As a child, I dreamed of a world where cars drove themselves, TVs could be turned on and off with a spoken word, and the Star Trek tricorder was a reality. I don’t know how many times we headed off on vacation and had to turn around because we couldn’t remember if we had locked the doors, turned off the coffee pot, or closed the garage, all the while wishing we could take care of these things remotely. Today, thanks to the Internet of Things (IoT), I see my dreams and wishes coming true daily. Using my mobile phone and various IoT devices, today, I can track my steps, manage my health, automatically upload metrics and data from home monitoring devices, control my lights, turn off the coffee, lock the doors, and see who is ringing my doorbell. Although, as with all things internet, along with the magic and convenience of IoT devices and applications comes responsibility for ensuring privacy and security.
IoT devices comprise a variety of smartphones, tablets, sensors, and smart controllers; it is estimated that there will be 20-50 billion of them by 2020. But while a wide variety of tools and best practices exist to ensure cyber security, to date, there is little regulation within the hardware industry that produces the sensors and smart controllers for IoT devices, or for the devices themselves. For example, many devices are shipped with a single default ID and password, making it easy for someone to seize control of the device and hack into its information or network. Others use HTTP instead of HTTPS to manage firmware updates, and ship with services such as telnet or SSH enabled.
Breaches of IoT devices have been in the news quite a bit recently, with the most highly publicized occurring when a multitude of IoT devices were simultaneously hacked and used to orchestrate a distributed denial of service (DDOS) attack – an attack that ultimately brought several major internet sites to their knees. And, who can forget instances of Amazon Echo “accidentally” ordering doll houses, a mistake that easily could have been avoided if users had disabled automatic purchases or taught Alexa to better recognize their voices. To combat such activities, reputable manufacturers within the IoT hardware industry must join together to develop and deploy best practices to assure the privacy and security of their products – especially as IoT continues to evolve and further permeate our lives.
Hardware manufacturers delving into the IoT space can help protect the security of their users’ information by taking the following steps:
- Stay up-to-date on what’s new and changing in the IoT space, especially in the area of security. Seminars and training courses offered by industry professional organizations are a great place to start. And don’t forget to read, read, read as means for keeping up with IoT news and evolving best practices.
- Remind users through setup instructions and other documentation to reset the device’s default password to a unique, strong password and, if possible, support and enable two-factor authentication.
- Ensure your device includes visual indicators when sensors are active. This will allow the consumer to monitor the device for activity, and pick up on suspect activity when they are not actively using an IoT device.
- Make it harder for a hacker to gain access to the IoT device. Provide a unique default ID and password for each device, rather than shipping with the same default ID and password across all devices.
- Use secure network protocols for all updates and communications, including firmware updates. Allowing updates and communication over an open network is a standing invitation for hackers to attempt them to gain control of the device.
- Use communications protocols that are easily detected by enterprise threat-detection products and security monitors. The use of a custom communication protocol makes it much harder for threat-detection and security monitors to identify illegal activity.
- Allow for device tampering detection to alert the consumer any time there is an unauthorized attempt to modify the device firmware or software.
Software vendors play a key role in providing the management console for IoT devices, and are responsible for ensuring the security of the software systems they distribute. Aside from following best practices, such as following OWASP recommendations for web and mobile applications, software vendors should also:
- Steer clear of introducing backdoors, debug mode, and other diagnostic telemetry that could potentially be exploited once the software reaches production.
- Avoid unnecessary data collection that could entice an attacker to intercept it.
- Continue to provide support and security updates throughout the effective life of the product, thus avoiding the creation of abandonware.
- Notify end users once the device is no longer supported.
- Arrange for independent 3rd-party auditing of the product software on a regular basis.
- Provide a mechanism for independent white-hat hackers that discover issues in the wild to discreetly disclose them to the software vendor.
- Guarantee that software updates are verified with hardware support to ensure that updates come from a legitimate source.
- Encrypt data while in transit and at rest. This renders any information the hacker could gain access to unusable.
- Configure default settings to deliver the most secure system and allow the consumer to relax the settings at their own peril, rather than putting the burden on them to increase system security.
There are also steps individual consumers can take to help protect their personal information, including:
- Know and understand each IoT device before you purchase it. Make certain that you understand what the device does, what data it collects, and what the manufacturer plans to do with the device data (i.e. READ the terms of service).
- Purchase only IoT devices that are designed to be resistant to security breaches. These devices address the physical security of the device, encrypt data in transit between the device and the cloud, and employ privacy and security best practices within the application controlling the IoT device or product.
- Verify the IoT device encrypts local storage so that data is unreadable and, thus, unusable to a hacker.
- Increase your home network protocol security to prevent access to your personal network via your smart home devices.
- Make sure you change the default password of your IoT devices, and that you use a complex, unique password for each device.
- Keep your IoT applications and device firmware updated – use automatic update if possible.
- Restart your IoT devices and applications on a regular basis.
- Be careful what you bring into your secure network. Consider the source and legitimacy of the websites you visit and the emails you open.
- Install and update a virus scanner as an additional line of defense, and use strong security when using wifi.
Who is responsible for the privacy and security of the IoT? Ultimately, it demands a joint effort by the hardware manufacturer, the software vendor, and the consumer. Each need to take their part in ensuring that the magic of the IoT continues to grow and expand beyond our wildest dreams by embracing all things security, thus protecting the integrity of the internet and the consumer’s personal information.
Beth Hurter, CSPO, is a Solutions Director with PointClear Solutions and its affiliate organization Worry Free Labs. Research support provided by Scott Williams, Software Architect, PointClear