Securing the Internet of Things (IoT) by Indy Dhami

If the Internet is a free-for-all, and with the Internet of Things we’re putting the entire world on the Internet, what does that make us? Fish in a barrel? J.M. Porpup 

In 2015 I published a LinkedIn post on the topic of ransomware and the Internet of Things (IoT). Since then we have seen a further array of exciting (and odd) IoT innovations brought to the marketplace. This includes blockchain/IoT integration, consumer augmented/virtual reality headsets, pet fitness trackers, beds, footwear, even an internet-enabled dress. The research agency Gartner estimated that there will be over four billion IoT devices in use this year, with that number rising to over twenty billion by 2020. 

However, in a desire to innovate and get products to the market quickly, many IoT manufacturers have overlooked the importance of security. The rising number of cyber attacks, data breaches/ransoms and warnings from law enforcement demonstrate that there is much more work to be done to secure systems, devices and data – and the IoT is an increasingly large part of that process. The current (poor) state of IoT security is largely because manufacturers and end users do not fully understand the risks and vulnerabilities in their devices, and have not grasped the benefits of greater security.  

Search engines for internet connected devices such as Shodan have highlighted vulnerabilities in millions of IoT devices. The site indexes devices such as traffic signalling systems, routers, electrical grids, industrial vehicles, webcams. These webcams included residential and commercial properties, ski slopes, marijuana plantations and most concerning sleeping babies.

Manufacturers need to improve their understanding of the risks of building IoT devices with limited security controls, as well as their responsibility in protecting all personally identifiable information (PII) in accordance to data protection regulations (i.e. the recently finalised EU General Data Protection Regulation). End users must also be aware that insecure behaviour with using IoT devices and excessive sharing of information could leave them vulnerable to attackers.

As a minimum, the following eight priorities should be considered by manufacturers and developers:

1. Educate end users – Provide end users of IoT devices with plain and clear documentation enabling them to easily and securely configure their new purchase.
2. Embed encryption – Incorporate end-to-end encryption using accepted practices throughout the data exchanging process, rendering information useless to anyone without authorised access. Confidentiality, Integrity and Availability must be a primary concern.
3. Include security in the SDLC/DevOps process – IoT manufacturers should include security as a core component of the Systems Development Lifecycle (DevOps is making progress in this area). Code, application and infrastructure tests should all be performed to identify vulnerabilities. Done correctly, this will reduce the ability for man-in-the-middle attacks, embedding of malicious code, backdoors or attackers covertly moving from within devices or systems once access has been compromised.
4. Apply authentication and authorisation controls – Implement authentication controls by providing strong password functionality and where possible two-factor authentication. No default usernames or weak passwords should be allowed with mandatory password changes at defined intervals.  
5. Harden security – Apply easily identifiable tamper-proof mechanisms into IoT devices and components. If the device is tampered with, any PII should not be accessible.  Remove any testing/debugging interfaces and ports where not required.
6. Enable patching – Build in the ability to deploy software fixes quickly on IoT devices in a way that is effortless for end users. This should again be part of the requirements and system design phase.
7. Build for the future – It is imperative that IoT devices have sufficient protection and the ability to be upgraded throughout the lifecycle of the device. Continuous and vigorous testing of devices is needed, using a range of scenarios and external parties.
8. Increase transparency and privacy – Allow end users to choose (and opt out of) how and where PII is sent and how it is used. Data on end users should not be shared with third parties unless it has been fully anonymised. Data must be protected throughout its lifecycle and when device vulnerabilities are identified, alert end users as soon as possible. Apply a principle of ‘privacy by design’.  

I would be keen to hear from others in IoT space and security professionals alike on other considerations (such as the draft OWASP guideline) to help us become more secure in our highly connected world.