How many homeowners do you know who are Wi-Fi network specialists? Unless they work in technology, I’m willing to bet that your average apartment or condo complex contains very few experts. So when it comes to cybersecurity, very few residents will think about the digital safety implications of their Wi-Fi enabled doorbell, security cameras, tracking sensors and all the other smart devices they’ve bought, plugged in or which came with their unit.
Now, how many cybercriminals do you know in your neighborhood or community? My bet is none. They don’t tend to post an ad on the building notice board to introduce themselves and advertise their nefarious intentions. And that’s the problem.
With the future of housing centered around more multi-tenant developments, internet of things (IoT) devices – and the criminals who would leverage them in their schemes – are part of a wider cybersecurity issue that’s a real and present danger for renters and apartment dwellers. Now, the onus is on landlords and building owners to put technology and policies in place that detect, understand and manage the devices and threats that may affect an in-building Wi-Fi network and its residents.
The Problem Is, We Don’t Know the Problem
According to Strategy Analytics, as of 2021, there are over 250 million connected smart home devices. These devices are inside home Wi-Fi networks, registered to our addresses with our personal details held somewhere in the cloud. Unfortunately, in the past, some electronic toy and game manufacturers have reported data breaches, which could include registered details about children.
IoT has seen an explosion of traditional companies morph into information technology companies, yet without the hard-won cybersecurity learnings and standards that traditional infotech companies have. In the rush to get smart toys, doorbells, cameras and more to market, a robust security program hasn’t been a priority.
In terms of what’s at risk, let’s think about how these devices work. There’s a good chance that there is a registration process, whereby personal details about the purchase and the purchaser are stored. We bring the device home, and as with all good Wi-Fi networks, it’s connected and remains always-on in the background, communicating any activity, messages, commands, etc. with a server run by the IoT company (again, ‘somewhere’ in the cloud). The same goes for the supporting apps on our mobile phones.
A reputable tech company with security at its heart would typically store these encrypted transactions and would then delete them once delivery happened. An immature, insecure or criminal company wouldn’t, potentially risking the leak of all our personal details – name, home address, the subscription service we were paying for, credit card details, security question answers, voice messages and time stamps.
IoT devices are commonly the least secure devices on the network. Recent findings from Forescout and JSOF discovered nine different bugs in over 100 million consumer and business IoT devices. Whereas Wi-Fi IoT devices can be secured fairly easily, low energy devices using Zigbee, Z-Wave or BLE technologies can be harder to secure, and they eventually do connect (through a bridge or some other type of connection) to the Wi-Fi network. These vulnerabilities need a lot of attention, and your typical multi-dwelling unit (MDU) will commonly have a mix of Wi-Fi and IoT devices in place.
Likewise, as the name ‘network’ suggests, apartments or units within a multi-tenant building are connected by a common infrastructure, meaning that insecure MDU networks are the gift that keeps on giving to criminals from within.
MDU Cybersecurity Strategies
Home Wi-Fi networks are not alone. Even enterprises are struggling with the weight of managing an ever-increasing array of IoT devices attaching to corporate networks. But enterprises have more options. They have skilled IT teams and can use hardened AAA platforms to securely authenticate devices onto their Wi-Fi networks. They can also create special IoT Wi-Fi networks, firewalls and security policies.
Landlords offering ISP services to paying tenants have a responsibility to deliver the most secure network possible, and MDUs can help prevent cybersecurity threats by taking similar steps:
- Partner with a reputable MDU ISP service that provides evidence of building connectivity security, design and network monitoring as an ongoing, dedicated function. Constant intrusion detection, planning and response should be looked at through the lens of what is secure today could be breached tomorrow.
- Responsible tenant internet access requires a network design that can offer secure assured segregation per tenant. If a device in one apartment is breached or hacked, the network configuration should ensure that any single tenant does not pass a breach on, becoming a jump host to the rest of the building. This also means that as tenants turn over, access can be quickly revoked and new tenants in each unit can be easily set up. Ultimately, this comes back to professional installation, correct access point configuration and ‘per tenant’ installation.
- Although the Wi-Fi service will begin life as a single internet connection into the building, it should be segmented by unit using virtual LANs (VLANs). Each apartment is allocated a personal VLAN and Wi-Fi WPA2 key (wireless router password) to stop a threat to one unit from becoming a problem for the entire building. Shared passwords are an absolute no-go. Visitors should scan a QR code to get Wi-Fi access.
- Constant vulnerability monitoring and testing to detect and mitigate threats is also very important. A process and controls should be in place so if a security breach happens, the affected instance or unit will be segmented from anything and everything else. This must be a comprehensive process of finding and scanning devices – both known and unknown, internal and external – and applying the same scanning and policies to both tenants’ IoT devices and the landlord’s IoT infrastructure.
- Hand-in-hand with vulnerability monitoring, and especially in an IoT-heavy environment, is a patching policy. Landlords or service providers should make sure that once a device is breached or a software vulnerability is found, security patches are applied immediately. Where the IoT device is part of the building’s fabric – smart thermostats, smart heating, smart door security cameras, etc. – it’s the landlord’s responsibility to maintain that device’s security patches.
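The per-unit VLAN and WPA2 key rule from the list above, written as a check an operator could run over a provisioning export to catch shared keys, shared VLANs and keys that survived a tenant turnover. This is an added example, not code from the original post; the record fields, the sample units and the treatment of VLAN 1 as a reserved management VLAN are assumptions.

```python
"""Audit a per-unit Wi-Fi provisioning table for segmentation gaps (added example)."""
from collections import defaultdict
from datetime import date

# Constructed sample inventory: unit, VLAN ID, WPA2 passphrase, date the key was
# issued, and the current tenant's move-in date. All values are made up.
UNITS = [
    {"unit": "101", "vlan": 101, "psk": "kV7#qLm2Xw9!rTz4", "issued": date(2024, 3, 1), "move_in": date(2024, 3, 1)},
    {"unit": "102", "vlan": 102, "psk": "Building2024", "issued": date(2024, 1, 5), "move_in": date(2024, 1, 5)},
    {"unit": "103", "vlan": 102, "psk": "Building2024", "issued": date(2023, 6, 1), "move_in": date(2024, 2, 10)},
    {"unit": "104", "vlan": 1, "psk": "short", "issued": date(2024, 4, 1), "move_in": date(2024, 4, 1)},
]

def audit(units, reserved_vlans=(1,)):
    """Return sorted (unit, issue) pairs for every segmentation rule a unit breaks."""
    findings = []
    by_vlan, by_psk = defaultdict(list), defaultdict(list)
    for u in units:
        by_vlan[u["vlan"]].append(u["unit"])
        by_psk[u["psk"]].append(u["unit"])
        # 802.1Q usable VLAN IDs are 1-4094; the reserved set (assumed here to be
        # the default/management VLAN 1) must never carry tenant traffic.
        if not 1 <= u["vlan"] <= 4094 or u["vlan"] in reserved_vlans:
            findings.append((u["unit"], "invalid-or-reserved-vlan"))
        # WPA2-Personal passphrases are 8 to 63 characters long.
        if not 8 <= len(u["psk"]) <= 63:
            findings.append((u["unit"], "psk-length-out-of-range"))
        # A key issued before the current tenant moved in is still known to
        # the previous tenant, so access was never actually revoked.
        if u["issued"] < u["move_in"]:
            findings.append((u["unit"], "key-not-rotated-at-turnover"))
    # Any VLAN or passphrase used by more than one unit breaks per-tenant isolation.
    for members in by_vlan.values():
        if len(members) > 1:
            findings += [(m, "shared-vlan") for m in members]
    for members in by_psk.values():
        if len(members) > 1:
            findings += [(m, "shared-psk") for m in members]
    return sorted(set(findings))

if __name__ == "__main__":
    for unit, issue in audit(UNITS):
        print(f"unit {unit}: {issue}")
```
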
Apartment complexes are a target-rich environment, with a number of dynamic threats and a rapidly expanding number of IoT devices. Managed Wi-Fi is a fantastic benefit to both tenants and landlords acting as ISPs, but only if it is designed and delivered with security as its core.
This post originally appeared in Security Boulevard.
Dr. Chris Spencer, Group Chief Information Security Officer
A specialist in secure internet connectivity. Chris helped design and build solutions for international cities and enterprises. A thought leader in secure, seamless sign-on and Passpoint, he is involved in the specification and delivery of Next Generation Hotspot, leads and co-leads working groups for the WBA, Hospitality Technology Next Generation (HTNG) and the Seamless Air Alliance (SAA).