In an effort to make the use of IoT devices safer, last year the US Senate introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017. This bill proposes minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies and by others.
It outlines the various clauses that contractors have to adhere to for IoT devices, including timely patching of vulnerabilities, use of secure protocols and password policies, and other key best practices. However, the bill applies to contractors that sell to the US government and may not have a direct impact on other IoT manufacturers. The question to consider is whether these are the same devices that are sold to consumers.
Rush To Market - A Hindrance on Security
Given the proliferation of IoT devices, our Security Engineers have been performing a lot of security assessments on consumer IoT devices. Based on numerous conversations with vendors and IoT architects, what is clear is that "it's all about shipping the devices on time". This rush-to-market pressure leaves little to no time to consider security.
Compounding the issue is the assumption (or blind hope) that others in the supply chain have already made sure the product is secure. Unfortunately, this is as common with enterprise devices as it is with consumer IoT devices. Things are improving, but making sure consumer IoT devices are secure is a shared responsibility between manufacturers and consumers. Devices are almost always optimized for user experience and simplicity, and are often shipped with many security features disabled.
Configuring Security Options for At-Home IoT Devices
Reducing the risk of IoT devices used at home often requires thoughtful configuration of security options that I describe below:
Securing Device Interfaces
Most IoT devices run a publicly accessible web and device interface that can be used for configuring the device. Employ the following practices to make sure that the exposed interfaces do not increase your exposure to attacks:
1. Disable The Web Interface
- Disable the web interface if you do not plan to use it.
- If your device supports HTTPS, enable the option that forces all connections to and from the IoT device over a secure TLS channel.
- Set a complex password policy; refer to the tips under `Insecure Access Control` to do so.
- Create a whitelist of IP addresses that are allowed to connect to the device, and use it to further restrict access to your devices.
- Enable multi-factor authentication on the available interfaces.
- If the option exists, disable unused physical ports to remove unwanted physical controls on the device.
- If using a mobile device to configure the IoT device, ensure that multi-factor access to the device (e.g. PIN/biometrics) is in use.
2. Secure Access Control
Most IoT devices open a public port and can be accessed over the internet or your local intranet. If you own a device that has a publicly accessible interface, change the default passwords using best practices such as:
- Passwords must contain at least 8 characters.
- Passwords must not contain the username or email address.
- Passwords must contain at least one character from each character type: lowercase letters, uppercase letters, numbers, and special characters.
3. Enable Additional Access Control Options if Provided
- Enable password history and disable password reuse. Configure the setting to remember the last 5 password hashes so that previous passwords cannot be reused.
- For devices that have a separate administrative account, passwords should contain at least 14 characters.
- Enable password expiry after a certain amount of time. When the password expires, force the user to create a new one.
- Enable account lockout if the device supports it.
- Many devices ship with default usernames and device names. Create a new user account and then disable the default one. You can also change the device name in the device settings to make it harder for attackers to fingerprint your device.
- If the device does not need to be in the same network as other personal devices, put the device in a separate network with other similar devices.
- Restrict remote access over the internet to device administrative services such as SSH (22), Telnet (23) and HTTP/HTTPS (80/443). This can be done with firewall rules on your home router.
- Some devices are known to have code execution or information leakage vulnerabilities that can be exploited only with physical access to the device. To guard against this, monitor physical access to the device, and if devices are placed outdoors, ensure that all relevant security patches are applied on time.
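The password rules in "Secure Access Control" above and the history, administrative-length and lockout options in this section can be checked mechanically. The following is an added example written for this article, not code from the original post or from any device vendor: it enforces the page's values (8 characters, 14 for a separate admin account, a history of the last 5 hashes) and adds a failed-login lockout. The lockout threshold and duration, the PBKDF2 round count and the sample account are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import string
import time

# Values from the page: 8 characters for ordinary accounts, 14 for a separate
# administrative account, and a history of the last 5 password hashes.
MIN_LEN_USER = 8
MIN_LEN_ADMIN = 14
HISTORY_DEPTH = 5
# The page only says "enable account lockout"; the threshold, duration and
# KDF round count below are assumptions chosen for this example.
LOCKOUT_THRESHOLD = 5
LOCKOUT_SECONDS = 900
PBKDF2_ROUNDS = 100_000

CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "number": string.digits,
    "special": string.punctuation,
}


def check_password_policy(password, username, email, is_admin=False):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    min_len = MIN_LEN_ADMIN if is_admin else MIN_LEN_USER
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if email and email.lower() in lowered:
        problems.append("contains the email address")
    for name, alphabet in CHARACTER_CLASSES.items():
        if not any(ch in alphabet for ch in password):
            problems.append(f"no {name} character")
    return problems


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the hash, not the password, is what gets stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    """Minimal account record with password history and failed-login lockout."""

    def __init__(self, username, email, is_admin=False):
        self.username = username
        self.email = email
        self.is_admin = is_admin
        self.history = []          # (salt, hash) pairs, oldest first, current last
        self.failed_attempts = 0
        self.locked_until = 0.0

    def set_password(self, password):
        """Apply the policy and the reuse check; return violations (empty on success)."""
        problems = check_password_policy(password, self.username, self.email, self.is_admin)
        if problems:
            return problems
        # Compare against every remembered hash using that entry's own salt.
        for salt, digest in self.history:
            if hmac.compare_digest(hash_password(password, salt), digest):
                return [f"reuses one of the last {HISTORY_DEPTH} passwords"]
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only the newest entries
        return []

    def login(self, password, now=None):
        """Return 'ok', 'denied' or 'locked'; `now` is injectable for testing."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        salt, digest = self.history[-1]
        if hmac.compare_digest(hash_password(password, salt), digest):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.failed_attempts = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    acct = Account("alice", "alice@example.test")      # constructed sample account
    print(check_password_policy("admin123", "admin", "admin@example.test"))
    print(acct.set_password("Correct-Horse7"))          # accepted
    print(acct.set_password("Correct-Horse7"))          # rejected: reuse
    print([acct.login("wrong", now=1000.0) for _ in range(5)])
```

The history keeps each entry's own salt so that a candidate password can be re-hashed and compared without ever storing the old passwords, and comparisons go through `hmac.compare_digest` to avoid timing differences.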
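The IP whitelist recommended under "Securing Device Interfaces" and the home-router firewall rule for SSH, Telnet and HTTP/HTTPS in this section express one policy: administrative ports are reachable only from addresses you chose. This added example, which is not code from the original post, evaluates that policy over a handful of constructed connection records and renders it as an nftables ruleset for a router's forward chain. The allowlist networks, the device address and the sample connections are assumptions made up for the example; the page does not name a router or firewall product.

```python
import ipaddress

# Administrative services and ports named on the page.
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}

# Constructed allowlist for the example (assumption, not values from the page):
# the home LAN plus a single management host on another internal network.
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.5/32"),
]


def is_allowed(source_ip, dest_port, allowlist=ADMIN_ALLOWLIST):
    """Return (allowed, reason) for one connection attempt to the device.

    Administrative ports are reachable only from allowlisted addresses;
    everything else aimed at those ports is dropped. Other ports are left
    to the device's own settings and pass through this check unchanged.
    """
    src = ipaddress.ip_address(source_ip)
    service = ADMIN_PORTS.get(dest_port)
    if service is None:
        return True, "not an administrative port"
    if any(src in net for net in allowlist):
        return True, f"{service} from allowlisted address"
    return False, f"{service} from non-allowlisted address {src} is blocked"


def evaluate(connections, allowlist=ADMIN_ALLOWLIST):
    """Apply is_allowed to 'src_ip dst_port' records and return the decisions."""
    decisions = []
    for record in connections:
        src, port = record.split()
        allowed, reason = is_allowed(src, int(port), allowlist)
        decisions.append((src, int(port), allowed, reason))
    return decisions


def render_nft_rules(device_ip, allowlist=ADMIN_ALLOWLIST):
    """Render the same policy as an nftables ruleset for a router's forward chain.

    The device address is a parameter; the ruleset is an illustration of how the
    allowlist translates to firewall rules and is not taken from the page.
    """
    elements = ", ".join(str(net) for net in allowlist)
    ports = ", ".join(str(p) for p in sorted(ADMIN_PORTS))
    return "\n".join([
        "table inet iot_admin {",
        "    set admin_allow {",
        "        type ipv4_addr",
        "        flags interval",
        f"        elements = {{ {elements} }}",
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        f"        ip daddr {device_ip} tcp dport {{ {ports} }} ip saddr @admin_allow accept",
        f"        ip daddr {device_ip} tcp dport {{ {ports} }} drop",
        "    }",
        "}",
    ])


# Constructed sample connection attempts, "source_ip destination_port".
SAMPLE_CONNECTIONS = [
    "192.168.1.20 443",   # laptop on the LAN opening the HTTPS admin page
    "10.0.0.5 22",        # allowlisted management host over SSH
    "203.0.113.7 23",     # internet host probing Telnet
    "203.0.113.7 80",     # internet host probing HTTP
    "192.168.2.9 22",     # guest-network client trying SSH
    "198.51.100.4 8883",  # non-admin port, left to the device's own settings
]

if __name__ == "__main__":
    for src, port, allowed, reason in evaluate(SAMPLE_CONNECTIONS):
        print(f"{'ALLOW' if allowed else 'DROP ':5} {src:>15}:{port:<5} {reason}")
    print(render_nft_rules("192.168.1.50"))
```

Keeping the allowlist as a named set means the accept rule and the drop rule never change when you add or remove a management address; only the set elements do, which is the same reason the Python evaluator takes the allowlist as a parameter.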
4. Securing Consumer Personally Identifiable Information
Consumer IoT devices collect device and usage analytics. This information is sent to vendors so that they can improve the user experience, but device logs shared with the vendor can contain sensitive personally identifiable information (PII). As consumers, we can restrict the amount of sensitive information that is shared.
- Most IoT devices ship with an option to disable diagnostics and usage reports from being shared with the device manufacturers. Make sure that the privacy settings are enabled.
- For privacy reasons, you can disable location and ad tracking unless it is explicitly needed.
- When installing apps on your iOS and Android devices, make sure to verify the permissions requested by the application. Allow access only to the resources that you absolutely need.
- Avoid entering sensitive information like full names, addresses, date of birth, phone numbers and credit-card information.
- Disable services like Bluetooth, Wi-Fi and NFC if they are not needed on the device.
5. Securing Device Firmware
Time-to-market pressures almost guarantee that vulnerabilities will be discovered after a product is released, which is why organizations have a patch management process in place. Depending on the criticality of the vulnerability, stable patches are pushed to the devices as soon as possible, ideally via over-the-air (OTA) updates.
- Frequently check for software updates. Install updates as soon as they arrive.
- Enable the option, if available, to automatically download and install software and firmware updates.
- Enable the option to run scheduled device software and firmware updates.