Navigating the IoT security minefield: The cloud portal
Since I started this series, it seems that not a week goes by without another IoT-related security story in the news, with most of the coverage still focusing only on the hardware. However, unlike Wi-Fi routers, phones and other standalone things, IoT devices like a Nest thermostat, which regularly communicate back to the cloud and allow the user to manage his individual thermostats entirely via a convenient web cloud portal, have complicated the security landscape.
Needless to say, this approach introduces its own set of security challenges. Instead of running a phishing campaign to discover and compromise individual devices, a hacker now has a single target — once the management portal is compromised he can gain access to thousands or even millions of devices, and in the case of video camera software, access to actual video footage.
Unless secure coding practices are followed and strict security controls are implemented and audited at the application and network level, it is highly likely that such an application will be hacked, as happened to one smart start IoT device in this article.
So, what are the best practices that need to be followed when building a centralized IoT management portal?
First of all, in order to avoid the typical OWASP Top 10 vulnerabilities, secure coding practices must be followed. A good summary of these practices can be found in this quick reference guide.
In addition to building an application, one must ensure that it stays secure by implementing regular vulnerability scans, penetration tests and security code audits. And it is paramount not to overlook other potential attack vectors, such as adjacent applications, servers and more. After all, you are as secure as your weakest link, as I outlined in one of my previous blog posts.
In order to track all the security tasks, it is also highly recommended to implement a full Information Security Management System. Standards such as ISO 27001 can be used as the basis for one.
Next month, I will dive into the challenges of securing IoT devices to cloud communications.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.