IoT devices are not going away any time soon. The estimates vary widely as to how many devices are currently in use, and how many devices will be deployed in the next few years, but the one thing that everybody seems to agree on is that IoT adoption is on the rise. The other thing people seem to agree on is that it is critical to secure IoT devices – using long-term and short-term strategies.
Early on, many IoT vendors rushed their products to market with seemingly no concern about security. Things seem to be getting better, but IoT’s reputation for being insecure has been firmly cemented. That makes IoT devices a big target, so it makes sense to consider what you can do--right now--to keep secure IoT devices.
1. Perform a password audit.
The very first thing I recommend doing to secure IoT devices is to perform a password audit against all of your IoT devices. While it is important to determine whether any of your devices are using weak passwords, it is far more important to test for default password use. Remember, nearly every device manufacturer posts its manuals online, and these manuals almost always list the default password for the device. Anyone can get access to this information, and default passwords are often a starting point for those who seek to compromise IoT devices.
Ideally, each of your IoT devices should be equipped with a random, but complex password. After all, if all of your devices share a common password, an attacker could conceivably acquire that password and take control of all of the devices. This is especially troubling since there are stories of attackers who have managed to get IoT devices to function as botnets.
2. Review the end user agreement.
One of the things that I never hear anyone talk about with regard to IoT security is the importance of reviewing the end user agreement. That’s the agreement that the manufacturer displays on screen when you initially configure the device. If you simply click OK to accept the agreement without reading it--so you can finish the deployment and get on with your day--you really don’t know what you have just agreed to. Given the extent to which devices have become known for spying, it may be worth taking the time to review the end user agreement for your devices and make sure that the device is not compromising sensitive information. If you’re not comfortable with something in the end user agreement, it may be worth adopting a competing vendor’s product.
3. Keep firmware up to date.
Just as software vendors routinely release patches for their products, reputable IoT vendors will occasionally release firmware updates to secure IoT devices. It is important to download, test and deploy these firmware updates just as you would any other patch.
4. Disable unnecessary features.
In some cases, you can enhance your security by disabling unnecessary features. To determine what’s really necessary and what’s not, spend time reviewing the feature sets of the IoT devices that you use.
Obviously, some devices are far more feature-rich than others. An IP-enabled industrial sensor, for instance, probably has few, if any, ancillary features. On the other hand, devices that are oriented more toward the end user tend to be feature-rich. In some cases, disabling even a single feature can significantly improve the device’s overall security.
For example, like many other people, I have a Wi-Fi enabled, smart thermostat in my home. This thermostat has a remote access feature that lets me remotely monitor the temperature in my home and make adjustments if necessary. I have disabled the thermostat’s remote access feature--not because I’m worried about a hacker setting the air conditioner to run at full blast, but because an attacker who gains access to the thermostat could conceivably use it as a platform for launching an attack against other devices on the network.
5. Put segmentation to use.
My goal for this blog post was to focus on immediate actions that can be taken in an effort to secure IoT devices. Even so, I just couldn’t conclude the post without mentioning segmentation. Segmentation takes some planning, so it doesn’t really qualify as something that you can do right now. Even so, segmentation is one of the most important things that you can do to keep your IoT devices secure, so I wanted to be sure to mention it.
When possible, place your IoT devices on isolated network segments. The smart thermostat I mentioned is connected to a dedicated Wi-Fi network that services only the connected devices in my home. Using this dedicated network prevents IoT devices from accessing sensitive data such as the files stored on my laptop.
Even if you cannot completely isolate a device, you may be able to use firewall and routing policies to restrict a device’s communications. For example, if a particular device communicates with a backend SQL Server, you should look for ways to prevent the device from ever communicating with anything else (with the possible exception of a management PC). This can go a long way toward keeping the device secure while also preventing data leakage.