I just read and put in our show notes an article that asks a question. Its titled Is the UK government’s new IoT cybersecurity bill fit for purpose?
In practice, I think we all agree by using unique passwords, we’ll start dealing with the problem of the default password. But with that said, there are questions in regards to maintenance and how support personnel can get in to do their job.
There is also something that I don’t think the article covers. This is dealing with updates. We know that getting updates to IOT devices can be easy if they’re programmed to go and check for updates, especially right after a connection to the Internet is established. But what about after?
Lets discuss this one.
Discover more from The Technology blog and podcast
Subscribe to get the latest posts sent to your email.
To be honest, it would depend how they were made and when.
For example, my wifi routers, and extenders will if always active update themselves and they will do it without any real problem.
My hp envy printer will update itself when there is an update.
My brother won’t.
However those don’t get much more than yearly updates so if I check and update yearly and check other things locally well.
My speakers will update if I initiate them or have them always connected they will update themselves.
But with all the spying and goings on on the amazon side, I never keep my echo dots plugged in unless I need to use the unit.
So every time I plug it in or every time I do it I initiate an update myself.
I have always checked as part of my routeen startup updates for most software and hardware.
A lot of the newer stuff don’t even need me to exactly do much bar logging in and hitting a few buttons.
But I could see where this would be a problem.
Now for ease of use, I don’t have a password on my hp printer which is networked locally, my brother has a simple one so I can get in and update but its a home.
There isn’t really any damage a hacker could do if he got into either of my printers as such except turn off web service and stop me getting back in.
At any rate a lot of that is sealed behind another account which is secure and tied into a google account which in itself secured, well ok, none of these are fully secure, I mean I need to get in but there are at least 3 accounts between the real stuff and so on.
Now the passwords aren’t that hard to guess, but really there is like 3 of them.
So I doubt a hacker would necessarily need access to 3 of them just for a printer.
On the flip side, once you get access to the wifi net you really don’t need to get access to any thing if you ever got in locally but really.
On the subject of eot devices, I’d imagine they update themselves.
I manage a slew of remote computers, some on a business setting.
So 99.9% of the time, I am confident they will update themselves.
There are at least 6 of these.
I have updated them at location however its much easier for me every so often or when they can be brought to me once a year to get them taken to me.
I will get them, temperarrilly shut down security and update locally.
It means I don’t have to take and introduce stuff to them which could be a potential risk.
I have all the data on my workstation, and unless its a rebuild job, I can usually have the material on hand already to load in a block.
The only things that don’t update themselves are codecs, dotnet and other runtimes which have newer versions, and a few things like that.
Often there will be some discreppancies between what the automatics do and what is actually about to though its usually quite good.
Of course I need to handle all the user issues which could be installing malware to do something and then me finding and asking out what their intent was and then fixing it.
However being that I have local and other access to my database I can search for and get whatever it is and load it.
Sometimes at discount if its something I allready own.
The only time I really need to get down and dirty is if one of the connection boxes goes totally nuts.
Yes by default you can secure it but I always like to get in balls first and give it all a good pounding.
Covid has stopped my checks last year so who knows.
To be honest its harder and harder to get a manual look at things which is the only way I role its just easier is all.
I could see whhere this could be a problem though.
No one is going to check all day long unless it screws.
Now if like the isp stuff its remote and server controled, thats fine.
But if its old and doesn’t or needs manual checks someone needs to get in.
So how do you do it?
I am unsure you can hide accounts, but on most of the stuff I have I do have an account.
The account has a simple password and its hidden.
Thats 1 way I did things in the past.
Now I try to remotely do it with those concerned but thats not always possible.
Then what happens if checks for physical things just aren’t enough.
I have to put a mutherload of trust in the automatics.
Of course if the device never or only gets updates twice a year thhen thats fine but what about if its like all the time.
Now if its at a spaciffic time, you could have the device run a script, and email you.
For example this wordpress blog is set where I never have to update it, or secure it or even get into it.
I do from time to time check but my admin logins have drasticly dropped off now the system we use is setup and seems to be working.
The only thing we may have to do at some point is pay for ipstack as we keep running close to requests running out, but its only happened once.
We get round 240000 requests a month of a spammy nature and we run out near the end of the month so for us it just works.
I get emails you do to about things autoupdating.
So if you set it up the system will tell you if its a smoking wreck unless it physically explodes or the connection goes out.
Speaking of that though what do you do in a situation say if the cloud or a cloud the connection needs goes out.
While usually things pop back up, my experience with anything electronic from printers to whatever is that if a something down the line goes out that device will be frozen and need restarting.
Or a login to get access to whatever.
So I guess if you did a drive by and did something to fool the system then have someone physically come and reset you could probably get their passwords and well.
Saying that though, I can’t remember the last time I needed to login to my isp controled router to do a reset, reboot or refresh.
I login to my wifi extenders once a year to make sure they run but to be honest I assume they do.
I always check my printer support page so if I need to login I do.
I had to login lastnight to initiate the update to the unit.
The only way to have this stuff work is have people login with security key and even then a physical approach may be best but what if your business is huge.
Take this blog.
Its small with 4 users.
Out of that 2 post.
We haven’t actually had any new users register in ages so technically I could take down all security and simply not allow users if it ever became a problem.
But even our cloud previders like gmail are getting spam passing through.
Now you can combat that by putting more security in but now I need to check daily to make sure stuff hasn’t got lost.
At least 10-20 messages a day are being mislabeled.
And thats just me, suppose that was more than that.
Out of the 20 messages 1-5 of those are potential spams.
And sometimes they still get through.
Its an interesting thing.
And a 1 size fits all won’t actually fit.