In recent years, there are more & more IoT devices being introduced in the business environments and households. Personally, I am running a real-time environment monitoring platform on the Data Science / Computer Lab in Hong Kong. With the data produced by IoT devices, it has to be transmitted, processed and then stored in somewhere including personal data like finger-print, face recognized, etc. However, it is one of the biggest security challenges quite difficult to handle with both the number of devices and the varieties of IoT devices.
In this article, there are 2 main sessions to discuss about the IoT Security:
- Security Challenges – listed the major security challenges
- IoT Network Security – shared the best practice on IoT security
There are mainly 2 major security concerns and they are:
- Data Privacy
- Botnets
- Data Privacy
IoT devices can use hardware-based trust anchors, also known as “roots of trust”, which utilize a trusted boot process to ensure devices operate in a known secured state and their contents remain private. It is important to note that IoT security solutions need to implement the functional blocks as interconnected modules, not isolation, to meet the IoT scale, data security, device trust and compliance requirements. The protection recommendations are available in another session – IoT Network Security..
- Botnets
Internet of Things (IoT) devices can be at risk from botnets (also referred to as “thingbots.”) A botnet is a privately-harnessed group of systems controlled via malware (which has previously infested a device). Botnets are often utilized to mount distributed denial of service (DDOS) attacks intended to incapacitate or cripple target systems, for purposes of revenge, extortion and calculated disruption.
One such example is known as the Mirai botnet, which launched large DDoS attacks since 2017 on Imperva, KrebsOnSecurity and Dyn (which affected Twitter, Spotify and other sites). Mirai source code was leaked publicly and Imperva researchers analyzed it to understand Mirai better. One of the results of the research was the development of a scanner that can check whether devices on a network are infected by or vulnerable to Mirai malware.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IoT Network Security
There are a number of vital steps to be carried before introducing any devices into your network.
- Understand your endpoints
Every single IoT device is needed to identified and profiled. There are several points to be addressed:
- Manufacturers
- Open Sources VS Proprietary Operating Systems
- Connection Method to Other Devices or Nodes
- Computing Power / Storage / Network Throughput
- Monitor & Manage your devices
First of all, it is essential to have a full stock list of devices connecting to the network. It is better to have some scanning tool to discover it rather than manual management. When doing security consultation, I have helped one of our client to find a smart TV outside their office connecting to the Wifi network to download movies illegally.
- Disconnect from the Unnecessary Connection
There are lots of different applications of IoT devices. If it is not necessary to connect to any external parties, it is better to have an isolated network for minimizing the chance of attacks. However, if it is needed to connect to any party outside the network such as Internet / Cloud, it is better to have firewall protected with releasing the service port(s) or only allowed to connect via VPN or a fixed IP address.
- Secured Connection
IoT on-chip memories can protect data from being accessed or stolen by utilizing cryptography to encrypt or decrypt information. Communication between IoT devices and other systems should be secured via encrypted links using protocols such as TLS (Transport Layer Security), which is commonly used with web browsers such as when conducting financial transactions. TLS can prohibit “man in the middle” attacks whereby data in transit is captured and analyzed for confidential material. Moreover, it is important to make sure the encryption package should be the most updated one.
- Change default passwords and credentials
While this advice may seem like common sense to many IT professionals, it’s important to note that some IoT devices have vendor-supplied default passwords — used to initially configure the devices — that are difficult to change, or cannot be changed. So, it is important to review every single device before connecting it to the corporate network.
- Understand the data
Understanding the way an IoT device interacts with data is crucial to securing it. IoT device use of nonpublic personal information (NPPI) or personal identifiable information (PHI) including finger-print scanner, camera, wearables, etc. It is important to protect these devices with extremely high data privacy concerns.
- Identity and Authentication
Authentication helps an organization better understand how the user is accessing the device. Even there are a number of IoT devices allowing 1 user account connecting to multiple devices, it is not really recommended 1 single user account sharing for all devices. In order to reduce the chance of abuse, it is better to have separated user accounts. If it is possible, it is better to have 2 factor authentications like certificate files (TLS) and user authentication.
- Define Security Policies
The details of an IoT policy may vary among different industries and organizations. However, there are some common considerations to address:
- What IoT devices should be allowed to access a given network and what controls should be put on that access?
- How should network and resource access be prioritized among various IoT devices and systems?
- How can IoT infrastructure development be most effectively fostered?
- How can standardization and interoperability of devices be mandated?
- What legislation should be created to prevent format wars?
- What types of measures need to be in place to protect an enterprise across the entirety of its IoT attack surface?
Conclusion
New vulnerabilities are constantly being discovered, which means that it is a continuous journey to improve and refine the security policies.
Samuel Sum
Data Science Evangelist (CDS, SDi)
Vice President (AS)