-Step-Verification-for-eufySecurity-App
• Google - Home, Nest - https://support.google.com/googlenest/answer/9295081?hl=en 
• Microsoft - XBox - https://support.microsoft.com/en-us/account-billing/turning-two-step-verification-on-or-off-for-your-microsoft-account-b1a56fc2-caf3-a5a1-f7e3-4309e99987ca
• Nintendo - Switch - https://en-americas-support.nintendo.com/app/answers/detail/a_id/27496/~/how-to-set-up-2-step-verification-for-a-nintendo-account
• Ring - Cameras, Lights Alarms - https://support.ring.com/hc/en-au/articles/360024511592-Two-factor-security-authentication-with-Ring-products
• Sony - Playstation - https://www.playstation.com/en-us/playstation-network/two-step-verification/
• Wyze - Cameras, Locks, Thermostats - https://support.wyze.com/hc/en-us/articles/360024402052-Two-Factor-Authentication
• Yale - Smart Locks -  https://us.yalehome.com/en/yale-news/blog/latest-blog-posts/introducing-biometric-verification-for-august-and-yale-locks1/

Networking Safety

• Network Security – Checkpoint - https://www.checkpoint.com/cyber-hub/network-security/what-is-network-security/
• Network Security – vmware - https://www.vmware.com/topics/glossary/content/network-security.html
• Network Security Tutorial Video – Edureka! - https://www.youtube.com/watch?v=k-k1cfIOLnQ
• Router Settings -  ThioJoe -5 Router Settings You Should Change Now! - https://www.youtube.com/watch?v=mJnIgjyjEtc 
• Secure IoT Network Configuration - Crosstalk Solutions - https://www.youtube.com/watch?v=6ElI8QeYbZQ

Updating Hardware & Software

• How to recognize and prevent cybercrime – CISA - https://www.cisa.gov/sites/default/files/publications/Week3TipCard-%20508%20compliant_0.pdf

Virtual Private Network

• What is a VPN? - Cisco - https://www.cisco.com/c/en/us/products/security/vpn-endpoint-security-clients/what-is-vpn.html

Other Resources

• Public Awareness & Prevention Guides – Europol - https://www.europol.europa.eu/operations-services-and-innovation/public-awareness-and-prevention-guides

Handout for LE Public Awareness

https://kardasz.blogspot.com/2022/09/IoT PublicAwareness.html