Since I started this series, it seems that not a week goes by without another IoT-related security story in the news, and most of the coverage still focuses only on the hardware. However, unlike Wi-Fi routers, phones and other standalone things, IoT devices such as a Nest thermostat, which regularly communicate back to the cloud and let the user manage all of his individual thermostats through a convenient cloud web portal, have complicated the security landscape.
Needless to say, this approach introduces its own set of security challenges. Instead of running a phishing campaign to discover and compromise individual devices, a hacker now has a single target — once the management portal is compromised he can gain access to thousands or even millions of devices, and in the case of video camera software, access to actual video footage.
Unless secure coding practices are followed and strict security controls are implemented and audited at both the application and the network level, it is highly likely that such an application will be hacked, as happened to one smart start IoT device described in this article.
So, what are the best practices that need to be followed when building a centralized IoT management portal?
Beyond building the application, one must ensure that it stays secure by running regular vulnerability scans, penetration tests and security code audits. It is also paramount not to overlook other potential attack vectors, such as adjacent applications, servers and more. After all, you are only as secure as your weakest link, as I outlined in one of my previous blog posts.
In order to track all the security tasks, it is also highly recommended to implement a full Information Security Management System. Standards such as ISO 27001 can be used as the basis for one.
Next month, I will dive into the challenges of securing IoT devices to cloud communications.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.