Our houses are quickly filling with an internet of things—smart TVs, DVRs, thermostats, and more all online, all the time. But to a hacker, each of these devices is a digital door or window into your home (network). Here's what you need to do to keep your devices locked against outside intrusions.
It sounds paranoid, I know, but there are, seriously, websites out there dedicated to streaming unsecured security camera footage—veritable YouTubes of compromised DropCams and smart TVs. Leaving these and other networked devices unsecured—or even worse, using the factory default username and password—is like leaving a note on your front door that reads: "I've gone to the store, be back in 3 hours, the key is under the mat." Or, almost as creepily, an open invitation to voyeurs.
Basic network security is fundamental, every bit as important as locking your front door whenever you go out. That door is your wireless router and there are a number of ways it can, and should, be secured, according to the FCC:
- Set the network encryption to WPA2. The older WEP algorithm is totally outdated and laughably insecure by comparison.
- Install a firewall. Your router should have a hardware-based firewall, so be sure it's activated. Also, it doesn't hurt to have a secondary, software-based firewall running as well. Windows 8 has the feature baked into its OS, as do OS X and Chrome OS. Or you can install a third-party system like Zone Alarm's Personal Firewall.
- Stop broadcasting your network. There's simply no need to publicize the existence of your home network, so turn off the Broadcast SSID option in your router configuration. That way you're protected from wardrivers—which probe for easy access points—and nosy neighbors alike.
The secret to network security: password, password, password
Just using a WPA2 encryption algorithm isn't enough; you need to make sure your password has all the bells and whistles and special characters you can cram in there. The longer and more complicated the password, the harder it is for hackers to crack—not necessarily unbreakable, but enough of a hassle to make it not worth the attacker's time.
And, while you're at it, change the user ID if you can. Avoid easily identified or guessable phrases like "Jeff's Place" or "210 Elizabeth St" in favor of more esoteric tags like "Welcome to the Terrordome" or "Flying Saucer". And by all means, don't name it something stupid like "Al-Quada Free Terror Network".
Partition your network
For most of us, just taking care of the basics should be sufficient. But if you have a slew of network-connected devices lying around your house—e.g. an IRIS security system, a smart TV, a smart DVD player, a connected DVR, Hue lights, and a Nest thermostat—and you're a more advanced user, you'll want to minimize any damage caused by intruders by segmenting your network. It's the same as locking not just your front door but also the back door and the door to your garage.
The trick is to assign groups of devices individual SSIDs. Most routers on the market today possess the ability to manage multiple SSIDs and, by doing so, prevent an intrusion into one device from giving attackers access to the rest of the network—say, attacking your smart TV to get into the network and then going after the personal files on your NAS. You can group the devices most any way you please—by room, by function, whatever—just be sure to keep your most sensitive devices (your DVR and networked hard drives) on separate networks from other, more easily hacked appliances. In fact, you would do well to set the various components of your entertainment system—your TV, gaming system, DVR—all on individual networks.
MAC down on it
Now, if you want to get really paranoid about your home network security and have a few hours to kill, you can set a MAC list filter for your router. The MAC (media access control) address is the unique network identifier for an individual piece of connected hardware—essentially the device's digital fingerprint—and a MAC list filter is akin to a fingerprint scanner for your front door. Only devices that are registered on the MAC list can even see the network; everything else—literally every other digital device on the face of the planet—will be blocked outright.
The only problem is that you've got to gather up the MAC address from every single connected device in your house if you want it to keep functioning once the filter has been implemented. Anything you miss not only stops working, it also leaves a nice big security hole for attackers to exploit. For most people that won't be worth the trouble, but if you're the better-safe-than-sorry type, this is decidedly safer.
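To take some of the tedium out of that inventory, here is an added example (not part of the original article) that compares a list of connected devices against your filter list and reports what you missed. The client-table format, hostnames and addresses are constructed for illustration; it also flags devices using a locally administered (randomized) address, which a static MAC list cannot pin down.

```python
import re

# Constructed sample: lines in the style of a router's DHCP client table
# (hostname, IP, MAC). The format and every value are made up for this example.
SAMPLE_CLIENT_TABLE = """\
living-room-tv   192.168.1.20  a4:5e:60:12:34:56
nest-thermostat  192.168.1.21  18-B4-30-AA-BB-CC
nas              192.168.1.22  0011.32de.ad01
phone            192.168.1.23  da:a1:19:00:11:22
hue-bridge       192.168.1.24  00:17:88:0f:0e:0d
"""

# MACs already entered in the router's filter list (constructed).
ALLOWLIST = ["A4:5E:60:12:34:56", "18:b4:30:aa:bb:cc", "00:11:32:DE:AD:01"]

def normalize_mac(text):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, or None if malformed."""
    digits = re.sub(r"[:.\-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set, which is how
    randomized "private" Wi-Fi addresses are marked."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(client_table, allowlist):
    """Compare connected devices to the filter list.
    Returns (missing, randomized): devices not on the list, and devices
    whose address may change and so cannot be pinned by a static list."""
    allowed = {normalize_mac(m) for m in allowlist}
    missing, randomized = [], []
    for line in client_table.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or unexpected lines
        host, mac = fields[0], normalize_mac(fields[2])
        if mac is None:
            continue  # third column was not a MAC address
        if mac not in allowed:
            missing.append((host, mac))
        if is_locally_administered(mac):
            randomized.append((host, mac))
    return missing, randomized

if __name__ == "__main__":
    print(audit(SAMPLE_CLIENT_TABLE, ALLOWLIST))
```

Run it before switching the filter on: anything in the first list will drop off the network, and anything in the second needs its private-address feature turned off for your home network or it may stop matching its entry.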
Lead image: Scott Bedford