10 IoT Security Best Practices For IT Pros

 

IT professionals have to treat internet of things (IoT) vulnerabilities as they would vulnerabilities in databases or web applications. Any flaw can bring unwelcome attention, for those making affected products and those using them. Any flaw may prove useful to compromise other systems on the network. When everything is connected, security is only as strong as the weakest node on the network.

(Image: Jefferrb via Pixabay)

 

The Internet Crime Complaint Center (IC3), a partnership between the FBI, the National White Collar Crime Center, and the Bureau of Justice Assistance, issued a warning in September 2015 about the risks posed by internet of things (IoT) devices.

“As more businesses and homeowners use web-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet also increases the target space for malicious cyber actors,” the IC3 alert said. “The FBI is warning companies and the general public to be aware of IoT vulnerabilities cybercriminals could exploit, and offers some tips on mitigating those cyber threats.”

From a statistical standpoint, the warning may seem premature, because IoT devices haven’t been implicated in major breaches. As Verizon noted in its 2016 Data Breach Investigations Report (DBIR):

“For those looking for proclamations about this being the year that mobile attacks bring us to our knees or that the Internet of Things (IoT) is coming to kill us all, you will be disappointed. We still do not have significant real-world data on these technologies as the vector of attack on organizations.”

We do have real-world proofs-of-concept. Cyber-security researchers Charlie Miller and Chris Valasek last year remotely hacked a moving Jeep Cherokee and sent it into a ditch. The pair have more recently demonstrated that hijacking a moving Jeep is still possible, though this time they were inside the vehicle.

Also last year, security researcher Maxim Rupp identified two vulnerabilities in Honeywell’s Midas gas detector, a device used in semiconductor processing and industrial manufacturing. Researchers have identified many other holes in IoT security.

The potential impact of these flaws may prompt fears. The idea that a hacker might cause you to crash your car is frightening. But there’s not much money in pursuing that sort of exploitation, and hackers tend to be motivated by the desire for financial gain. According to Verizon’s 2016 DBIR, 89% of breaches had a financial or espionage motive.

Yet, those working in information technology have to treat IoT vulnerabilities as they would vulnerabilities in databases or web applications. Any flaw can bring unwelcome attention for those making affected products and those using them. Any flaw may prove useful to compromise other systems on the network.

When everything is connected, security is only as strong as the weakest node on the network. A compromised home router, for example, could betray credentials necessary to penetrate workplace systems.

Pen Test Partners, a company offering penetration testing and security services, offers best practices for IoT device-makers, app developers, and IoT supply chain partners to consider. So do Microsoft and the Federal Trade Commission. whiteCryption has some recommendations too.

Anyone dealing with IoT software or hardware would also do well to review the OWASP Top 10 IoT Vulnerabilities.

What follow are 10 tips IT professionals should consider when designing and implementing internet-connected devices.

Measure Twice, Cut Once

Plan ahead. The Federal Trade Commission advises conducting a privacy risk assessment of IoT products and services in the design phase, minimizing data collected and stored, and conducting security assessments before any product or service is launched. Microsoft advises scoping hardware to minimum requirements, ensuring that hardware is tamper-proof, and implementing encrypted storage and Trusted Platform Module-based boot functionality where possible.

Know The Code

Encrypt and think defensively. For mobile apps, make sure you implement SSL properly, so data can’t be intercepted, and make sure data stored on-device is secured by something more than obscurity. Don’t rely on static credentials. Defend against attacks, both those designed to collect data, like lists of all usernames, and brute-force login attempts.

Minimize Your Profile

Hiding things helps. It’s easy to attack applications and reverse engineer their code, said Thorsten Held, managing director of whiteCryption, in a phone interview. To reduce the risk of compromised apps, use tools for application hardening and code obfuscation. Security through obscurity isn’t advisable as the sole means for protecting anything, but code obfuscation can make reverse engineering attacks much more time consuming.

Consider which programming language meets your security needs. “We definitely recommend to our customers to implement the security-related parts of an application in C/C++, but do support, for example, Java on the Android platform as well,” said Held in an email to InformationWeek. “JavaScript is not recommended.”

Dot Your I’s And Cross Your T’s

Be thorough in API implementation. APIs supporting mobile or IoT apps and devices should enforce strong session management, ensure proper deployment of encryption, and defend against injection attacks.

Think Beyond Your Hardware And Software

Web interfaces need to be treated with the same care as applications. Web interfaces are used as the front-end in many IoT devices, according to Pen Test Partners. Be aware of common web app vulnerabilities to avoid leaking credentials or other personal data.

We Want The Airwaves

Think carefully about wireless implementations. Pen Test Partners notes that WiFi devices are vulnerable to “evil twin” attacks. With Bluetooth, care needs to be taken not to set an obvious default PIN for device pairing. Don’t neglect security best practices when you are using other protocols, such as Z-Wave or ZigBee.

Word Up

Enforce strong passwords. Lock accounts after too many failed login attempts. Support two-factor authentication. Don’t rely exclusively on biometrics, like fingerprint scanners. Something you know, given enough complexity and reliable memory, is inherently more secure than something you have.
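The account lockout recommended here, combined with the defense against username harvesting from "Know The Code", can be sketched as follows. This is an added example, not code from the article or the firms it cites; the class name, the thresholds and the `now` parameter (the caller's clock, passed in) are assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5      # assumed lockout threshold
LOCK_SECONDS = 900    # assumed lockout duration
GENERIC_ERROR = "invalid username or password"

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; iteration count kept low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class LoginGuard:
    def __init__(self):
        self.users = {}      # username -> (salt, password hash)
        self.failures = {}   # username -> (failure count, locked_until)
        # Dummy record: unknown usernames cost the same hashing work as real
        # ones, so response time does not reveal which names exist.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash(os.urandom(16).hex(), self._dummy_salt)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username: str, password: str, now: float):
        count, locked_until = self.failures.get(username, (0, 0.0))
        salt, stored = self.users.get(
            username, (self._dummy_salt, self._dummy_hash))
        # Constant-time comparison of the derived hash.
        ok = hmac.compare_digest(_hash(password, salt), stored)
        ok = ok and username in self.users and now >= locked_until
        if ok:
            self.failures.pop(username, None)
            return True, "ok"
        if now >= locked_until:
            # Failures are counted for unknown names too, so lockout
            # behaviour is identical whether or not the account exists.
            count += 1
            if count >= MAX_FAILURES:
                self.failures[username] = (0, now + LOCK_SECONDS)
            else:
                self.failures[username] = (count, locked_until)
        # Wrong password, unknown user and locked account all look the same.
        return False, GENERIC_ERROR
```

A production version would bound the size of the failure table, since this sketch stores an entry for every username ever tried.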

Plan For Repairs

Ensure updates can be distributed securely and automatically, and can be verified and pushed manually if needed. Guard update code at rest and in transit. At Black Hat last year, security researchers demonstrated how they could hijack Windows Update servers. The Flame malware has done so in less controlled conditions. Apply encryption to firmware too.
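A device-side check that an update "can be verified" might look like the following added example, which is not from the article or any vendor it mentions. The manifest layout and function names are assumptions, and an HMAC with a constructed key stands in for the public-key signature a vendor would normally use, so that the example runs with the standard library only.

```python
import hashlib
import hmac
import json

def _canonical(body: dict) -> bytes:
    # Stable byte encoding so vendor and device MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def make_manifest(image: bytes, version: str, key: bytes) -> dict:
    """Vendor side: describe the image, then authenticate the description."""
    body = {"version": version, "size": len(image),
            "sha256": hashlib.sha256(image).hexdigest()}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

def verify_update(image: bytes, manifest: dict, key: bytes) -> str:
    """Device side: return "ok" or the reason the update is rejected."""
    body, mac = manifest.get("body"), manifest.get("mac")
    if not isinstance(body, dict) or not isinstance(mac, str):
        return "malformed manifest"
    # 1. Authenticate the manifest before trusting any field inside it.
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return "manifest not authentic"
    # 2. A cheap length check catches truncated downloads early.
    if body.get("size") != len(image):
        return "size mismatch"
    # 3. Integrity of the image itself, against the authenticated digest.
    actual = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(actual.encode(), str(body.get("sha256")).encode()):
        return "digest mismatch"
    return "ok"

# Constructed sample data, not a real firmware image or key.
DEMO_KEY = b"constructed-demo-key"
DEMO_IMAGE = b"\x7fFW" + bytes(range(64))
```

With a public-key signature in place of the HMAC, the device would hold only a verification key, so extracting it from one unit would not let anyone authenticate updates for the rest.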

Make Smart Hardware Choices

Understand hardware security options. “Microcontrollers with embedded flash memory make recovering firmware harder, but offer limited capacity compared to microprocessors with external flash and RAM,” Pen Test Partners explains in its best practices guidance, adding that debug ports, which are often unnecessarily left in place, can be removed from devices, can have their fuses blown, or can be disabled in the software. The firm also recommends the use of BGA (ball grid array) packages in conjunction with PCB design to limit the accessibility of signals, along with secure authentication hardware to store keys.

Knowledge Is Power

Audit. Microsoft recommends auditing IoT infrastructure diligently in order to respond to security incidents. Check logs. Analyze data. You can’t fix what you don’t know about.