The Internet of Things (IoT) is ubiquitous, it's incredible, it's convenient. But with the proliferation of this technology comes an ever-increasing amount of risk exposure. Today, with multiple attack vectors at their disposal, cybercriminals have opportunities galore, coupled with ingenious tactics and methods. So, it should come as no surprise that unsecured IoT devices are susceptible to hacking.
According to a report compiled by F-Secure, attacks via IoT devices had increased by 300% in 2019 alone.
The world of IoT has grown exponentially, and according to Gartner, there will be 25 billion Internet-connected devices in place by 2021, a massive increase in the IoT attack surface.
Security Starts with Product Development
Why are there so many security issues surrounding IoT devices and what are the simple steps we can take to improve the security of these devices? I believe the answer to these questions lies within the various stages of product development.
There are many stages to a project and, depending on which methodology is followed (for example, waterfall, spiral or Agile), they may include requirements, analysis, design, coding, implementation, testing, deployment and maintenance. There are opportunities to enhance security at each stage of development.
So, how does a project contribute to protecting our home network and the broader networks we stumble across in cafes, airports, and society at large against the potential threat from unsecured IoT devices?
According to Networkworld.com, some of the steps needed to enhance IoT security are making sure that adequate security testing of the source code has taken place, that secure access controls have been implemented and that the right level of security standard is followed. Simple but often forgotten techniques, such as the segregation of networks, go a long way towards limiting risk.
I believe the responsibility for security lies within two distinct areas:
- Manufacturers: The manufacturers of IoT devices need to deliver convenience with safety built in at the heart of the project and follow the 'Secure by Design' methodology. That means ensuring that, before a product comes to market, the security testing described below has taken place against the application/firmware code.
- End users: Whether the consumer is a business or a domestic, at-home user, security precautions can't end with the manufacturer.
Security Testing of the Code
As you can imagine, the amount of code within an application or firmware can vary considerably, from just a few lines to many thousands of lines of code. As such, it is uneconomical and a considerable drain on staff resources to perform a hands-on manual code review across a code base of that size.
Manual testing involves code review, peer code review or pass-around. These techniques are the act of consciously and systematically convening with one's fellow programmers to check each other's code for mistakes, and they have been repeatedly shown to accelerate and streamline the process of software development.
The second pair of eyes is the requirement for two individuals to approve something before it can be actioned. This four-eyes principle is sometimes called the two-man rule or the two-person rule and fits in with the security practice of dual control.
Automated testing includes:
- Static Application Security Testing (SAST), also known as “white-box testing”, has been around for more than a decade. It allows developers to find security vulnerabilities in the application source code earlier in the software development life cycle.
- Dynamic Application Security Testing (DAST) is a black-box testing method that examines an application as it is running to find vulnerabilities that an attacker could exploit.
Automated testing also ensures that testing is carried out according to compliance requirements such as those set out by the National Institute of Standards and Technology (NIST), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).
Security scanning discovers vulnerabilities such as those listed in the OWASP IoT Top 10, including:
- Weak, easy to guess, or hardcoded passwords.
- Lack of secure update mechanism.
- Use of legacy components.
- Insufficient privacy protection.
It is worth noting that, historically, automated code reviews have been left out of projects because of cost, or simply haven’t been considered a requirement.
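To make the SAST item above concrete, here is a deliberately small static scan for the first OWASP IoT Top 10 entry (weak, guessable or hardcoded passwords), plus a check for plaintext remote-access services started from init scripts. This is an added example written for this article, not a tool the article or any vendor ships; the firmware files it scans are constructed samples, and the regex rules are a crude stand-in for what a real SAST engine does with parsing and data-flow analysis.

```python
"""Minimal SAST-style scan for hardcoded credentials in firmware sources.
Added example, not code from the article; the sample sources are constructed
and the rules are intentionally simple regexes over single lines."""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    text: str


# Detection rules.  A real SAST tool refines these with parsing and taint
# tracking; here each is a regex applied to one line at a time.
PATTERNS = {
    # NAME = "literal" / NAME: "literal" / #define NAME "literal" where NAME
    # looks like a secret (PASS, PASSWORD, SECRET, API_KEY, TOKEN ...)
    "hardcoded-credential": re.compile(
        r"(?i)(pass(word|wd)?|secret|api[_-]?key|token)\s*[=:\s]\s*[\"'][^\"']+[\"']"),
    # well-known factory/default credentials appearing as string literals
    "default-credential": re.compile(
        r"(?i)[\"'](admin|root|password|1234|12345678)[\"']"),
    # legacy plaintext remote-access daemons launched from init scripts
    "plaintext-service": re.compile(r"\b(telnetd|rlogind?|ftpd)\b"),
}

# A '#' line is a comment (shell, Python) unless it is a C preprocessor
# directive, which must still be scanned (#define PASSWORD "x" is a classic).
CPP_DIRECTIVE = re.compile(
    r"#\s*(include|define|undef|if|ifdef|ifndef|elif|else|endif|pragma)\b")


def is_comment(stripped: str) -> bool:
    if stripped.startswith(("//", "/*", "*")):
        return True
    return stripped.startswith("#") and not CPP_DIRECTIVE.match(stripped)


def scan_source(path: str, text: str) -> List[Finding]:
    """Scan one file's text line by line and return every rule hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if is_comment(stripped):
            continue
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, stripped))
    return findings


def scan_tree(sources: Dict[str, str]) -> List[Finding]:
    """Scan a {path: contents} mapping (build it with os.walk over a firmware tree)."""
    findings = []
    for path, text in sorted(sources.items()):
        findings.extend(scan_source(path, text))
    return findings


# Constructed sample firmware sources; they do not come from any real product.
SAMPLE_FIRMWARE = {
    "src/auth.c": (
        "#include <string.h>\n"
        "/* factory defaults, must be changed before release */\n"
        '#define DEFAULT_PASSWORD "1234"\n'
        'static const char *ADMIN_USER = "admin";\n'
        "int check_login(const char *u, const char *p) {\n"
        "    return strcmp(u, ADMIN_USER) == 0 && strcmp(p, DEFAULT_PASSWORD) == 0;\n"
        "}\n"
    ),
    "etc/init.sh": (
        "#!/bin/sh\n"
        "# bring up services\n"
        "telnetd -l /bin/sh &\n"
        'API_KEY="sk_live_CONSTRUCTED_EXAMPLE"\n'
    ),
}


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FIRMWARE):
        print(f"{f.path}:{f.line}: [{f.rule}] {f.text}")
```

Run against the constructed tree it reports five findings: the telnet daemon and the API key in the init script, and the default password (twice, once per rule) and default username in auth.c. The point of wiring this into a build is not the rule quality but the timing: the defect is surfaced while the firmware is still in the developer's hands rather than after it has shipped.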
Implementation of Secure Access Controls
“Device authentication and access control mechanism is also a major security issue in IoT. Authentication and access control problems in IoT are due to a large number of devices and machine to machine (M2M) communication nature of IoT.”
Traditionally, manufacturers of IoT devices have implemented proprietary protocols to suit the intended use of a particular device. Because of this, there is a lack of interoperability between device types and the many different types of connection gateways in use today.
Segregated networks ensure that a single device or set of devices remains isolated from other, unrelated networks. Segregation in a commercial environment is accomplished with the use of Virtual Local Area Networks (VLANs). It can be implemented, for example, on an enterprise network switch, assisted and strengthened by a set of firewall rules, ensuring the device can still be used for its intended purpose, but in a secure manner.
At home, you can still make use of segregated networks via a domestic VLAN-capable router. You connect your devices to the router in the usual way, via a network cable or Wi-Fi.
You should also take steps to split your home network into individual network segments. PC Magazine breaks the process down in 5 Basic Steps to Network Segmentation.
Create a set of firewall rules that govern which VLANs within the home network may talk to each other. At a basic level, you could have two or three separate virtual networks or VLANs:
- A guest network
- A private network
- An IoT network
The objective of segmentation is to prevent devices on one VLAN from communicating with devices on another VLAN, while still allowing limited access to the internet.
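The objective just stated is a property you can check rather than hope for. The following added example (written for this article, not taken from it or from any router vendor) models the three VLANs above on a hypothetical Linux-based router, expresses the forward-chain rules as data, evaluates them first-match the way nftables does, and renders the equivalent nftables ruleset. The interface names (lan0.10, lan0.20, lan0.30, wan0) and the single cross-VLAN exception (the private network may open connections to the IoT network, so you can control your devices) are assumptions; drop that rule if you want the segments fully isolated.

```python
"""Three-VLAN home segmentation (guest, private, IoT) modelled as nftables
forward-chain rules.  Added example, not from the article; interface names
and the private-to-IoT exception are assumptions for a hypothetical router."""
from typing import List, NamedTuple, Optional, Set, Tuple

# Assumed interface naming: VLAN sub-interfaces on the LAN port, one WAN port.
VLANS = {"guest": "lan0.10", "private": "lan0.20", "iot": "lan0.30"}
WAN = "wan0"


class Rule(NamedTuple):
    iif: Optional[str] = None             # ingress interface, None = any
    oif: Optional[str] = None             # egress interface, None = any
    ct_state: Optional[Set[str]] = None   # conntrack states matched, None = any
    action: str = "accept"

    def matches(self, iif: str, oif: str, state: str) -> bool:
        return ((self.iif is None or self.iif == iif)
                and (self.oif is None or self.oif == oif)
                and (self.ct_state is None or state in self.ct_state))

    def nft(self) -> str:
        """Render this rule in nftables syntax."""
        parts = []
        if self.ct_state:
            parts.append("ct state " + ",".join(sorted(self.ct_state)))
        if self.iif:
            parts.append(f'iifname "{self.iif}"')
        if self.oif:
            parts.append(f'oifname "{self.oif}"')
        parts.append(self.action)
        return " ".join(parts)


# Ordered forward-chain rules.  The chain policy is drop, so every flow not
# explicitly accepted here (all other VLAN-to-VLAN traffic, and anything new
# arriving from the WAN side) is blocked.
FORWARD_RULES = [
    Rule(ct_state={"established", "related"}),      # replies to flows we allowed
    Rule(ct_state={"invalid"}, action="drop"),
    Rule(iif=VLANS["guest"], oif=WAN),               # every segment reaches the internet
    Rule(iif=VLANS["private"], oif=WAN),
    Rule(iif=VLANS["iot"], oif=WAN),
    Rule(iif=VLANS["private"], oif=VLANS["iot"]),    # assumed exception: private controls IoT
]


def decide(iif: str, oif: str, state: str = "new") -> str:
    """First-match evaluation of a forwarded packet, as nftables performs it."""
    for rule in FORWARD_RULES:
        if rule.matches(iif, oif, state):
            return rule.action
    return "drop"  # chain policy


def render_ruleset() -> str:
    """Emit the equivalent nftables ruleset (loadable with `nft -f`)."""
    body = "\n".join(f"        {r.nft()}" for r in FORWARD_RULES)
    return ("table inet segmentation {\n"
            "    chain forward {\n"
            "        type filter hook forward priority 0; policy drop;\n"
            f"{body}\n"
            "    }\n"
            "}\n")


def cross_vlan_leaks() -> List[Tuple[str, str]]:
    """Segment pairs where the first may initiate connections to the second."""
    return [(s, d) for s in VLANS for d in VLANS
            if s != d and decide(VLANS[s], VLANS[d]) == "accept"]


if __name__ == "__main__":
    print(render_ruleset())
    print("cross-VLAN connections allowed:", cross_vlan_leaks())
```

The evaluator is what makes this more than a config template: after editing the rule list you can ask which segment pairs can still open connections to each other and confirm the answer is only the exception you intended, while a reply from an IoT device back to the private network is still accepted because it matches the established/related rule first.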
Use Encrypted Protocols
Encryption on IoT devices is often implemented less thoroughly and less securely than on computers. Some devices use encrypted communications in their initial configuration, but most use ordinary web protocols that send data across the Internet in plain text, which leaves them exposed to attackers who observe network traffic to identify weaknesses.
At the very least, all web traffic should be using HTTPS, transport layer security (TLS), Secure File Transfer Protocol (SFTP), DNS security extensions, and other security protocols for communications with management stations and across the Internet. In addition, devices that connect to mobile apps or other remote gateways should use encrypted protocols as well as encrypt data stored on flash drives.
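"Use TLS" is necessary but not sufficient: a device or companion app that negotiates TLS yet accepts any certificate is encrypted only until someone sits in the path. The added example below (written for this article, not from it) shows the client-side context a device agent or mobile app should use, the context that many actually ship with, and a small audit function that tells the two apart. The optional ca_file argument, for pinning a vendor CA bundle, is an assumed parameter.

```python
"""Client-side TLS hardening check for an IoT companion app or device agent.
Added example, not from the article.  audit_tls() flags the settings that turn
"encrypted" into "encrypted but unverified": no certificate verification, no
hostname check, or a minimum version below TLS 1.2."""
import ssl
from typing import List, Optional


def device_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Context a device or app should use to reach its cloud or gateway endpoint.
    ca_file (assumed parameter): optional PEM bundle pinning the vendor CA;
    when omitted the system trust store is used."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no TLS 1.0/1.1 fallback
    ctx.check_hostname = True                      # name in cert must match server
    ctx.verify_mode = ssl.CERT_REQUIRED            # unverifiable cert = no connection
    return ctx


def insecure_context() -> ssl.SSLContext:
    """What many firmware and mobile clients actually ship: TLS on the wire,
    but any certificate is accepted, so an on-path attacker can terminate it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in a client SSLContext (empty list = ok)."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("server certificate not verified")
    if not ctx.check_hostname:
        issues.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("allows TLS older than 1.2")
    return issues


if __name__ == "__main__":
    for name, ctx in (("hardened", device_client_context()),
                      ("insecure", insecure_context())):
        print(name, audit_tls(ctx) or ["ok"])
```

In use, the hardened context wraps the socket with ctx.wrap_socket(sock, server_hostname=host) so the hostname check has something to compare against; the same three properties (verification on, hostname checked, TLS 1.2 or newer) are what to look for when reviewing a device's firmware or app, whatever language it is written in.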
As users of IoT, we all have a responsibility to read the manual, to change the default password, and to switch off functionality that we have no intention of using. Doing those things will help stop breaches or invasions of privacy made possible by web-connected devices, e.g. the ability for an unknown caller to drop in and eavesdrop on conversations within our homes.
Domestic IoT has to be user friendly and easy to set up, and at the same time protect against all malicious inbound traffic. We want plug and play, yes, but also a good standard of security, protected from any of those nasties that exist out on the internet.
Before I buy my next IoT device or solution, I want to make sure it is secure by design. It isn’t always possible in some cases, especially if the product is of the legacy kind, plus the price is usually a driving factor for me.
However, it isn’t just the cost; it’s whether the device has adequate security features as standard. If it is natively secure, this would potentially negate the requirement to segregate my home network, though that would mean ignoring the layered security approach, of course.
Some of the things you should consider from a consumer perspective: are you purchasing a well-known, trusted product? Are there better versions available? What standards of security are built in? A good source of information on these points is Trend Micro’s “What to consider when buying a smart device”.
There is a glimmer of hope on the horizon in the form of a new regulation from the National Institute of Standards and Technology (NIST) aimed at IoT security. In January 2020, NIST published its second draft report “Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline,” which replaced the initial draft “Core Cybersecurity Feature Baseline for Securable IoT Devices.” Both publications build upon NIST’s “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks,” published in June 2019.
Rather than a set of rules to follow, it presents a baseline offering valuable guidance to promote best practices for mitigating IoT security risks.
The world of IoT products is extensive and can seem overwhelming at times, especially when you are trying to buy wisely. However, you can narrow the scope by asking yourself these things and applying the following criteria to your search:
- Where are you going to use the device?
- What features are you looking for?
- What is your budget?
- Is it a well-known and trusted make or product, and do friends and family recommend it?
Finally, ensure it is secure by design and close any doors that could be open to cyberattacks.
- Internet of Things Security, Device Authentication and Access Control: A Review. International Journal of Computer Science and Information Security (IJCSIS), (2016).
- Foundational Cybersecurity Activities for IoT Device Manufacturers. NISTIR 8259, (2020).