The IoT botnets are behind mass outages and various types of fraud, proving that IoT security is essential. If you don't commit to designing it from the start then you're pretty much guaranteeing yourself a tabloid-headline-scale PR disaster later (and possibly very large GDPR fines if you hold customer data).
Security is an area where it definitely pays to buy from an expert because it's very easy for a novice to make mistakes which blow security wide open. The "Shodan" search engine crawls the web looking for IoT devices - for example, to find connected devices or serviceswith public interfaces, create an account and search for "product:webcam" (283k devices at the time of writing) or "product:MQTT" (44k brokers).
Securing the device end
A key concept in any internet communications is that security is "end-to-end": you can't trust the middle because it's the public internet so anyone can see and tamper with your messages. But by securing both ends, you can send encrypted messages between them.
The cloud end is easy to secure using standard web services and practices. But the device end is far more problematic for many reasons, including that often:
- There is no device "user" (on a smartphone the user can enable authorisation procedures such as out-of-band key exchange)
- Devices are made in far Eastern factories, often physically insecure and riddled with viruses, and may clone your device
- Devices are deployed into the real world where bad actors can physically attack them and dig out their secrets
- Default passwords configured by vendors are often not changed by installers
- CPUs in low-cost and battery-powered devices may not have the security features of their more expensive/power-hungry cousins
So a key challenge is to establish a "root of trust" at the device end.
Top tip: don't put a single "pre-shared key" into every device.
At the heart of most IoT devices is an ARM processor, and the many vendors selling ARM processors are now starting to add features such as hardware TrustZone even to low-end processors.
Vendors who specialise in IoT security include...
- Gemalto (SIMs to install into untrusted hardware)
- Secure Thingz (hardware security modules to program your devices securely even in an untrusted factory)
- Mocana (trusted platform modules complemented by a complete end-to-end set of security processes).
Some vendors seem to be focused on applications such as factories and businesses where devices sit on an intranet (a finite domain which can be scanned and monitored) and behind a firewall (so the perimeter can be protected) and wher ethe major thread model is humans carrying virus-laden USB sticks across that perimeter. These vendors include...
But this "clean network" model cdoesn't fit into the modern world - and especially not that of IoT deployments. For example, just consider the modern home: high-capability devices (often with independent communications) from no-brand suppliers are placed on a network with no IT support. More and more, the same is happening with all networks, even in industrial and other applications. Vendors such as DarkTrace are therefore an important complement to firewall-type solutions.
So what does this mean?
Despite your best efforts, assume you've got security wrong and consider the following:
- Hiring an IoT penetration tester
- Using a "white hat" to crawl over your hardware, software and processes to look for likely weaknesses
- Check out this great checklist of possible IoT threats you should consider (the "attack surface")
- Although it isn't a security solution per se, DevicePilot can help you manage your security, for example by auditing whether software has been upgraded. It can also keep track of the "vital signs" of your devices and alert you quickly to security and other issues.