The Internet of Things (IoT) refers to the growing network of small, low-powered devices such as sensors and controllers that are connected to the internet, allowing them to send and receive data and be remotely controlled.
While IoT devices offer many benefits, they also introduce new security risks, as these devices may be vulnerable to hacking and other cyber threats.
Different Kinds Of IoT Devices
Before we dive into the actions you can take to secure your IoT devices, let’s talk about the two different types of IoT devices.
One-Way Communication Devices
A one-way IoT (Internet of Things) communication device is a device that is capable of transmitting data over a network but cannot receive data. These devices are typically used in applications where data needs to be collected from a remote location and transmitted to a central server for analysis or storage, but where there is no need for the device to receive instructions or updates from the server.
One-way IoT communication devices are often used in applications such as environmental monitoring, where sensors are placed in remote locations to collect data on factors such as temperature, humidity, air quality, and soil moisture.
One-way IoT communication devices can use a variety of technologies to transmit data, including cellular networks, satellite links, and long-range wireless technologies. These devices are typically low-power and battery-powered and are designed to operate in challenging environments with limited connectivity.
Two-Way Communication Devices
Two-way IoT devices, unlike one-way devices, are capable of both transmitting and receiving data over a network.
Two-way devices are more robust because of their interactivity: they allow for the exchange of data in real-time or near-real-time. These more advanced devices, sensors, and systems can be controlled and configured remotely, and there is a possibility of significant data storage on these products.
They are often used in applications such as remote control and automation, where the device can receive commands from a central server or controller, and act on those commands by performing a specific action or transmitting data back to the server.
For example, a two-way IoT communication device could be used to remotely control the temperature of a thermostat or to receive instructions to open or close a valve in an industrial process.
Securing IoT In Layers
As in all things around cybersecurity, you should aim to apply security controls in a layered way in IoT as well. The main layers to which you should give special focus are:
- Physical Layer
- Operating System Layer
- Communication Layer
- Application Layer
Physical Layer
- Ensure that physical access does not allow theft or intrusion
- Any interface used for administration or test purposes during development should be removed from a production device, disabled, or made physically inaccessible.
- If a production device must have an administration port, ensure it has effective access controls, e.g. strong credential management, restricted ports, secure protocols, etc.
- Provide secure protective casing and mounting options for the deployment of devices in exposed locations.
Operating System Layer
- When possible, generate unique usernames and passwords, and do not use default credentials
- Update passwords regularly and do not use devices with hard-coded passwords
- Monitor user authentication and authorization to ensure proper access control, and be sure to log both successful and failed attempts to access the device
- Shut down unnecessary device capabilities (e.g. camera, microphone) to limit potential areas of exposure
- Ensure the device supports encryption of sensitive data at rest and application layer security
- Leverage firmware and software that can be updated regularly to reduce vulnerabilities
- Implement secure booting to ensure only verified software can be used on the device
- Avoid the use of public/static IP addresses when possible
- Receive only software updates from a verified source in a secure manner
- Implement a trusted anti-rollback function, to prevent unauthorized reversion to earlier software versions with known security vulnerabilities.
Communication Layer
- Implement a site-to-site VPN solution to allow for encrypted data transmission to limit exposure to the public Internet
- Implement a data signing solution to ensure the authenticity and integrity of transmitted data
- Ensure continuous data traffic monitoring for anomaly/event detection
- Implement alerting tools for automatic fraud prevention
- Activate only those network interfaces that are required (wired, wireless, Bluetooth, etc.)
- Run only the necessary services over the network.
- Authenticate every incoming connection to ensure it comes from a legitimate source.
- Authenticate the destination before sending sensitive data.
Application Layer
- Implement code analysis tools to automatically inspect application source code and identify vulnerabilities prior to pushing to production
- Adopt a mindset of “Security by Design” into the SDLC
- Ensure timely, automated application updates to protect against evolving security risks and new virus attacks
- Use key exchange tools to enable secure updating of IoT application security keys
- Leverage certificate enrollment tools to assign each IoT device with a unique identifier, which must be verified before accessing networks and systems
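As an added example (not from the original article), the sketch below shows one way to combine several of the controls listed above: each device tags its readings with HMAC-SHA256 under a per-device key, and the server authenticates every incoming message, rejects replayed counters, and logs both successful and failed attempts. The device IDs, key, field names and the `Verifier` class are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real key is unique per device and provisioned at enrollment.
DEVICE_KEYS = {"sensor-001": b"constructed-demo-key-sensor-001!"}

def sign_reading(device_id, key, counter, payload):
    """Device side: serialize the reading canonically and tag it with HMAC-SHA256."""
    body = json.dumps({"device_id": device_id, "counter": counter, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class Verifier:
    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted per device
        self.audit_log = []     # successful and failed attempts are both recorded

    def verify(self, message):
        result, device_id = self._check(message)
        self.audit_log.append((device_id, result))
        return result

    def _check(self, message):
        try:
            body = message["body"].encode()
            fields = json.loads(body)
            device_id, counter = fields["device_id"], int(fields["counter"])
            tag = bytes.fromhex(message["tag"])
            key = self.keys.get(device_id)
        except (AttributeError, KeyError, TypeError, ValueError):
            return "malformed", None
        if key is None:
            return "unknown-device", device_id
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return "bad-signature", device_id
        if counter <= self.last_counter.get(device_id, -1):
            return "replay", device_id
        self.last_counter[device_id] = counter
        return "ok", device_id

def demo():
    # All four messages are constructed: valid, replayed, tampered, unenrolled device.
    key = DEVICE_KEYS["sensor-001"]
    server = Verifier(DEVICE_KEYS)
    good = sign_reading("sensor-001", key, 1, {"temp_c": 21.5})
    tampered = dict(good, body=good["body"].replace("21.5", "99.9"))
    rogue = sign_reading("sensor-999", key, 1, {"temp_c": 21.5})
    return [server.verify(m) for m in (good, good, tampered, rogue)]
```

The counter only advances after the tag has been verified, so a forged message cannot be used to push a device's counter forward and lock out its genuine readings.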
Recent Security Incidents Involving IoT
There have been many recent security incidents involving IoT (Internet of Things) devices, as these devices often have weak security measures and can be easily hacked or compromised.
Here are some examples of recent security incidents involving IoT devices:
- In January 2017, a security researcher discovered that many smart locks made by the manufacturer LockState could be remotely hacked, allowing attackers to unlock the doors without the owner’s permission.
- In March 2017, it was reported that a number of internet-connected baby monitors made by the manufacturer iBaby were vulnerable to hacking, allowing attackers to access the live video feed and even talk to the baby through the device’s built-in speaker.
- In April 2017, a security researcher discovered that many internet-connected doorbells made by the manufacturer Ring were vulnerable to hacking, allowing attackers to access the live video feed and even talk to the occupants of the home.
- In May 2017, the cybersecurity firm Symantec reported that a new strain of malware called “Mirai” was targeting IoT devices, such as routers, DVRs, and security cameras. The malware was able to infect the devices and use them to launch large-scale DDoS attacks.
These incidents highlight the need for improved security measures in IoT devices, to protect against cyber attacks and protect the privacy and safety of users.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other certifications, he holds CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.