We are in the booming phase of the Internet of Things (IoT) and, with it, are beginning to become aware of the security risks it is exposed to. These historical IoT security hacks should give us some perspective: Between 2006 and 2010, attackers created the Stuxnet virus, designed to damage Iranian centrifuges by targeting their SCADA systems. In 2013, hackers were able to exploit millions of IoT devices to create a botnet. More than 25% of the zombies in the botnet were devices like smart TVs and baby monitoring systems. In 2015, researchers hacked into a running Jeep’s computer system, managed to engage and disengage the brakes, and cut the driver off from his own car.
More recently, I stumbled upon an article that describes how a developer ended up with a Python script that helps find all the open cameras in a geolocation with the help of a few Python modules and Shodan. Shodan.io is a search engine, much like Google, except that it helps to search the Internet for IoT devices. With luck, one will be able to find a couple of cameras that use weak passwords like admin/admin.
The ease with which hacks can be performed in today’s complex IoT environment is nothing short of alarming given its ramifications for companies that deploy the technology. Some security challenges in the context of IoT include:
Lack of security implementation during development: Since the boom started, a lot of IoT products have flooded the market, some of them very competitive. To cite an example, a product by a branded company might cost $100 in the market while its replica from a lesser-known company might be available for $10. At first blush, the two products may not look different. But look closer: the cheaper one may not have the latest/stable software or strong passwords for panel login.
Cheap hardware that does not support security implementation: Most of the time, during development, developers take a “set-and-forget” approach to devices. To keep the price down, manufacturers rely on cheap hardware that does not go the extra mile in terms of security. With such devices in the IoT ecosystem, handling security becomes tough.
Lack of industry standards: While many IoT security frameworks exist, there is no single agreed-upon framework. Most big companies create a model of their own while smaller industries follow proprietary, incompatible standards. This lack of standardization makes it difficult to secure systems. With the OWASP IoT Top 10 draft around the corner, some of the security issues in IoT could be addressed if developers put in the effort.
How to Protect Systems and Devices for IoT Security
The “prevention is better than cure” approach is the best, just as in every other security implementation: that is, take care of security right from the start. The operators of IoT devices need to treat their systems just like every other network-connected computer: keep them up to date, prevent malware, and audit and protect the infrastructure.
- Apply threat modeling and integrate security into the development phase
Instead of waiting for security lapses to reveal themselves and scrambling to patch up, it is better to find out the loopholes beforehand and integrate every security measure into the development process.
- Ensure API security for connect-back devices
Developers sometimes forget to secure the APIs that the applications/devices connect back to. This comes from the misconception that it is hard to identify such APIs. But identifying such APIs is only a matter of getting in the middle of the communication channel and sniffing the data packets that are being transmitted or received.
- Ensure cryptographic strength for connections and data transport
Transporting valuable data over plain connections is not a good idea. Transport layer security is crucial for any data that is sent over the Internet.
- Ensure network and infrastructure security at deployment
The security of any chain is only as strong as its weakest link. Even if a secure IoT device is developed, connecting it to a WiFi network with crackable security defeats the purpose. A lot of people still rely on poor WiFi etiquette.
- Provide software updates and patch devices at the first hint of a known threat
Manufacturers who provide devices should keep an eye out for new threats in the wild and ensure that proper patches are provided to customers. Also, the developers should continually try to optimize the programs and provide timely updates for customers.
- Provide proper guidelines to the tech support team and customers
Customers should be provided with a proper user manual and instructions on how to implement the solution safely and how to update it at periodic intervals.
- For critical deployment, rely on a technically skilled team
The installation and support team who come onsite to assemble the devices are another weak link in the chain. An all-purpose internal support team may not be well versed in the product or they may not be aware of the precautions to be taken. The team should be given timely training about the latest updates and how to implement them.
- Provide passwords and debug systems that are not easily accessible
One of the most common user experience blockers is the implementation of strong passwords. The developer might be ready to implement a security control but the UX team will not be ready to adopt it because long and strong passwords are hard to remember. But when it comes to security, applications should have strong passwords, especially when they are rolled out of production centers into the hands of customers. The debug log should also be prevented from printing sensitive information related to the device.
- Identify the bogie that belongs to the fleet
Another important step is to ensure that the devices connecting to the API are trusted devices. An easy way to compromise a set of IoT devices is to hack the API/backend that keeps the devices running. But what if the server knows who is allowed to connect to it? It won’t let any bogus device connect, which removes an attack surface. This can be achieved by installing certificates on the edge/gateway devices (to make sure that only trusted devices communicate with the server) as well as on the server (so the edge device knows that it’s not talking to a bogus server).
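The mutual certificate check described above, as an added example in Go that is not part of the original article: the backend requires a device certificate issued by the fleet CA, and the device verifies the backend against the same CA. The fleet CA, the host name backend.example, the device names and the helpers Issue and Handshake are assumptions made for the demonstration, and all certificates are generated in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Issue (hypothetical helper) builds a throwaway demo certificate; parent == nil yields a self-signed CA.
func Issue(name string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { // no issuer given: sign the template with its own key
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Handshake returns nil only when backend and device each accept the other's certificate.
func Handshake(fleetCA, backend, device tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(fleetCA.Leaf)
	srv := &tls.Config{Certificates: []tls.Certificate{backend}, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool} // backend admits fleet certificates only
	dev := &tls.Config{Certificates: []tls.Certificate{device}, MinVersion: tls.VersionTLS12,
		RootCAs: pool, ServerName: "backend.example"} // assumed host name; device trusts only the fleet CA
	c, s := net.Pipe()
	defer s.Close()
	go func() { // device side: Read runs the handshake, then drains the backend's alerts and tickets
		tls.Client(c, dev).Read(make([]byte, 1))
		c.Close()
	}()
	return tls.Server(s, srv).Handshake()
}

func main() {
	ca := Issue("fleet-ca", nil)
	fmt.Println("fleet device:", Handshake(ca, Issue("backend.example", &ca), Issue("cam-01", &ca)))
	fmt.Println("bogus device:", Handshake(ca, Issue("backend.example", &ca), Issue("cam-01", nil)))
}
```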
It is obvious that we have to approach IoT with a critical mind when it comes to security. Just like every other technology, the older it gets, the more mature it becomes. Until there is a unified standard in place and there comes a time when people are ready to follow the standard practices, we will have to rely on experienced developers and specialized teams to implement IoT solutions securely.