I received an email from a security camera vendor today. The main selling point for its product is, “You can access your video from anywhere, on any device, at any time.” In other words, “We store your data in the cloud.” Just a quick glance at its website revealed there are no third-party audits or evidence of a real security framework. Instead, there are a bunch of empty statements such as, “We take care to protect the privacy of our customers’ data.”
Needless to say, I will not be using them anytime soon. However, this sheds light on a much larger problem plaguing the entire, not so new, IoT industry: How do you manage and sufficiently protect all of these devices? Centralized web portals have become the go-to solution, making it easy for a customer to plug in their device, register in the portal and access the device from anywhere in the world.
Unfortunately, there is a price to this convenience. Without proper security controls in place, hackers can access these devices from anywhere, just as the end user can. Not only can hackers access and exploit personal data (such as up to 120 days of video, stored by the above-mentioned vendor), these devices can also be easily extended to aid in targeted attacks, including distributed denial-of-service attacks to cryptocurrency mining. Given that most devices run Linux, they are especially vulnerable to use in certain tasks, such as Mirai malware.
Despite the obvious risks, security is an afterthought to most IoT vendors. There are numerous best practices that organizations must consider when utilizing a web portal for device management, including password recovery and account lockout procedures. But the security concerns with IoT extend far beyond web portals. At times, it can feel like navigating a minefield. I’ve narrowed it down to the top five security challenges IoT vendors face today:
- Hardware security, including default credentials and network services;
- Cloud web portal security to avoid vulnerabilities such as SQL injection and cross-site scripting;
- Securing device-to-cloud flows;
- API security; and
- Establishing and maintaining proper controls for storing customer data in the cloud.
Unfortunately, there is no simple solution to these problems. As with any other product or platform that has an internet presence, security needs to be built into the management and development process from the beginning — it is much harder to address once the product or platform is established. Proper security also requires commitment at all levels of business, not just at the development level. Thus, it is highly recommended to adopt a security framework such as COSO or NIST, and utilize third-party auditors to verify that controls are indeed being followed.
In the next article in this series, I will dive a bit deeper into the security issues related to the use of web portals in IoT, including how to establish a strong security strategy, ways to ensure your security controls are in place and best practices for protecting your customers.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.