November 24 2020
The Internet of Things (IoT) has amazing potential for your business. It’s all about collecting, sharing and interacting with data in innovative ways.
Data is increasingly referred to as the ‘new oil’: the fuel in our engines that, used appropriately, will drive us further and faster than we could have imagined only a few years ago. But with so much excitement surrounding the possibilities, it’s easy to lose sight of the risks.
It’s generally accepted that you should assess the security of your new website before it goes live. Or that you should seek third party verification when changes to your IT infrastructure are rolled out (and you do those things, right?).
But would you consider doing the same when you’re adding a new coffee machine to your breakout area?
It’s rare for a month to go by without a new connected device vulnerability hitting the headlines and a quick search for IoT security stories shows just how common the issues are.
One example is the BlueBorne attack: a vulnerability in the Bluetooth implementations of multiple vendors, through which an attacker could infect any unpatched device that had Bluetooth turned on. The compromised device would then spread the infection to any other vulnerable device that came within range.
Sure, this requires the attacker to get close to the first device, for example by standing near the front door of your office and exploiting anyone’s phone as they walk by. It’s far from implausible, and the day is coming when our interconnected devices are going to seriously impact the running of a business.
You wouldn’t fail to protect your business from online threats, so why leave yourself exposed via IoT devices? Here are some of the main things you need to consider, and what you need to evaluate in order to improve the security of these devices.
How do you secure your IoT device?
First of all, we advise our clients to question whether the device actually NEEDS to be connected to the internet, or if it really needs to talk to other devices. If it does, the following tips will help to improve your IoT cybersecurity:
- Don’t connect unnecessary devices to your network
For example, a smart coffee machine may need internet access to order supplies online, but it will not need to access your databases and network file shares. Reduce the risks by not connecting the device to your corporate network. Configure a network which can only reach the Internet and enable host segregation where possible (so that one device cannot talk to another).
Often the security of a network is only as good as the weakest node. Reduce risks by using appropriate segregation.
- Check if it’s web facing (greater risk than internal network only)
If the device needs to present a service directly on the Internet (such as a remote administration interface), then it’s at increased risk of attack. Anyone with an Internet connection will be able to target it, and so you must be certain of its level of security.
Most administration interfaces in IoT devices have not undergone robust security analysis and pose a genuine danger.
The advice here is:
- It is better to provide a VPN to enable remote access. This can have robust authentication including 2FA or digital certificates, which is often not the case in IoT administration interfaces.
- If a VPN is impractical, use firewall rules to limit the visibility of the service to specific source addresses. Limiting who can see it reduces the pool of attackers.
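The two network controls above (an Internet-only segment for IoT devices, and firewall rules that expose a device’s admin interface to specific source addresses only) can be expressed in one small nftables ruleset. The script below is an added example and is not from the original post; the interface names, subnets and the admin host address are constructed placeholders that you would replace with your own.

```shell
#!/bin/sh
# Added example (not part of the original post): emit an nftables ruleset for a
# router that carries an IoT VLAN, a corporate VLAN and an Internet uplink.
# Interface names, subnets and the admin host below are constructed
# placeholders; override them through the environment.

IOT_IF="${IOT_IF:-vlan30}"                 # interface of the IoT-only network
CORP_IF="${CORP_IF:-vlan10}"               # corporate LAN interface
WAN_IF="${WAN_IF:-eth0}"                   # Internet uplink
IOT_NET="${IOT_NET:-192.168.30.0/24}"      # addresses of the IoT devices
ADMIN_HOST="${ADMIN_HOST:-10.10.0.5}"      # the one host allowed to reach device admin UIs

# Print the ruleset. The forward chain's policy is drop, so anything not
# listed is blocked:
#  - IoT devices may open connections to the Internet only, never to RFC1918 space
#  - nothing on the corporate LAN may reach an IoT device except ADMIN_HOST,
#    and only on the admin ports
# Device-to-device isolation inside the IoT VLAN is not a router matter: that
# traffic never crosses the forward hook, so it has to be configured on the
# switch or access point (client/port isolation).
iot_ruleset() {
    cat <<EOF
table inet iot_segregation
flush table inet iot_segregation
table inet iot_segregation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to connections that were already permitted
        ct state established,related accept
        ct state invalid drop

        # IoT -> Internet only: refuse private ranges first, then permit the uplink
        iifname "$IOT_IF" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        iifname "$IOT_IF" oifname "$WAN_IF" accept

        # admin access to IoT devices from a single corporate host, HTTPS and SSH only
        iifname "$CORP_IF" oifname "$IOT_IF" ip saddr $ADMIN_HOST ip daddr $IOT_NET tcp dport { 22, 443 } ct state new accept
    }
}
EOF
}

# Parse the ruleset without loading it, when nft is present on this host.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    iot_ruleset | nft -c -f -
}

iot_ruleset
```

Run the script to see the ruleset, `check_ruleset` to syntax-check it with `nft -c`, and load it with `iot_ruleset | nft -f -` once you are satisfied. The explicit drop of RFC1918 destinations is deliberate belt and braces: even if a future rule accidentally widens what the IoT interface may forward, devices still cannot reach internal address space.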
- Ensure password security
A substantial proportion of IoT security breaches have come from insecure password practices. Most devices ship with a default password, and attackers scour the Internet for user manuals so they can add new defaults to their word lists. They love nothing more than a password that is the same on every device that comes out of the box.
Find the user manual for your device before buying it and look for how to change the password, or try contacting the vendor for pre-sales support. If the password cannot be changed, you may have found a device that is insecure by design.
Most IoT devices are incapable of implementing technical password policy controls such as complexity requirements, account lockouts or expiry settings. Here your staff will have to select passwords that meet your complexity requirements themselves.
When you first enable the device, generate a random password and store that centrally for safe keeping. Be sure to then create a rolling calendar reminder for IT support to alter the password manually if the device cannot do this itself.
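The generate-store-rotate routine described above can be scripted so that the password is drawn from the kernel’s random source, the central record is readable only by its owner, and the “calendar reminder” becomes a query that lists devices whose password is past its rotation interval. The script is an added example and is not from the original post; the inventory file path and the 90-day interval are constructed assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post). Generates a random per-device
# password, records it in a restricted inventory file and flags devices whose
# password is older than the manual rotation interval. INVENTORY and
# ROTATE_DAYS are constructed assumptions; override them via the environment.

INVENTORY="${INVENTORY:-$HOME/iot-credentials.txt}"
ROTATE_DAYS="${ROTATE_DAYS:-90}"

# Draw an alphanumeric password (default 24 characters) from /dev/urandom.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-24}"
}

# Append "device<TAB>password<TAB>created_epoch" to the inventory. The umask
# makes a newly created inventory mode 0600, readable by the owner only.
record_device() {
    dev="$1"; pw="$2"
    umask 077
    printf '%s\t%s\t%s\n' "$dev" "$pw" "$(date -u +%s)" >> "$INVENTORY"
}

# Exit 0 when the device's most recent password is older than ROTATE_DAYS,
# 1 when it is still current, 2 when the device is not in the inventory.
due_for_rotation() {
    created=$(awk -F'\t' -v d="$1" '$1 == d { c = $3 } END { print c }' "$INVENTORY")
    [ -n "$created" ] || return 2
    now=$(date -u +%s)
    [ $(( now - created )) -ge $(( ROTATE_DAYS * 86400 )) ]
}

# Print every device that is due for a manual password change: the reminder
# step from the text, run on demand instead of from a calendar.
list_due() {
    cut -f1 "$INVENTORY" | sort -u | while read -r dev; do
        due_for_rotation "$dev" && echo "$dev"
    done
}

# Usage (source the file, then):
#   record_device coffee-machine "$(gen_password)"
#   list_due
```

Re-running `record_device` for the same device after a rotation appends a new line with a fresh timestamp; `due_for_rotation` uses the last line for that device, so the history of earlier passwords is kept in the file but no longer counts as current.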
- Check if it has the ability to update firmware/install patches
Even the most robust devices will eventually have some security or functionality bug. The natural solution is for the vendor to provide an update. If your device has no way to update itself, it may become obsolete because of a security flaw it can never be rid of, and that design flaw could cost your business dearly.
Again, the best source of information on this before purchasing is the user manual, usually available online, or the vendor itself.
- Disable unnecessary features
Most vendors strive to add features to their device, and many will turn them all on out-of-the-box. Each feature is something that can be attacked. For each IoT device you install, the best practice would be to disable as many features as possible. Review the need for everything and disable what is not required.
Doing this will reduce the so-called attack surface. Even if a vulnerability is found in a device you’re running, it may be immune to that attack if you have already disabled the feature which is being exploited.
For more information about secure IoT, contact our experts today.