Here is the fifth part of the blog series on the Internet of Things, following its fourth part on “IoT: What the Bad Guys Could Do with Your Hacked Devices”. This part explains why protecting an IoT device is difficult and lists a few security steps that reduce the risk at the user’s end.
Unfortunately, much is still unclear, and therefore not streamlined, when it comes to IoT security. Currently there are no proven security standards for IoT, unlike sectors such as health, finance and information technology, which have dedicated security standards.
As a world-class security company, our mission is not only to protect people but also to create awareness about cyber security hazards associated with using state-of-the-art technology.
Interestingly, a report from the U.S. Federal Trade Commission documents the security principles a manufacturer should follow when building an IoT device. The important ones are:
- Security by design
- Data minimization
- Notice and choice for unexpected uses
We would like to provide some additional detail. We recommend the following steps to vendors who manufacture IoT devices:
- Ensure that the appliance firmware is safe and secure by design and by implementation, following known security standards, so that it is free of vulnerabilities.
- Ensure that the application developed to communicate with the appliance is safe and secure by design and by implementation.
- Always follow data security standards when storing and transmitting information. This applies to the information stored on the appliance, the information stored in the application, and the information transmitted between appliance and application in either direction. Storing the data in an encrypted format is preferable.
- Incorporate third-party security auditors to assess the appliance and the IoT application.
- If any security vulnerability in the appliance or application is disclosed, immediately notify the users about it and publish an update or patch as soon as possible.
As an IoT consumer, by following these simple steps, you can be better protected from the possible dangers:
- In your purchasing decision, go by necessity rather than by features. If you do not need to control your appliance remotely, think twice before opting for a remotely-controlled IoT device. What is the use of controlling your refrigerator remotely if you seldom use this feature? At the very least, disable the IoT feature if it is not required.
- Ask the vendor about the security features available in the appliance, the nature of the information the appliance stores or transmits, and how that information is stored and transmitted.
- Ask the vendor about the security features of the application that controls the appliance, the nature of the information the application stores or transmits, and how that information is stored and transmitted.
- Make sure that the mobile device that controls the appliance is secure and is running the required security applications.
- Always use strong passwords for authentication on both the appliance and the application.
- Never share appliance passwords, application passwords, or the mobile device that controls these appliances with anyone.
- Update the application, the appliance firmware and the mobile device whenever an update is available for any of them. Enable the automatic update feature where it is available.
- Install and update the security suite software on the mobile device that hosts the IoT applications.
Continue to part 6: What the Future Holds
Image credit: phantomiot.com

Senthil Velan
Manager, Vulnerability Research