5 fundamentals of IoT security

IoT is still in its infancy, and especially so when it comes to security. Not a day goes by without new hacks, botnet attacks or vulnerability discoveries.

For IoT to grow up we need professional approaches to security and privacy protection. Anything less will destroy the market for everyone, and cost you customers and credibility.

Here are five fundamentals of IoT security:

1) Software security degrades over time, what developers call "code rot"

All software needs to be maintained and updated. Bugs and security flaws need to be patched. Manufacturers need a way to get IoT sensors and devices patched in highly distributed and uncontrolled environments, over constrained networks and across a multitude of standards. They need to provide updates for the life of the device, and they must be able to push updates quickly to plug critical vulnerabilities. The update channel itself must not become the attack vector: a device should only install images whose signature it can verify against a vendor key it already trusts, and it should refuse a validly signed but older image, otherwise an attacker can reinstall a release whose holes have already been patched.


2) Static secrets don’t stay secret

Default or hard-coded credentials do not stay secret: once they are published they are known to every attacker. Mirai demonstrated this by logging in to devices with a short list of factory credentials and conscripting them into botnets used for massive DDoS attacks. New devices must require a password change on first use, and certificates and encryption keys must be rotated at set intervals. None of this can be left to users, who often do not know how, or cannot be bothered, to update a device or change a password.

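How a device can enforce these rules itself instead of relying on the owner, as an added example in Go that is not code from the original article or from any product: the device leaves the factory with a unique per-device password that only works for the first login, the replacement is rejected if it is a known default or the label value, and key rotation is driven by a timer the device checks rather than by a user remembering. The `Device` type, its method names, the 90-day interval and the short list of defaults are assumptions made for this example; a real device would load the full published credential lists and use a memory-hard password KDF.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
)

// knownDefaults is a constructed sample of the kind of factory credentials that
// Mirai-style scanners try; a real policy loads the full published lists.
var knownDefaults = map[string]bool{
	"admin": true, "password": true, "12345": true, "root": true, "1234": true, "default": true,
}

const keyRotationInterval = 90 * 24 * time.Hour // assumed policy value

var (
	ErrBadCredential  = errors.New("authentication failed")
	ErrChangeRequired = errors.New("factory password must be replaced before the device is usable")
	ErrWeakPassword   = errors.New("password is a known default, the factory value, or too short")
)

type Device struct {
	Serial      string
	salt        []byte // per-device, so the same password on two devices hashes differently
	pwHash      []byte
	factoryHash []byte // remembered so the owner cannot "change" back to the label value
	mustChange  bool
	keyIssuedAt time.Time // when the device's TLS key/certificate was issued
}

func hashPassword(salt []byte, pw string) []byte {
	// HMAC-SHA256 keyed with the salt keeps this example dependency-free; a shipped
	// device should use a memory-hard KDF (scrypt or argon2) here instead.
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(pw))
	return m.Sum(nil)
}

// NewFactoryDevice models a device leaving the line with a unique password printed
// on its label that is only good for the first login.
func NewFactoryDevice(serial, factoryPassword string, provisionedAt time.Time) *Device {
	salt := sha256.Sum256([]byte("salt:" + serial)) // constructed; use random bytes in production
	h := hashPassword(salt[:], factoryPassword)
	return &Device{Serial: serial, salt: salt[:], pwHash: h, factoryHash: h, mustChange: true, keyIssuedAt: provisionedAt}
}

// Login returns ErrChangeRequired while the factory password is still in place:
// the only action the caller may then take is SetPassword.
func (d *Device) Login(pw string) error {
	if subtle.ConstantTimeCompare(hashPassword(d.salt, pw), d.pwHash) != 1 {
		return ErrBadCredential
	}
	if d.mustChange {
		return ErrChangeRequired
	}
	return nil
}

// SetPassword enforces the policy on the new value and clears the first-use flag.
func (d *Device) SetPassword(current, next string) error {
	if subtle.ConstantTimeCompare(hashPassword(d.salt, current), d.pwHash) != 1 {
		return ErrBadCredential
	}
	nh := hashPassword(d.salt, next)
	if len(next) < 12 || knownDefaults[strings.ToLower(next)] || hmac.Equal(nh, d.factoryHash) {
		return ErrWeakPassword
	}
	d.pwHash = nh
	d.mustChange = false
	return nil
}

// KeyNeedsRotation is what a device-side scheduler polls so that re-keying and
// certificate renewal happen on a timer, with no user involvement.
func (d *Device) KeyNeedsRotation(now time.Time) bool {
	return now.Sub(d.keyIssuedAt) >= keyRotationInterval
}

// RotateKey stands in for generating a fresh key pair and re-enrolling a certificate.
func (d *Device) RotateKey(now time.Time) { d.keyIssuedAt = now }

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	d := NewFactoryDevice("SN-0001", "label-Q7f9", t0)
	fmt.Println("first login with label password:", d.Login("label-Q7f9"))
	fmt.Println("choose 'password':", d.SetPassword("label-Q7f9", "password"))
	fmt.Println("choose a real one:", d.SetPassword("label-Q7f9", "correct-horse-battery"))
	fmt.Println("rotation due after 91 days:", d.KeyNeedsRotation(t0.Add(91*24*time.Hour)))
}
```

Note that `Login` does the credential comparison before checking the first-use flag, so an attacker scanning with a default list still needs the per-device label value to learn anything, and the factory hash is kept so that "changing" the password to the printed one counts as no change at all.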

3) Weak configurations persist

The default configuration of an IoT device persists unless the user changes it. If manufacturers ship devices in their least secure state and leave it to the owner to harden them, it will not happen. Vendors must make the most secure configuration the default, so that only users who know what they are doing consciously decide to reduce security, for example by opening a port to the Internet, and that decision should be recorded rather than silently absorbed into the configuration.
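What "secure by default, insecure by conscious choice" looks like in code, as an added example in Go that is not from the original article or any vendor's firmware: the insecure factory posture and the secure baseline side by side, an audit that lists every deviation from the baseline, and a single entry point for exposing the management port that refuses to act unless the owner explicitly acknowledges the consequence. The `Config` fields, the check names and the port numbers are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Config is a hypothetical device configuration; the field names are assumptions
// made for this example, not any vendor's real schema.
type Config struct {
	TelnetEnabled   bool
	UPnPEnabled     bool            // asks the router to forward ports: Internet exposure nobody decided on
	RemoteAdminPort int             // 0 = management reachable only from the local network
	TLSRequired     bool            // cleartext traffic to the cloud/app refused
	AutoUpdate      bool
	Acknowledged    map[string]bool // checks whose deviation the owner explicitly accepted
}

// InsecureFactoryConfig is the "ship it in the least secured state" posture.
func InsecureFactoryConfig() Config {
	return Config{TelnetEnabled: true, UPnPEnabled: true, RemoteAdminPort: 8080,
		TLSRequired: false, AutoUpdate: false, Acknowledged: map[string]bool{}}
}

// SecureDefaultConfig is the posture the device should leave the factory in.
func SecureDefaultConfig() Config {
	return Config{TelnetEnabled: false, UPnPEnabled: false, RemoteAdminPort: 0,
		TLSRequired: true, AutoUpdate: true, Acknowledged: map[string]bool{}}
}

type Finding struct {
	Check        string
	Detail       string
	Acknowledged bool // true when the owner consciously opted in to this weakening
}

// Audit compares a configuration against the secure baseline and reports every deviation.
func Audit(c Config) []Finding {
	checks := []struct {
		name   string
		failed bool
		detail string
	}{
		{"telnet", c.TelnetEnabled, "cleartext Telnet management is enabled"},
		{"upnp", c.UPnPEnabled, "UPnP can expose the device to the Internet without owner action"},
		{"remote-admin", c.RemoteAdminPort != 0, fmt.Sprintf("management port %d is reachable beyond the LAN", c.RemoteAdminPort)},
		{"tls", !c.TLSRequired, "cleartext traffic to the cloud service is permitted"},
		{"auto-update", !c.AutoUpdate, "security updates are not applied automatically"},
	}
	var out []Finding
	for _, ch := range checks {
		if ch.failed {
			out = append(out, Finding{Check: ch.name, Detail: ch.detail, Acknowledged: c.Acknowledged[ch.name]})
		}
	}
	return out
}

// Unacknowledged keeps only the deviations nobody took responsibility for; this is
// what belongs on the admin console (or blocks commissioning) until resolved.
func Unacknowledged(findings []Finding) []Finding {
	var out []Finding
	for _, f := range findings {
		if !f.Acknowledged {
			out = append(out, f)
		}
	}
	return out
}

var ErrNotAcknowledged = errors.New("exposing the management port requires explicit acknowledgement")

// ExposeRemoteAdmin is the only way to open the management port: the caller must
// state that they understand the consequence, and that choice is recorded for audits.
func ExposeRemoteAdmin(c *Config, port int, acknowledge bool) error {
	if !acknowledge {
		return ErrNotAcknowledged
	}
	if c.Acknowledged == nil {
		c.Acknowledged = map[string]bool{}
	}
	c.RemoteAdminPort = port
	c.Acknowledged["remote-admin"] = true
	return nil
}

func main() {
	fmt.Println("factory image findings:", len(Audit(InsecureFactoryConfig())))
	c := SecureDefaultConfig()
	fmt.Println("secure default findings:", len(Audit(c)))
	fmt.Println("open port without acknowledgement:", ExposeRemoteAdmin(&c, 8443, false))
	_ = ExposeRemoteAdmin(&c, 8443, true)
	fmt.Println("unacknowledged findings after conscious opt-in:", len(Unacknowledged(Audit(c))))
}
```

The audit still reports the opened port after the owner opts in; it only stops nagging about it. That keeps the full picture available to an administrator reviewing the fleet while distinguishing a deliberate exception from a device that was simply never hardened.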

4) Without lifecycle management, data accumulates

IoT devices generate a great deal of data, so how that data is created, used, stored and deleted matters as much as how it is protected. What happens if it falls into the wrong hands? Over time, connections between seemingly unrelated datasets emerge.

Researchers have already shown this: by applying analytics to public social media data alone, they can build a very accurate profile of a person, including political views, sexual orientation, family situation and real-time whereabouts.

IoT devices accumulate massive amounts of personal data, such as voice searches, GPS locations or heart rate readings. If that data is not managed and secured, the result is loss of privacy and disputes over who owns the data. Lifecycle management means collecting only what the service needs, defining how long each kind of data is kept, and deleting it when that period ends; data that no longer exists cannot leak.

Choose vendors that can be trusted with personal data. Use services that are GDPR compliant.

5) Secure devices that operate in hostile environments

IoT devices often operate without any human supervision. Such devices must be rugged and resistant to physical tampering, and able to raise an alert when they are under attack. Because an unattended device can be stolen and taken apart, it should hold only its own per-device keys, never a fleet-wide secret that would let one captured unit impersonate the rest. Administrators of IoT services need to be able to safely and automatically degrade and decommission devices that have failed or been compromised, including revoking their credentials so they can no longer talk to the service.