alphaspirit - Fotolia
- Dan Sullivan and James Sullivan
The Internet of Things has been a buzz term for the past several years. However, as the technology slowly trickles into our everyday lives, people are becoming more and more concerned with the security of these devices and the systems that run them. From cars to refrigerators, IoT is making its way into many households -- and the backlash against IoT security is not unfounded. The importance of IoT security testing is increasing, and for good reason.
IoT security issues unveiled
Last year, ethical hackers started showing off what they could do with networked automobiles. Fiat Chrysler recalled 1.4 million vehicles after two security researchers demonstrated they could remotely disengage the brakes and transmission of a 2014 Jeep Cherokee. The Tesla Model S was a topic of conversation at the DEF CON hacking conference when it was shown the car could be started using a laptop connected to the driver-side dashboard.
Medical devices are also potential targets for hackers. A group of students at the University of Alabama hacked the pacemaker inside a medical training robot using the device's Wi-Fi capabilities. Similarly, security expert Billy Rios found vulnerabilities in the drug infusion pumps used at a hospital after receiving surgery there. He claims the vulnerabilities could allow a hacker to remotely change the dosage of drugs administered with the pumps.
While these are all extreme situations with life-threatening consequences, organizations must be expected to properly secure their devices.
IoT security testing: A must-have
Security is not an add-on feature; it must be built into the foundation of any given device. The level of security held by a device is derived from both the architecture and coding choices made by developers. This is particularly important to keep in mind when working in IoT as a lot of security choices need to be made with the platform in mind. Commonly used security techniques, such as encryption, may be challenging for devices with little processing power. Although it is a challenge creating a secure IoT fleet, attention needs to be paid to data confidentiality and integrity, as well as the availability of IoT services.
A good way to start is by following the security practices defined by the Open Web Application Security Project (OWASP). OWASP guidelines include information about secure coding and firewall use in addition to application interface best practices. When securing your IoT fleet, the first order of business is to test the security of the device itself.
IoT security testing must be run for common Web application vulnerabilities such as cross-site scripting and cross-site request forgery, make use of public encryption algorithms when possible, and try to make the most out of firewall protection as certain devices may not support it. On the software side, make sure patches and updates can be digitally signed to prove legitimacy to the device. Devices should not assume all patching attempts are legitimate; an apparent patch could be a piece of malicious code.
In general, authentication should be as strong as possible. Test for weak passwords and mandate two-factor authentication for sensitive operations, such as setting changes. Use fuzz testing to send a wide variety of inputs to a device to probe for potential vulnerabilities related to buffer overflows or other unhandled exceptions. Also be sure to complete IoT security testing on port devices such as USBs to detect vulnerabilities. Minimizing the use of physical ports altogether will decrease the overall attack surface of your IoT device and reduce the chances of an attack. In the event that a breach does occur, it is important to enable security event logging for later analyses.
IoT security testing: Test more than just the devices
Next comes the securing of the network interacting with your devices. First look at how data is transmitted to the back end for processing; all communications should be encrypted. Protection of cloud services is also vital to the security of an IoT fleet, and some practices from securing the devices carry over to this. Use two-factor authentication and avoid weak passwords for cloud services, and test cloud interfaces for common Web interface vulnerabilities.
It is also important to only collect and store data relevant to business operations. While a data breach on personal medical records is bad enough, if the same organization is also holding financial information, it would make the attack much worse. Only store information that is relevant to business operations and customer care; this can help minimize the amount of confidential and sensitive information transmitted and stored off the device, which in turn reduces the amount of data that could be compromised in a data breach.
Building a secure IoT infrastructure and completing routine IoT security testing means covering all your bases; it includes both securing the devices themselves and the networks or cloud services they are connected to. Organizations looking to utilize IoT technology need to think in terms of securing the device, communications and the data collected all at the same time. The Internet of Things can be a powerful tool, but, much like superheroes in the movies, its greatest strength can be its greatest weakness.
About the authors:
Dan Sullivan is an author, systems architect and consultant with over 20 years of IT experience with engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence.
James Sullivan is a technology writer with concentrations in cloud database services, IoT and security. He is based out of Portland, OR.
How to make IoT security a reality
Seven enterprise IoT risks to consider
Cooking up the right IoT security strategy
Dig Deeper on Internet of Things (IoT) Security Strategy
UK’s proposed IoT cyber security law gathers momentum
New IoT Cybersecurity Improvement Law is a start, not a final solution
Operation IoT interoperability: Testing device compatibility
Flying IoT introduces new opportunities, security vulnerabilities