If you have been reading this blog at all, you will have seen my plea to change your default password on any device that connects to the internet. Those of you who are more on the ball may have wondered why this is necessary if you have a firewall on your router. Won’t the firewall keep an intruder out? The answer is yes and no.
Let’s look at how an internet-connected device works, and then it will become clearer. What makes internet-connected devices, or IoT devices, so handy is that they connect through the internet to a server that provides extra functionality. This allows the IoT device to stay small and less expensive, as it doesn’t need a bunch of computing power. It uses the computing power of the server instead. This also allows you to benefit from the data sent by other people’s IoT devices.
All traffic in and out of your network goes through a router, which is protected by a firewall. The firewall blocks most malicious traffic, but it can’t stop everything. If it did, you wouldn’t be able to connect to the internet at all. The router acts like a mailman, making sure the data it receives gets sent to the right device. The first time data is sent, the router doesn’t know who the data is from or where it goes. It has to check the routing information on the data to figure this out. This can slow traffic down considerably if it has to be done every time data is transferred.
To speed the process up, the router remembers the routing information for certain types of data coming from certain types of devices. Once it is remembered, all data from that remembered device outside your network is delivered automatically to the remembered device inside your network. Hackers take advantage of this efficiency by impersonating a remembered device. In the case of an IoT device, the router thinks the data is coming from the IoT server, but it is really coming from the hacker’s computer. If this happens, the only thing protecting your IoT device and your network is the device’s password.
So, yes, your firewall will protect all your devices from an attacker trying to get into your network. However, no, it won’t protect you once an IoT device has communicated with its server. This is why it is so important to change the device’s default password and to make sure the new passwords are strong.
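The behaviour described above can be seen in a small Python model. This is an example added here, not code from the original post, and it is far simpler than a real router: the `Router` and `Device` classes, the addresses, and the `admin` default password are all made up for illustration. It shows which inbound data the "remembering" router delivers and why the device's password is the last check.

```python
from dataclasses import dataclass, field

# Constructed sample values: documentation-range addresses, made-up default password.
IOT_SERVER = "203.0.113.10"
OTHER_HOST = "198.51.100.7"
DEFAULT_PASSWORD = "admin"

@dataclass
class Device:
    name: str
    password: str

    def login(self, attempt: str) -> bool:
        return attempt == self.password

@dataclass
class Router:
    # Remembered flows: (remote address, remote port) -> device inside the network.
    remembered: dict = field(default_factory=dict)

    def outbound(self, device: Device, remote_ip: str, remote_port: int) -> None:
        """A device inside the network contacts a server; the router remembers it."""
        self.remembered[(remote_ip, remote_port)] = device

    def inbound(self, claimed_ip: str, claimed_port: int):
        """Deliver data only if its claimed source matches a remembered flow.
        The router sees the address written on the data, not who really sent it."""
        return self.remembered.get((claimed_ip, claimed_port))

def simulate(device_password: str) -> dict:
    """Walk through the cases from the post for a camera with the given password."""
    camera, router, results = Device("camera", device_password), Router(), {}
    # Before the camera has contacted anyone, inbound data is dropped.
    results["unsolicited_delivered"] = router.inbound(IOT_SERVER, 443) is not None
    # The camera contacts its server; data from that address is now delivered.
    router.outbound(camera, IOT_SERVER, 443)
    results["server_reply_delivered"] = router.inbound(IOT_SERVER, 443) is camera
    # Data from an address that was never remembered is still dropped.
    results["other_source_delivered"] = router.inbound(OTHER_HOST, 443) is not None
    # Data that merely claims the server's address looks identical to the router,
    # so it is delivered too. Only the device's own password check remains.
    target = router.inbound(IOT_SERVER, 443)
    results["impersonated_delivered"] = target is camera
    results["default_login_accepted"] = target.login(DEFAULT_PASSWORD)
    return results

if __name__ == "__main__":
    for pw in (DEFAULT_PASSWORD, "long-unique-passphrase-7Qx"):
        print(pw, simulate(pw))
```

With the default password left in place the final check passes; with a changed password the same delivered data gets no further than the login.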