National Cybersecurity Awareness Month: Exorcising the ghosts of forgotten devices

|
Updated

Picture this: it’s a crisp October night. You’re sitting in your living room, lights low, pumpkin candle flickering. The house is quiet – too quiet – when suddenly, your smart speaker crackles to life. The thermostat blinks, the robot vacuum rolls out uninvited, and your doorbell camera sees…something.

Don’t worry, it’s probably not ghosts. (Probably.)

But the truth is, your home is haunted: forgotten logins, unpatched firmware, and devices that haven’t phoned home to their manufacturer in years. 

Which brings us to an important ritual for this spooky season: fall securing.

What is fall securing? #

A tradition practically as old as human civilization is "spring cleaning." After a winter of being sealed up indoors, it’s common to throw open the windows and get all the junk out when the weather warms up.

Here in early October, during National Cyber Security Awareness Month, I suggest a digital twist: take an hour or two for some "fall securing." It’s like spring cleaning, except you’re dusting off your home network and smart devices instead of the closets.

If you’re reading this blog post, you’re probably in the demographic of people who have accumulated a pile of computers-that-don’t-look-like-computers around the house. Phones, routers, and laptops are of course expected. But what about your doorbell camera, thermostat, or your weirdly Twitter-cobranded kitchen appliances? Networked ovens and refrigerators are here, for some reason, along with the rest of the Internet of Things, like light bulbs, fish tanks, robot vacuums, pet feeders…it’s kind of endless, and getting endless-er. Most households probably have between five and fifteen connected devices; you probably skew higher.

And all of these IoT things hew to a couple of fundamental laws of consumer tech. One, they all tend to ship with bugs, and thus, need patching. Two, they eventually go end-of-life, often long before they stop working and without fanfare or drama. There’s no law that says these features need to be obvious to you, the consumer, so it’s on you to figure this out.

Where to start ghost-busting #

Fall securing means taking stock; ask yourself the following:

  • Who made this device?
  • Are they still in business?
  • Does it update automatically, and is it actually updating?
  • If you update it manually, have you done it? How can you tell?
  • What version of the software is running right now?
  • Are there known vulnerabilities?

It sounds like a lot of work, but the answers to these basic questions are usually pretty obvious once you start looking. Make a note of what is on your network. Get familiar with your router’s administrative interface and the IP and MAC space that you’re managing. Save off your notes somewhere where you can get to it later, and crack them open next fall to do it all again.

I’m here to assure you that this exercise is empowering. Playing at being a low-stakes network administrator removes a ton of the mystery from your digital life. You might even discover devices that do not need to be online at all. If so, you’ve got a NCSAM miracle of reduced attack surface, at practically zero cost. Nice.

You will likely find surprises. When I first ran runZero at home, I discovered my garage door opener on the network. No one used it, no one had the app, and nobody will cop to configuring it as such. Yet, it was there, exposing an API to enter my house to anyone on the local WiFi (which extends to the street, of course). That was a fun day.

Finding rogue devices like this is why runZero is so useful at home, and incidentally free for up to 100 assets. If you have employees that work at home, slide them that link and get them to peek at their networks now and again, just as soon as you get your own house in order.

The main reason for "fall securing" is simple: winter is coming, and you are likely to be spending more time indoors, surrounded by devices that should at least be patched and still supported. Taking a little time now gives you confidence in your environment. Your Chromebook, TV, and game console will be safer, and you will spend less time worrying about them quietly betraying you. Not no time. But less time.

This blog is the first in a series of consumer tech-centric blogs here at runZero for National Cyber Security Awareness Month.

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He's also a founder and CNA point of contact for AHA!.

Tod spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.

More about todb
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.