IoT - Internet of things
As consumers buy more smart watches, activity trackers, holographic headsets,
and other Internet of Things (IoT) devices, the need for improved security on
these devices will become more pressing. Online criminals could exploit these
new devices to conduct data breaches, corporate or government espionage, and
damage critical infrastructure like electrical grids.
- Don’t connect your devices unless you need to. The first step is to consider what functionality you need from the device. Just because your TV or fridge can connect to the internet, doesn’t mean you definitely want to hook it up. Take a good look at the features it offers and learn exactly what internet connectivity brings before you connect.
- Create a separate network. Many Wi-Fi routers support guest networking so that visitors can connect to your network without gaining access to shared files or networked devices. This kind of separation also works well for IoT devices that have questionable security.
- Pick good passwords and a different password for every device. It’s very important to pick strong passwords, but you must also make sure that you pick a different password for every device. If a hacker manages to get one of your passwords, they will typically try it with other services and devices. Reusing passwords is not a good idea. Use a password manager to keep track of all your passwords.
- Turn off Universal Plug and Play (UPnP). Sadly, UPnP can make routers, printers, cameras and other devices vulnerable to attack. It’s designed to make it easier to network devices without configuration by helping them automatically discover each other. The problem is that hackers can also potentially discover them from beyond your local network because of vulnerabilities in the UPnP protocol. It’s best to turn UPnP off completely.
- Make sure you have the latest firmware. If you want to make sure you have the latest security patches and reduce the chances of a successful attack, then you need to keep your firmware fully updated. Vulnerabilities and exploits will be fixed as they emerge, so your IoT devices and your router need to be regularly updated. Automate this wherever possible or set a schedule to check for updates every three months or so.
- Be wary of cloud services. A lot of IoT devices rely on cloud services, but the requirement for an internet connection in order for something to function can be a real problem. Not only will it not work when the network is down, but it may also be syncing sensitive data or offering another potential route into your home. Make sure you read up on the provider’s privacy policy and look for reassurances about encryption and data protection.
- Keep personal devices out of the workplace. Don’t take your personal IoT devices to work. There are lots of potential security concerns for wearables. Every enterprise should have a clear BYOD policy, and it’s often a good idea to prohibit personal IoT devices from connecting to the network, or at least limit them to a guest network.
- Track and assess devices. Businesses need to track everything connected to the network and monitor the flow of traffic. Devices need to be assessed to determine the level of access they should have, to keep them fully patched and up to date, and to protect data end-to-end to preserve its integrity. Unknown devices should flag an alert. Understanding which devices are connected and what they’re doing is a prerequisite for proper security.
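The "separate network" and "unknown devices should flag an alert" advice above can be checked together by comparing what the router has handed out against an inventory. The following is an added example, not part of the original article; the inventory, MAC addresses, subnets and lease lines are constructed, and the lease text is assumed to follow the dnsmasq lease-file layout.

```python
import ipaddress

# Constructed inventory: MAC -> (label, subnet the device is allowed on).
INVENTORY = {
    "02:00:00:00:00:01": ("office-laptop", "192.168.1.0/24"),
    "02:00:00:00:00:02": ("smart-tv", "192.168.50.0/24"),    # guest/IoT network
    "02:00:00:00:00:03": ("thermostat", "192.168.50.0/24"),
}

# Constructed sample, one lease per line:
# <expiry-epoch> <mac> <ip> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1767225600 02:00:00:00:00:01 192.168.1.20 office-laptop *
1767225600 02:00:00:00:00:02 192.168.1.31 smart-tv *
1767225600 02:00:00:00:00:03 192.168.50.12 thermostat *
1767225600 02:00:00:00:00:04 192.168.50.40 * *
not a lease line
"""

def parse_leases(text):
    """Yield (mac, ip, hostname) for each well-formed lease line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            ip = ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # skip malformed lines instead of aborting the audit
        yield parts[1].lower(), ip, parts[3]

def audit(lease_text, inventory):
    """Return sorted alerts as (kind, mac, ip) tuples."""
    alerts = []
    for mac, ip, _host in parse_leases(lease_text):
        entry = inventory.get(mac)
        if entry is None:
            alerts.append(("UNKNOWN_DEVICE", mac, str(ip)))
        elif ip not in ipaddress.ip_network(entry[1]):
            # Known device, but not on the network it was assigned to.
            alerts.append(("WRONG_SEGMENT", mac, str(ip)))
    return sorted(alerts)

if __name__ == "__main__":
    for kind, mac, ip in audit(SAMPLE_LEASES, INVENTORY):
        print(f"ALERT {kind}: {mac} at {ip}")
```

DHCP leases only list devices that requested an address, so statically configured devices need a second source such as the router's ARP table. A MAC address can also be changed by the device, so treat a match as a hint rather than proof of identity.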
For Smart T.V. Security
- If your smart TV runs on the Android platform, go to the Google Play
store and download any of the security apps designed to protect your Android
smart phone.
- If your Wi-Fi router allows you to create multiple accounts, set up a
guest account for your TV. This way it is not on the same network as the PC
and laptop where you do all of your sensitive stuff.
- Make sure that "firmware" -- permanent software built into a computing
device's read-only memory -- is up to date when you first use the TV and set
it to automatically accept future firmware updates as they become available.
- Be careful when installing new applications because they could be hiding
malware. Your best bet: Avoid apps from unknown sources and non-official
locations.
- Limit what you do online via that television. Even though these TVs make
it easy to get online, don't use them to do anything that involves account
numbers, PINs, passwords or other sensitive information.
- Don’t do any kind of financial transaction through your TV; it is a really
bad idea.
The top 10 internet of things vulnerabilities
Insecure Web interface
Overview: An attacker uses weak credentials, captures plain-text credentials
or enumerates accounts to access the web interface.
How Do I Make My Web Interface Secure?
- Default passwords and ideally default usernames to be changed during initial
setup.
- Ensuring password recovery mechanisms are robust and do not supply an
attacker with information indicating a valid account.
- Ensuring web interface is not susceptible to XSS, SQLi or CSRF.
- Ensuring credentials are not exposed in internal or external network traffic.
- Ensuring weak passwords are not allowed.
- Ensuring account lockout after 3-5 failed login attempts.
Insufficient authentication or authorization
Overview: An attacker uses weak passwords, insecure password recovery
mechanisms, poorly protected credentials or lack of granular access control to
access a particular interface.
How Do I Make My Authentication/Authorization Better?
Sufficient authentication/authorization requires:
- Ensuring that strong passwords are required.
- Ensuring granular access control is in place when necessary.
- Ensuring credentials are properly protected.
- Implement two factor authentication where possible.
- Ensuring that password recovery mechanisms are secure.
- Ensuring re-authentication is required for sensitive features.
- Ensuring options are available for configuring password controls.
Insecure network services
Overview: An attacker uses vulnerable network services to attack the device
itself or bounce attacks off the device.
How Do I Secure My Network Services?
- Ensuring only necessary ports are exposed and available.
- Ensuring services are not vulnerable to buffer overflow and fuzzing attacks.
- Ensuring services are not vulnerable to DoS attacks which can affect the
device itself or other devices and/or users on the local network or other
networks.
- Ensuring network ports or services are not exposed to the internet via UPnP
for example.
Lack of transport encryption
Overview: An attacker uses the lack of transport encryption to view data
being passed over the network.
How Do I Use Transport Encryption?
- Ensuring data is encrypted using protocols such as SSL and TLS while
transiting networks.
- Ensuring other industry standard encryption techniques are utilized to
protect data during transport if SSL or TLS are not available.
- Ensuring only accepted encryption standards are used and avoid using
proprietary encryption protocols.
Privacy concerns
Overview: An attacker uses multiple vectors such as insufficient
authentication, lack of transport encryption or insecure network services to
view personal data which is not being properly protected or is being collected
unnecessarily.
How Do I Prevent Privacy Concerns?
- Ensuring only data critical to the functionality of the device is
collected.
- Ensuring that any data collected is of a less sensitive nature (i.e., try not
to collect sensitive data).
- Ensuring that any data collected is de-identified or anonymized.
- Ensuring any data collected is properly protected with encryption.
- Ensuring the device and all of its components properly protect personal
information.
- Ensuring only authorized individuals have access to collected personal
information.
- Ensuring that retention limits are set for collected data.
- Ensuring that end-users are provided with "Notice and Choice" if data
collected is more than what would be expected from the product.
Insecure cloud interface
Overview: An attacker uses multiple vectors such as insufficient
authentication, lack of transport encryption and account enumeration to access
data or controls via the cloud website.
How Do I Secure My Cloud Interface?
- Default passwords and ideally default usernames to be changed during
initial setup.
- Ensuring user accounts cannot be enumerated using functionality such as
password reset mechanisms.
- Ensuring account lockout after 3-5 failed login attempts.
- Ensuring the cloud-based web interface is not susceptible to XSS, SQLi or
CSRF.
- Ensuring credentials are not exposed over the internet.
- Implement two factor authentication if possible.
Insecure mobile interface
Overview: An attacker uses multiple vectors such as insufficient
authentication, lack of transport encryption and account enumeration to access
data or controls via the mobile interface.
How Do I Secure My Mobile Interface?
- Default passwords and ideally default usernames to be changed during
initial setup.
- Ensuring user accounts cannot be enumerated using functionality such as
password reset mechanisms.
- Ensuring account lockout after 3-5 failed login attempts.
- Ensuring credentials are not exposed while connected to wireless networks.
- Implementing two factor authentication if possible.
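The lockout and account-enumeration items that recur in the web, cloud and mobile interface lists above can be handled by one login check. The following is an added example, not code from the original article; the class name LoginGate, the 15-minute lockout window and the PBKDF2 parameters are assumptions, and the threshold of 5 is the upper end of the 3-5 range given above.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # upper end of the 3-5 attempts the checklist gives
LOCKOUT_SECONDS = 900   # assumption: 15-minute lockout window
GENERIC_ERROR = "Invalid username or password."

def _hash(password, salt):
    # Salted, slow hash so stored credentials are not kept in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGate:
    """Hypothetical login check: lockout plus one response for every failure."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}      # username -> (salt, password hash)
        self._failures = {}   # username -> (failed count, locked-until time)
        # Dummy record so unknown usernames cost the same hashing work.
        self._dummy = (os.urandom(16), os.urandom(32))

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def login(self, username, password):
        """Return (ok, message); the message never says why a login failed."""
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        salt, stored = self._users.get(username, self._dummy)
        # Always hash, even for locked or unknown accounts, for uniform timing.
        matches = hmac.compare_digest(_hash(password, salt), stored)
        if now < locked_until:
            return False, GENERIC_ERROR          # locked: same answer as a bad password
        if matches and username in self._users:
            self._failures.pop(username, None)   # success clears the counter
            return True, "OK"
        if username in self._users:              # count failures only for real accounts
            count += 1
            locked = count >= MAX_FAILURES
            self._failures[username] = (0, now + LOCKOUT_SECONDS) if locked else (count, 0.0)
        return False, GENERIC_ERROR
```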
Insufficient security configuration
Overview: An attacker uses the lack of granular permissions to access data or
controls on the device. The attacker could also use the lack of encryption
options and lack of password options to perform other attacks which lead to
compromise of the device and/or data.
How Do I Improve My Security Configurability?
- Ensuring the ability to separate normal users from administrative users.
- Ensuring the ability to encrypt data at rest or in transit.
- Ensuring the ability to force strong password policies.
- Ensuring the ability to enable logging of security events.
- Ensuring the ability to notify end users of security events.
Insecure software or firmware
Overview: An attacker uses multiple vectors, such as capturing update files
sent over unencrypted connections, exploiting an update file that is itself not
encrypted, or performing their own malicious update via DNS hijacking.
How Do I Secure My Software/Firmware?
- Ensuring the device has the ability to update (very important).
- Ensuring the update file is encrypted using accepted encryption methods.
- Ensuring the update file is transmitted via an encrypted connection.
- Ensuring the update file does not expose sensitive data.
- Ensuring the update is signed and verified before allowing the update to be
uploaded and applied.
- Ensuring the update server is secure.
Poor physical security
Overview: Attacker uses vectors such as USB ports, SD cards or other storage
means to access the Operating System and potentially any data stored on the
device.
How Do I Physically Secure My Device?
- Ensuring data storage medium cannot be easily removed.
- Ensuring stored data is encrypted at rest.
- Ensuring USB ports or other external ports cannot be used to maliciously
access the device.
- Ensuring device cannot be easily disassembled.
- Ensuring only the external ports, such as USB, that are required for the
product to function are present.
- Ensuring the product has the ability to limit administrative capabilities.