The Ultimate IoT Security Checklist

By the end of 2020, there will be 21B IoT devices worldwide, creating a massive network of self-driving cars, connected energy grids, and smart appliances. As innovative companies build towards this connected future, they must constantly evaluate the risks that come with these large IoT security networks.

This blog will detail the unique risks of connected devices and best practices for IoT security. It is based on the advice of experienced professionals and leaders in this emerging field. It includes:

What is IoT Security?

IoT security is a matter of protecting connected devices and their adjacent networks from potential security threats (whether from competitors, nation states, or malicious insiders). The practices and technologies used to secure connected devices are constantly evolving because new hacks and security vulnerabilities are discovered all the time. That means a robust IoT security solution must include features and practices that keep connected systems secure today and tomorrow.

An Exploration of IoT Security

IoT-security

In October 2016, a botnet of IoT security cameras and routers attacked Dyn, a prominent domain and service provider. Dyn underwent a massive internet outage that cost millions of dollars in productivity losses alone. In the wake of the Dyn hack, many decision makers realized that they needed to consider not just functionality, but security and reliability as key features of the IoT platforms they were buying.

The Dyn hack, while the most visible, is not the only example of critical IoT security failures in recent years. Vulnerabilities in some solar panels allow hackers to spy on and control power access to homes. Security holes in certain toys exposed images of children and their parents to malicious third parties. In industry and consumer fields alike, security has already been compromised and data lost.

To protect devices, customers, and businesses, decision-makers must be vigilant about the unique risks of an IoT system. These risks include:

  1. Customer data exposure — Many IoT devices measure and transmit sensitive data. Fitness trackers, heart rate monitors, sleep trackers, and security systems all transmit data that could be used maliciously.
  2. Corporate data exposure — When connected directly to a company’s data center, IoT devices open security holes fundamentally outside the expertise of most in-house IT staff. These systems may cause catastrophic vulnerability and data loss.
  3. Physical damage — Many IoT products contain actuators which can physically harm customers if they are improperly triggered. Heating elements found in connected ovens and coffee makers can potentially cause a fire. Connected cars can be shut off mid-drive, or have their brakes disabled by a third party.
  4. High-risk downtime — Some IoT services can pose fatal threats in the case of service failure. Connected medical devices must still function correctly when offline. An automated pet feeder could endanger the life of a pet if the service supporting it has unplanned downtime.
  5. Broader liability — As detailed above, IoT hacks can create liability for physical harm that goes beyond data loss or identity theft. Hacks to these products can have existential life and property liability, which has been shifted to the companies producing connected devices.
  6. Reputation and brand damage — Brand-focused corporations can suffer massive losses in the wake of a security attack. With numerous outlets online and off, consumers have increased voice and impact. Companies must guard against any large scale news event that damages reputation.

An IoT Security Checklist For Connected Products

Developers and decision-makers can combat the unique risks of IoT by preventing potential attacks and taking actions to ensure the continued safety of their connected systems. This checklist covers areas to review in creating a minimal attack surface area, as well as features and actions key to maintaining a secure system in a rapidly evolving field.

  1. Operating Systems — Each open port and available protocol is a potential point of attack. Code on microcontroller units (MCUs) runs “bare metal” with no supporting operating system; each type of communication required by a product is intentionally added by the product developer. In contrast, many SOCs and Linux systems have multiple open ports by default, adding a vast array of attack vectors product developers may not even be aware of.
  2. Applications — There can be multiple application programs running on a full system on a chip device – and the more applications you have, the more potential there is for bugs or security vulnerabilities. It is critical to the vitality of your product to run an audit and sanitize these programs.
  3. Dependencies — Establishing a rigorous process to check that your external dependencies and libraries are up to date and validated is critical. Modern encryption and communication protocols evolve over time, and you must invest in staying current, or risk ignoring new vulnerabilities. Just like application security, a larger number of dependencies means that more maintenance must be done.
  4. Communication — Man-in-the-middle attacks, replay attacks, and loss of sensitive information are just a few of the threats that can occur if communications between the device and the cloud are not encrypted, or are encrypted poorly. Proper encryption ensures confidentiality, integrity, and authenticity.
  5. Cloud — Always on and connected servers require constant monitoring and testing.  By minimizing your network, application, and dependency surface area, and closely monitoring access and behavior, you can reduce risk for each cloud server. You should subscribe to security mailing lists and alerts for your dependencies, operating systems, and service providers.
  6. User Access and Security — Threats come in all shapes and sizes – and they could be within the company. Establish a positive culture of security and awareness for your team, educate them about phishing and social engineering attacks. Practices like two-factor authentication, strong passwords, and whole-disk encryption help reduce the scope of damage from careless user error.

Features and actions for IoT Security

All systems require maintenance to stay ahead of evolving security risks. The following features and actions help prevent future vulnerabilities.

  1. Penetration testing — Businesses can stay ahead of modern hacking techniques by repeatedly testing their systems with security researchers and fixing potential vulnerabilities as they develop.
  2. Firmware application reviews — Security experts can sanitize application flaws during firmware development, preventing fatal application flaws at a customer level.
  3. Security update mechanisms — Security protocols change and improve over time. Allowing for rapid firmware deployment to all devices at once improves security.

The Particle Approach To IoT Security

At Particle, IoT security is a constant consideration in every decision we make. You don’t have to be a certified network security engineer to use the Particle platform either. Our platform provides a secure, scalable infrastructure for IoT products, as well as easy-to-use tools for managing your devices and the software that they run. The platform includes important practices and features such as:

  1. Secure by default — Every message sent through Particle is encrypted and secure. No plaintext allowed.
  2. Hardware keys — Each device is given its own private key, so unauthorized hardware can’t sneak into your fleet.
  3. Team Access controls — An all-new feature to help businesses manage appropriate levels of access to device fleets. With team access controls, you can assign roles (a set of permissions) to each member of your team.
  4. Continuous monitoring — We monitor our servers and the security landscape to ensure your devices stay locked down.
  5. No open ports — Particle devices don’t leave any incoming ports open for port scanners or active side attacks.
  6. Encrypted radio connections — Radio connections are encrypted by industry standard WPA2.
  7. OTA firmware updates — Particle provides the best OTA firmware update experience. You can seamlessly send new firmware updates to change product behaviors or address security vulnerabilities.
  8. Two-step authentication — Particle supports two-step authentication, an industry standard security feature to help keep your account, and subsequently your fleet of devices, protected.
  9. Data policy — As a matter of policy, Particle intentionally limits the scope of user-data stored in the Device Cloud. As sensitive information passes through, the Device Cloud will secure the data, but not store it. We do not store any personally identifiable information or data that could be used to compromise products or customers in the Device Cloud.

How to start your IoT journey

Building and securing your own IoT project may seem challenging or near impossible (as a matter of fact, nearly three-fourths of self-initiated IoT projects are considered a failure, while a third of all projects were not seen as a success). The two biggest contributors to the failure rate are: lack of internal IoT expertise and platform (hardware/software) reliability.

With Particle, you have full access to IoT experts, a large community of IoT enthusiasts, support services, and professional engineering services (Particle Studios) to help you get your IoT projects off the ground. Additionally, you will be building on top of an enterprise-grade, production-tested IoT platform used across the industry.

If you are interested in building an IoT project, check out our hardware on the Particle Store, or feel free to consult our team of experts if you are interested in building an IoT project at scale. 

Additional IoT Security Resources

  1. SOC: Understanding the threat and how IT Leaders can Maintain Security
  2. The Enterprise IoT Security Checklist for Today — And Tomorrow
  3. Six Principles To Secure the Internet of Things

Author Bio