How to Keep IoT Devices Secure
In this week’s article, we explore the cybersecurity risks associated with IoT, alongside GridDuck’s own tips and methods for keeping your system safe.
Internet-connected devices allow us to perform a range of functions that previously were inconceivable, from watching a baby remotely to automating our thermostats and lighting. But is this safe and secure? The Internet of Things (IoT) receives regular criticism because of security vulnerabilities that can be exploited by hackers. We take a look at common IoT problems and what’s being done to address them, including at GridDuck HQ.
As IoT devices, more commonly known as smart devices, have exploded in popularity, cyberattacks on them have increased in frequency too. According to computer security firm Kaspersky, attacks on smart devices more than doubled year on year in 2021. The total number of attacks the firm recorded between January and June was in excess of one billion. Note that these are attack attempts, not successful breaches, but the scale shows how indiscriminately internet-connected devices are targeted.
Meanwhile, consumer brand Which? conducted its own research earlier this year, setting up a fake smart home with a range of popular products. Their investigation revealed that a home can be the subject of several thousand hacking attacks in a week. A wireless camera with good reviews on Amazon was eventually hacked.
While these headlines sound alarming, the plain truth is that following best practice will largely keep you safe from a cyberattack, whether at your home, office or elsewhere. GridDuck’s chief technology officer Richard Tolley says security often comes down to the effort you put into it: “If you follow best practice, and everything is encrypted, it’s theoretically as safe as anything on the internet. Whereas, if you buy a cheap webcam, you don’t know what they’ve done about security.”
Apple devices, for example, are generally regarded as secure because the company tests them rigorously, encrypts data on the device by default and ships regular updates. Moreover, the hardware has security built into it, a root of trust that the software can rely on rather than having to protect itself alone. The same can be said for certain Android phones and Google products. These are secure because they were designed to be.
Default Passwords
One of the biggest flaws in mass-produced smart products is default passwords. Many devices ship with an easy-to-guess password that you aren't prompted to change, and in the worst cases the same password is set on every unit of that model, so anyone who learns it can log in to any of them. According to government-commissioned research from 2020, only one in five consumers has ever checked whether a new smart device came with a password unique to that unit. Always change the default password before connecting the device to your network, go through all of the device's security settings, and enable two-factor authentication if it's available.
The UK government is addressing the problem of default passwords by introducing regulation that will require manufacturers to make their products "secure by design". It's likely these new laws will launch in 2022. Similar requirements for internet-connected devices have already been introduced in Europe, including a ban on universal default passwords, that is, a single password shared across every unit of a product.
IoT Devices and Cybercriminals
One of the things that makes smart devices, such as security cameras, attractive to hackers is that potentially millions of them run the same software. If cybercriminals learn how one of these devices works and find an exploitable vulnerability, the same attack works against every other device in that pool, and attackers scan the whole internet for them rather than picking targets by hand. So never assume you aren't important enough to be hacked, and stay vigilant.
To better protect yourself, do thorough research and use trusted brands that, ideally, have been independently recommended. A third of UK consumers spend less than an hour researching a smart product and a majority of the products are bought online, government research has found. It’s not always the case that a cheaper device will be less secure, but it’s generally worth spending a bit more up front for the added security you are likely to get as a result.
Another way to protect yourself is to install software updates promptly, since updates are how manufacturers fix vulnerabilities discovered after a device has shipped. At the moment, manufacturers don't need to tell you how long a smart product will receive updates, but that is set to change with new UK regulation. When these laws come into effect, manufacturers will have to be transparent with customers about how long they will keep providing updates, and customers will have a clearer, more direct way of reporting vulnerabilities to manufacturers.
GridDuck’s Security Systems
GridDuck uses internet-connected devices to help our customers bring down carbon emissions and become more energy efficient. These devices “talk” to a dashboard, enabling our clients to see where they might be wasting energy in almost real time. We work across sectors, from manufacturing to hospitality and we’ve helped businesses make substantial savings.
We take our security very seriously. Some of our cloud-based monitoring systems are installed in government buildings, which require high-level clearance that can be hard to obtain. It may sound technical, but GridDuck holds an ISO 27001 certificate, the international standard for information security management. Maintaining the certification involves a monthly internal audit as well as a yearly external audit, and it is recognised as a gold standard in the industry.
In addition to ISO 27001, we have passed penetration testing. Pen testing, otherwise known as "ethical hacking", is a simulated cyberattack conducted by an external company. It exposes vulnerabilities so that they can be fixed before a real attacker finds them.
Most cybercriminals will look to attack software vulnerabilities; flaws in the hardware itself, such as microchips, are far rarer and far harder to exploit. GridDuck partners with third-party hardware manufacturers who produce our wireless sensors, clamps and plugs. These use a secure wireless protocol that's also used by the UK's smart meter network, which is classed as critical infrastructure. In other words, our monitoring devices are secure by design.
The devices talk to a hub, manufactured by a Danish company, which in turn connects to the internet over Wi-Fi and carries the sensor data securely to GridDuck's servers and on to the online dashboard that clients use to see their energy use. We write the software for the hub, and it is the subject of regular external testing. Our servers run on Amazon Web Services, which provides comprehensive security for the underlying cloud infrastructure; securing what we build on top of it, from our own software to who can access it, remains our responsibility and is covered by the audits and testing described above.
As a customer you will get a standard login to our online dashboard, which requires a password. GridDuck never sees or stores your password itself: what we store is a hash of it, the output of a one-way function, so it cannot be read back even by us. (This is sometimes loosely described as encryption, but hashing differs in that it cannot be reversed.) Clients have the option of using two-factor authentication, such as having codes sent to your phone, for an added layer of security. Best practice is to never reuse a password across different services and to keep your passwords in a password manager.
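As an added illustration of what storing a hash rather than a password means in practice, here is example code written for this article; it is not GridDuck's own login implementation, which the article does not describe in detail. It uses the scrypt key-derivation function from Python's standard library with a random per-user salt, and the work-factor parameters and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Work-factor parameters for scrypt. Assumed values for illustration; a real
# deployment tunes these to its hardware so that one derivation is deliberately slow.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, salt and derived key.

    The password itself is never stored. The random salt means two users who
    chose the same password get different records, so a leaked database cannot
    be attacked with one precomputed table.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "scrypt${}${}${}${}${}".format(SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                           salt.hex(), key.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time.

    Any malformed record is treated as a failed login rather than an error,
    so a corrupted or tampered row never lets a caller skip the check.
    """
    try:
        algo, n, r, p, salt_hex, key_hex = record.split("$")
        if algo != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False
    # compare_digest takes the same time whether the first or last byte differs,
    # so an attacker cannot learn the stored value byte by byte from timing.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who happen to have chosen the same password.
    rec_alice = hash_password("correct horse battery staple")
    rec_bob = hash_password("correct horse battery staple")
    print(rec_alice)
    print(rec_bob)
    assert rec_alice != rec_bob  # different salts, different records
    assert verify_password("correct horse battery staple", rec_alice)
    assert not verify_password("correct horse battery stable", rec_alice)
    assert not verify_password("anything", "not-a-valid-record")
```

The stored record contains the parameters alongside the salt and key, which is what lets an operator raise the work factor later and rehash each user's password the next time they log in successfully, without ever needing the plaintext.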
There is more we can say about our security but it can get very technical (and a tad boring). Let’s just say that you are in safe hands when you work with us and that security is one of our top priorities.
We’d love to see you benefit from IoT. For more information on how GridDuck’s intelligent monitoring system can help your business, book in a 15 minute chat with Miles.