“Wake up baby!” screamed a man’s gruff voice through a baby monitor. An infant, who had been soundly sleeping a few feet away, stirred and started to cry. “I’m watching you!” yelled the man, who had managed to gain access to the monitor to be able to both see the baby, and communicate with the infant.
Stories like this are becoming more commonplace as the market for connected products booms, opening up new possibilities for unauthorized access to such devices.
But this is just one example of an IoT security breach. There’s the risk of everything from hacked cars, hacked power plants, hacked smart fridges, and, well, you get the picture.
The categories of IoT security risk, however, are well understood. The Open Web Application Security Project (OWASP) came up with a comprehensive list of the top ten Internet of Things security vulnerabilities that every IoT developer should take to heart; the slides that follow walk through that list.
The first item on the list is the insecure web interface. Don't make it easy for attackers to break into your IoT system by shipping default passwords, accepting weak ones, or offering a lax "forgot password" flow that lets someone enumerate accounts or reset a password without proving ownership. Also guard against the classic web-application flaws: cross-site scripting, cross-site request forgery, and SQL injection.
The second, insufficient authentication and authorization, is closely related. Any person or bot that can reach your web interface poses some risk, and the biggest threat is an unauthorized user who gains access to it. Improve authentication and authorization by protecting credentials in storage and in transit and revoking them when necessary. Also require that the app, the device, and the server each authenticate to one another, and make sure authentication tokens and session keys are unique per session and unpredictable.
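As an added illustration (example code written for this page, not code from OWASP or from the original slideshow), the following Python shows the two halves of these two slides side by side: a login query built by string concatenation, which the password `' OR '1'='1` bypasses, next to a parameterised query that checks a salted PBKDF2 hash in constant time, and a session store that issues a fresh random token per login and can revoke tokens individually or for a whole user. The in-memory user table, the sample account and the PBKDF2 work factor are constructed for the example.

```python
import hashlib
import hmac
import secrets
import sqlite3
from typing import Dict, Optional

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune to the device's CPU budget


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen table cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory account store holding one user in two layouts:
    the weak design (plaintext password) and the hardened one (salt + PBKDF2)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (name TEXT, password TEXT)")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users_plain VALUES (?, ?)", ("admin", "correct horse"))
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("admin", salt, hash_password("correct horse", salt)))
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Untrusted input concatenated into SQL. The password  ' OR '1'='1  turns the
    WHERE clause into (name = ... AND password = '') OR '1'='1', which matches every row."""
    query = (f"SELECT 1 FROM users_plain WHERE name = '{username}' "
             f"AND password = '{password}'")
    return db.execute(query).fetchone() is not None


def login_hardened(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query plus constant-time comparison of a salted PBKDF2 hash."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (username,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # burn the same time for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


class SessionStore:
    """Bearer tokens that are unique per login and can be revoked."""

    def __init__(self) -> None:
        self._owner: Dict[str, str] = {}  # token -> username

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never derived from the user
        self._owner[token] = username
        return token

    def user_for(self, token: str) -> Optional[str]:
        return self._owner.get(token)

    def revoke(self, token: str) -> None:
        self._owner.pop(token, None)

    def revoke_all(self, username: str) -> int:
        """Invalidate every session of a user, e.g. after a password change or compromise."""
        doomed = [t for t, u in self._owner.items() if u == username]
        for t in doomed:
            del self._owner[t]
        return len(doomed)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login bypassed:", login_vulnerable(db, "admin", "' OR '1'='1"))
    print("hardened login bypassed:  ", login_hardened(db, "admin", "' OR '1'='1"))
```

Cross-site scripting and CSRF are not shown; they are addressed by output encoding and per-form anti-forgery tokens, the same principle of never trusting request data. Note that login_hardened runs the hash even for unknown usernames so that response time does not reveal which accounts exist.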
Next come insecure network services. Review which ports your device leaves open, close any it does not need, and test the services behind the remaining ones for weaknesses such as buffer overflows, mishandled malformed input, and susceptibility to denial-of-service attacks.
Lack of transport encryption is the fourth item. Check that none of your network traffic, mobile applications, or cloud connections pass data in cleartext. Also review your encryption protocols and how you use SSL and TLS to make sure everything is up to date: in practice that means TLS 1.2 or later with the server certificate actually verified, not SSL or early TLS, and no silent fallback to an unencrypted channel.
Privacy concerns, the fifth item, are trickier. It's by no means easy to determine precisely who should have access to your data, and then to make sure that your device and its components collect only the data they actually need. Another wrinkle is ensuring that each user can reach only the data they are authorized to receive. Edward Snowden had access to a plethora of secret NSA files, and we all know how that turned out.
The insecure cloud interface, the sixth item, comes back to insufficient authentication and authorization. To keep your cloud interface secure, eliminate default usernames and passwords, lock out accounts that fail to log in after a defined number of attempts, and review every cloud interface for vulnerabilities.
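The lockout and default-credential rules above, as an added example (this code is written for this page and is not OWASP's or the original author's): a policy object that locks an account after a configurable number of consecutive failures for a configurable period, and a login gate that refuses a constructed list of factory defaults outright. The clock is injected so the expiry behaviour can be tested without waiting.

```python
import time
from typing import Callable, Dict

# Constructed list of factory credentials a deployed device must never accept.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "root"), ("user", "1234")}


class LockoutPolicy:
    """Lock an account for lockout_seconds after max_failures consecutive failures."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, int] = {}       # user -> consecutive failures
        self._locked_until: Dict[str, float] = {}  # user -> expiry of the lock

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:          # lock expired: start with a clean slate
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Count a failure; return True when this one trips the lock."""
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def authenticate(policy: LockoutPolicy, user: str, password: str,
                 verify: Callable[[str, str], bool]) -> str:
    """Gate a cloud login. Returns one of: locked, default-rejected, denied, ok.
    verify() is the real credential check (for example a salted-hash compare)."""
    if policy.is_locked(user):
        return "locked"                    # verify() is not run: no oracle while locked
    if (user, password) in DEFAULT_CREDENTIALS:
        policy.record_failure(user)        # factory defaults count as failures and get logged
        return "default-rejected"
    if verify(user, password):
        policy.record_success(user)
        return "ok"
    policy.record_failure(user)
    return "denied"
```

Per-account lockout alone lets an attacker lock legitimate users out on purpose, so pair it with per-source rate limiting and log both the failures and the lock events, which is the security-event logging the configurability slide below asks for.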
By now you may have noticed a theme. The same basic rules apply to the insecure mobile interface, the seventh item, as to the cloud. Check whether credentials are exposed when the app is used over wireless networks, and offer two-factor authentication.
Insufficient security configurability is the eighth item. Improving it requires a multifaceted strategy: separating ordinary users from administrators, encryption, strong password policies, and logging of security events so that an attack can actually be noticed.
Insecure software and firmware is the ninth. One of the first priorities here is to ensure that your device can be updated at all. Update files should be encrypted and transmitted over an encrypted connection. Also ensure that each update is signed and that the device verifies the signature before installing it (encryption only hides the image; the signature is what proves who built it and that it was not altered), and that the update server itself is secured.
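An added example of the device-side checks (written for this page, not the slideshow's or any vendor's code): the firmware image ships with a small signed manifest, and the device authenticates the manifest first, then checks the model, refuses rollback to an older or identical version, and only then compares the image digest. HMAC-SHA256 with a shared key stands in for the signature so the example runs on the standard library alone; that is an assumption, and in production the vendor signs with a private key (e.g. Ed25519) while the device holds only the public key. The model string, key and image bytes are constructed.

```python
import hashlib
import hmac
import json
from typing import Tuple

DEVICE_MODEL = "bm-200"  # constructed model identifier baked into the firmware


class UpdateRejected(Exception):
    pass


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC exactly the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(signing_key: bytes, manifest: dict) -> bytes:
    """Vendor side. HMAC stands in for an asymmetric signature (assumption, see lead-in)."""
    return hmac.new(signing_key, canonical(manifest), "sha256").digest()


def build_release(signing_key: bytes, image: bytes, version: int) -> Tuple[dict, bytes]:
    """Vendor side: manifest binds model, version and image digest together under one signature."""
    manifest = {"model": DEVICE_MODEL, "version": version,
                "sha256": hashlib.sha256(image).hexdigest(), "size": len(image)}
    return manifest, sign_manifest(signing_key, manifest)


def verify_update(trust_key: bytes, manifest: dict, signature: bytes,
                  image: bytes, installed_version: int) -> dict:
    """Device side. Order matters: authenticate the manifest before trusting any field in it."""
    expected = hmac.new(trust_key, canonical(manifest), "sha256").digest()
    if not hmac.compare_digest(expected, signature):
        raise UpdateRejected("manifest signature invalid")
    if manifest.get("model") != DEVICE_MODEL:
        raise UpdateRejected("manifest is for a different device model")
    if int(manifest.get("version", 0)) <= installed_version:
        raise UpdateRejected("rollback to an older or identical version refused")
    if len(image) != manifest.get("size") or \
            hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        raise UpdateRejected("image digest does not match the signed manifest")
    return manifest


def apply_update(trust_key: bytes, manifest: dict, signature: bytes,
                 image: bytes, installed_version: int) -> str:
    """Wrapper returning the outcome as text, as a device log line would."""
    try:
        verify_update(trust_key, manifest, signature, image, installed_version)
    except UpdateRejected as err:
        return f"rejected: {err}"
    return "installed"


if __name__ == "__main__":
    key = b"constructed-vendor-key"
    image = b"\x7fELF" + bytes(64)  # constructed stand-in for a firmware image
    manifest, sig = build_release(key, image, version=5)
    print(apply_update(key, manifest, sig, image, installed_version=4))
    print(apply_update(key, manifest, sig, image + b"\x00", installed_version=4))
```

Two practical notes: the digest is recomputed over the image as written to flash, not the bytes as downloaded, so a TOCTOU swap between download and install does not help an attacker; and the installed version used for the rollback check must itself live in storage the attacker cannot rewrite, or the check is decorative.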
Poor physical security, the last item, is also a multipronged matter. Can your storage medium be easily removed? Is your stored data encrypted? Can bad actors gain access to physical ports such as USB, serial, or debug headers? Can the device be easily disassembled?
This slideshow was originally published on IoT Institute which is also powered by Penton, an information services company.