
Five Easy Ways To Build Security Into The Internet Of Things

Forbes Technology Council
POST WRITTEN BY
Aaron Allsbrook

IoT security is at the forefront of everyone’s mind these days due to a huge uptick in DDoS attacks coming from our newly connected devices. So far, we've seen DVRs and video cameras fall victim and become mindless drones in a malicious botnet army. After 20 years of partnering with enterprises to build software that deploys inside, outside and around their firewalls, I've learned that there are a few basic things we should always include when creating new IoT solutions to protect our creations and our companies.

Here are five things you should do right now to keep you and your company off the list of hacked IoT devices.

Change Default Settings

Every operating system, app server, device or library comes with a set of defaults that are designed to help you secure it. The original vendors created a default account and then published it so that you could easily get set up and started with the product. However, these default accounts were never intended to go into production -- you need to change those settings.

Whether it’s the default password for your Wi-Fi router or the pre-loaded Raspbian instance on your Raspberry Pi, you absolutely must change the defaults. Leaving them in place leaves an open door for hackers and is embarrassing for you and your organization.

Close Unused Ports

Next up on the security stack is closing unused ports. Every device has a large number of inputs that can be used for unique communications. Whether it’s the internet, email or chat, they all run over different ports. Thankfully, cloud and modem vendors help us with this task with built-in firewalls and security profiles. That said, for those of us making new devices to power the IoT, there is no one providing this protection.

The easiest thing you can do to protect your project is to close all of the ports that your application does not absolutely need. In most cases, modifying a single configuration file can do this. Closing the unused ports is an easy way to make it harder for hackers to get into your device without you knowing.

Don’t Store Information in Plain Text 

The majority of applications, whether IoT or mobile, need to store data in memory. Maybe it’s the user profile, a set of preferences, or a security key to restore connections, but in every case, there is the potential to put something in memory that could be used maliciously. While we hope that hackers are never able to access our devices, the very nature of IoT means that we are putting things in the wild to be managed by people who may not be aware of all security vulnerabilities.

When you store data, you should always choose to encrypt it so that another user, application or hacker cannot understand it. Simply having the data in a format that isn’t immediately understandable goes a long way towards keeping your application from being a hackable target.

For businesses: Before you decide to store lots of information about your users, consider whether that information is actually valuable. So many apps have raised their target profile simply by storing things that were of interest to others. If you don’t need geo-location data, don’t store it.


Encrypt Your Communication 

For years we've been encrypting information to protect it from snooping third parties. These encryption methods have now become the backbone of trust on the internet – we feel safe that our credit card number is transferred securely, that only our friends see our photos, and that true professionals review our medical records.

Thankfully, the process of applying third-party trust is well established and simple to follow. Whether you use GeoTrust, DigiCert or Let's Encrypt, you should always spend the effort and money to give yourself and all of your users confidence that their data cannot be spied on.

Make Device Updates Required

The last task of managing devices, though challenging to do by yourself, remains critical. The reality we all face is that critical security vulnerabilities will continue to be found. New exploits will be discovered, making the software we leverage today out of date. To overcome such a frustrating reality, we need the ability to update our software even after it's been deployed and is operating in production. More than ever, the IoT requires that our encryption libraries, operating systems and protocols be continuously updated to the latest and most secure versions.

To accomplish this you can DIY, leverage an IoT platform or purchase device management software. In every case, keeping track of and maintaining a healthy device ecosystem is the only way you can protect your IoT solution. If you're going to go it alone, I recommend starting with a base operating system designed for automatic updates. Using technologies like Ubuntu AutomaticSecurityUpdates or Debian UnattendedUpgrades will simplify the task of getting your core foundation correct.
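On Debian and Ubuntu, unattended upgrades are switched on by two `APT::Periodic` settings, and a later configuration file can silently switch them off again. The following added example (not from the original article) checks the merged settings; the sample configuration text is constructed, and it assumes the `unattended-upgrades` package is installed.

```shell
#!/bin/sh
# Added example: verify that automatic updates are enabled in apt's config.

# Constructed sample: /etc/apt/apt.conf.d/20auto-upgrades as usually shipped.
sample_enabled() {
cat <<'EOF'
// Refresh package lists and apply security updates daily.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Constructed sample: a later drop-in file turns upgrades back off.
sample_override() {
sample_enabled
cat <<'EOF'
# Hypothetical 99-local file added during debugging and never removed
APT::Periodic::Unattended-Upgrade "0";
EOF
}

# periodic_value KEY
# Prints the last value assigned to APT::Periodic::KEY on stdin (apt reads
# files in order and the last assignment wins), or 0 if the key is unset.
periodic_value() {
    awk -v key="APT::Periodic::$1" '
    /^[ \t]*(\/\/|#)/ { next }                      # skip comment lines
    $1 == key { v = $2; gsub(/[";]/, "", v); val = v }
    END { print (val == "" ? 0 : val) }'
}

# Prints "enabled" only if both list refresh and unattended upgrade are on.
auto_updates_status() {
    conf=$(cat)
    lists=$(printf '%s\n' "$conf" | periodic_value Update-Package-Lists)
    upgrade=$(printf '%s\n' "$conf" | periodic_value Unattended-Upgrade)
    if [ "$lists" != 0 ] && [ "$upgrade" != 0 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# On a live device: apt-config dump | auto_updates_status
```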

While many think that recent IoT hacks are sophisticated and unstoppable, the reality is that most of today’s attacks can be stopped with some well known, basic practices. Following the tips above will help keep your new IoT solution from falling easy prey to malicious attackers.