As companies and individuals expand their use of IoT products at work and at home, and those devices interact more with our private information, IoT security is more important than ever. How can developers make sure that they’re following the right protocols to protect customer data?
IoT Device Security: Why Developers Should Care
IoT products that are left physically exposed are vulnerable to being stolen and reverse engineered to identify secrets (e.g., shared keys or passwords) or vulnerabilities in the software that can then be exploited later on operational products.
Consumer IoT devices, including smart home products, often operate in environments with limited security controls in place to protect against attackers exploiting vulnerabilities.
On top of all this, it’s difficult for consumers and enterprises to know whether their connected devices are physically secure because there are no well-defined security standards for IoT devices.
IP-connected security systems are listed by researchers as particularly dangerous because they use wireless communication to connect with other smart devices associated with securing a building — and that could potentially be exploited by hackers.
Assume That Hackers Will Steal Your IoT Device
What best practices should be in place for IoT device security?
When beginning any security project, it’s standard practice to assume that an attacker is going to have full knowledge and access to your code. In IoT, likewise, you should assume that the hacker will have access to your connected device.
Especially out in the field, it's pretty difficult to control whether or not someone will be able to get their hands on a device, extract the code, decompile it, and figure out what's going on. For this reason, it's important that you aren't being lazy when you're writing code.
Don’t include secrets, like secret tokens, inside of the code. If you're storing information like WiFi credentials, it's important that the information be encrypted rather than stored in plain text.
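A pre-release check for the rule above, added here as an example (it is not code from the original article): it looks at a firmware image the way someone holding the device would, pulling printable strings and flagging embedded keys, credential assignments, and high-entropy tokens. The rule set, threshold, and sample image are constructed for illustration.

```python
import math
import re

# Printable ASCII runs of 8+ bytes, the same view `strings` gives an analyst.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")

# Patterns that should never appear in a shipped image (illustrative, not exhaustive).
RULES = {
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|psk|token|secret|api_key)\w*\s*[=:]\s*\S{4,}"),
}
TOKEN = re.compile(r"[A-Za-z0-9+/_\-]{24,}")  # candidates for the entropy check


def shannon_entropy(text):
    """Bits of entropy per character; random key material scores high."""
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def scan_image(image, entropy_threshold=4.0):
    """Return (offset, rule, text) findings for a raw firmware image."""
    findings = []
    for run in PRINTABLE_RUN.finditer(image):
        text = run.group().decode("ascii")
        matched = [name for name, rx in RULES.items() if rx.search(text)]
        if not matched and any(shannon_entropy(t) >= entropy_threshold
                               for t in TOKEN.findall(text)):
            matched = ["high_entropy_token"]
        findings.extend((run.start(), name, text) for name in matched)
    return findings


# Constructed sample image: binary padding around strings a build might leave behind.
SAMPLE_IMAGE = (
    b"\x7fELF\x00\x00\x01\x02" + b"wifi_connect: associating\x00"
    + b"\xff\xfe" + b"wifi_psk=CorrectHorse42\x00"
    + b"\x00\x10" + b"-----BEGIN EC PRIVATE KEY-----\x00"
    + b"\x01" + b"k9Qz7Lm2Xv8Rt4Bn6Wc1Yp3Hs5Jd0Gf\x00"
    + b"\x02" + b"firmware version 1.4.2 build ok\x00"
)

if __name__ == "__main__":
    for offset, rule, text in scan_image(SAMPLE_IMAGE):
        print(f"0x{offset:04x}  {rule:22s}  {text}")
```

Run against the release artifact in CI, a non-empty result fails the build before the image reaches a device.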
Install Tamper-Proof Hardware
In addition to securing your code, you’ll want to install physical hardware to protect your device and sensitive data.
Cryptoprocessors are microprocessors that you can include in your IoT products to outsource your encryption, handling your tokens, certificates, etc. You add the part to your schematic and write special code to ensure your device can interact with it. Typically, cryptoprocessors are tamper-proof. If a hostile party tries to open the device, the cryptoprocessor may stop working, or the interference will become obvious on the device.
Think About What’s Being Stored on the Device
What about especially vulnerable devices that store a lot of sensitive data? Before you go and develop an expensive security protocol for the device, ask: why am I leaving something containing such critical information in a place where people can easily access it?
Think about your personal smartphone or computer. These objects probably contain a lot of your personal data. Would you leave them out on your porch if you lived right next to a busy pedestrian street?
Keep in mind that the best method to keep sensitive data secure is often to keep it far, far away from any potential risks. If your device must store or interact with sensitive data, make sure it’s in a place where it’s always monitored closely. If the device communicates via network connections, take the necessary steps to secure the network before releasing the device into the wild.
Consider Cost-Effective Methods for IoT Security
So, what if you have a device that needs to be secure, but you’re not confident it’s worth a high-dollar security investment?
Maybe it’s a smart water valve or an internet-connected fish tank like the one we built with Koller Products. Chances are, you’re not terribly worried about a hacker breaking in and nefariously changing the colors of the lights in your fish tank. All the same, it’s a good idea to follow some sort of best practice for protecting devices from bad actors.
This is where client-side SSL comes in, a practice we implement regularly at Very. When we provision a device, we generate a unique secure key. We make that key part of the IoT firmware and upload it to the device. Whenever the device is out in the field, that key is in charge of managing the device's communication back to the internet and the cloud, and its secure communications and processes.
If an attacker were to somehow get ahold of that device and get ahold of that key, they wouldn't have access to everything. They would only have access to a very small attack surface, meaning they could cause less damage.
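The server-side half of that claim, as an added example (not code from the original article or from Very): a unique key per device only keeps the attack surface small if the backend ties each verified client certificate to that one device's resources and can revoke it alone. The input is the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the `devices/<id>/` topic layout, the `DeviceGate` class, and the sample certificates are hypothetical, and the TLS layer is assumed to have already verified the certificate chain.

```python
import re

DEVICE_ID = re.compile(r"[a-z0-9-]{1,64}")  # hypothetical device id format


class DeviceGate:
    """Maps a verified client certificate to what that one device may do."""

    def __init__(self, revoked_serials=()):
        self.revoked = {s.upper() for s in revoked_serials}

    def device_id(self, peercert):
        """Return the device id from the cert subject, or None if unusable."""
        if not peercert:  # None or {}: no verified client certificate
            return None
        if peercert.get("serialNumber", "").upper() in self.revoked:
            return None
        names = [value for rdn in peercert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
        if len(names) != 1 or not DEVICE_ID.fullmatch(names[0]):
            return None
        return names[0]

    def may_access(self, peercert, topic):
        """Allow only concrete topics under devices/<own id>/."""
        dev = self.device_id(peercert)
        if dev is None:
            return False
        parts = topic.split("/")
        return (len(parts) >= 3 and parts[0] == "devices" and parts[1] == dev
                and all(p not in ("", ".", "..", "#", "+") for p in parts[2:]))


def constructed_cert(cn, serial):
    """Constructed sample in getpeercert() format."""
    return {"subject": ((("organizationName", "Example Devices"),),
                        (("commonName", cn),)),
            "serialNumber": serial}


TANK_A = constructed_cert("tank-0001", "0A01")
TANK_B = constructed_cert("tank-0002", "0A02")

if __name__ == "__main__":
    gate = DeviceGate(revoked_serials=["0A01"])  # tank-0001 reported stolen
    print(gate.may_access(TANK_A, "devices/tank-0001/lights"))
    print(gate.may_access(TANK_B, "devices/tank-0002/lights"))
```

A key extracted from one device authenticates only as that device, and revoking its serial number cuts it off without touching the rest of the fleet.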
Educate Consumers on Security Measures
User or customer education is always important in technology security. When the web first started out, for example, people were creating lots of personal accounts and using terrible passwords that put their accounts at risk of being compromised. We had to explain to consumers that “123456” and “password” were too easy to guess.
Similarly, with IoT, we need to educate consumers about best practices, like:
1. Guarding your smart devices. Consumers need to understand that if their IoT devices have sensitive information, it’s important that they don’t leave them in an exposed area. If the device connects to the internet, for example, it may contain the customer’s WiFi credentials, which could be manipulated by malicious parties.
2. Inspecting the IoT products you buy. Keeping in mind that there are no set standards for IoT security, customers need to be thoughtful about their purchases. If a consumer wants a security camera outside their house, for example, they should consider one that doesn’t store personal information on the device itself. Instead, it might store data on a hub kept inside that wirelessly connects to the camera outdoors.
3. Proper disposal of IoT devices. Consumers need to know the proper procedures for selling, giving away, or disposing of IoT devices. Many of these products, like smart light bulbs, may still store WiFi credentials that they wouldn’t want to share with others — especially not people digging through trash cans looking for opportunities.
Only you can prevent forest fires, and sometimes, the user is the most valuable asset for maintaining IoT security. By educating those users, carefully crafting your IoT solutions, and implementing secure processes, you can protect yourself and your customers.