Casual IoT is infiltrating office buildings and businesses everywhere. Smart TVs, wearables, smart speakers, connected printers and even consumer-grade security cameras are now deployed in the enterprise.
In the plus column, such devices are easy to set up and deploy. And in the negative column, they tend to be easy to hack.
They also open up new vistas for hackers. There’s the case of hackers who sought to steal data from a Las Vegas casino by way of a connected aquarium. And then there is the teenager who hacked 150,000 printers last year.
As the numbers of connected devices continue to expand, the problem could go from bad to worse. To help improve the sorry state of IoT device security, the nonprofit Online Trust Alliance has released a series of 10 guidelines designed to address the threat facing nearly any type of organization.
Here, we summarize the 10 guidelines while including feedback from Jeff Wilbur, director of the Online Trust Alliance.
1. Put IoT Devices on Their Own Firewalled and Monitored Network.
When it comes to connecting consumer-grade IoT devices in the enterprise, you need to take a proactive approach. “You want to have them segmented away and behind a firewall,” Wilbur said. “You can block incoming traffic to it so people can’t attack from the inside and you can control and monitor it closely.”
2. Updating Your Passwords Is a Must. Using Multi-Factor Authentication Is Also Helpful.
While using strong passwords is a standard piece of advice for internet security, there is some debate out there on what a strong password is. “I don’t know if I have a definitive answer, but the trend seems to be towards using longer passphrases that might be easier for you to remember but difficult to guess,” Wilbur said. “The shorter it is, the easier it is to crack.”
Oh, and don’t think just because you changed an “s” to a “$” or an “l” to a “1” in your passwords that you will be safe. “Because those substitutions are obvious, that would be pretty easy for an attacker to use those in a dictionary attack,” Wilbur said.
Multifactor authentication can be a relatively easy way to up the security of many IoT devices with a user interface, but it isn’t always possible.
3. Shut Down Functionality When It’s Unneeded
One of the most primal security strategies is to shrink your attack surface down as much as possible. But the question becomes: How far you are prepared to take it. “Are you going to solder a plug into a USB port? Some organizations actually do that kind of thing,” Wilbur said.
But you don’t necessarily have to get a soldering iron out to reduce your attack surface. “Smart TVs, if all you are doing is using them as a display, don’t need to be connected to anything,” Wilbur said. “Taking them offline reduces the attack surface.”
4. Check to See if Physical Access Allows Intrusion
Related to the above point, it is helpful to understand how your attack surface differs in the case that a hacker is remote versus when they are physically in the office location. There are a number of connected devices that are vulnerable after doing a hard reset. If there are any, consider locking them away, when possible.
Here, enterprise professionals must determine their risk tolerance. “How likely is someone in a conference room going to launch an attack?” Wilbur asked. “You have to at least proactively think about how far to take it instead of hanging a smart TV on the wall and never thinking about it again, without realizing what you have just done.”
5. Watch Out for Automatic Wi-Fi Connections
A fair number of consumer-grade IoT devices are designed to detect Wi-Fi and just attach themselves to any network they might find — which may be an SSID that isn’t password protected. “You want a secured Wi-Fi network; not an open one,” Wilbur said. “You want your data to be encrypted.”
6. Block Incoming Traffic When Possible. When Not, Watch Out for Open Ports
Many IoT devices ship with open ports to support management functions rather than standard functionality available via a user interface. Even some passwords permit telnet access with only an IP address.
Again, the point here is to reduce your attack surface as much as feasibly possible. That might mean completely blocking all incoming traffic with a firewall. But in other cases, that will mean only keeping open which TCP and UDP ports you need. Some IoT devices may have custom open ports that are not standard. “There are all of these unique software ports that may be available, and it may differ by device,” Wilbur said. “You may not know they are even there.”
7. Make Encryption a Default
It may not always be feasible to encrypt data for some time-sensitive enterprise applications, but for most consumer-grade IoT devices, it is possible to ensure data is never sent as clear text. When it isn’t possible to encrypt, organizations should use a VPN or other means of masking their data.
8. Do Your Research When Using Back-End Services or Apps for IoT Devices
Avoid using any web service without knowing something about it. Organizations like the Online Trust Alliance look at best practices to gauge online trust of companies that are internet- and IoT-connected. “There are a number of tools where you can assess the security of web services that might be connected to your IoT devices,” Wilbur said. Such services check to see if they, say, have good configuration for their TLS / SSL connections or whether they use trusted protocols or have sound site configurations. “There are free tools out there that we regularly reference. One is by Qualys and one is by High Tech Bridge,” Wilbur said.
Mobile apps are a little bit trickier. “There are not a lot of tools out there,” Wilbur acknowledged. “High Tech Bridge has a mobile app tool now that looks at the security and privacy of mobile apps — for Android and Apple.” But overall, there is not as much information on the security and privacy of mobile apps.
9. Update Your Firmware and Software
This advice is some of the most important on the list. If an IoT device can’t be updated, it probably shouldn’t be in your enterprise.
While most well-known consumer-facing IoT devices do support updates, inexpensive security cameras are one of the worst offenders in this regard. They often use off-the-shelf software stacks with known vulnerabilities, use hard-coded passwords and lack support for updates.
While some updates can be automated, firmware updates tend to be a manual affair.
10. Follow the Life Cycle of IoT Devices and Discard When Necessary
If a maker of, say, an IoT device suddenly goes out of business, it may be necessary to get rid of their product. In some cases, the device will still work but just won’t be patchable, which brings us back to the prior point. But in other cases, the defunct manufacturer — or a manufacturer who kills off a product line — will brick the devices it no longer makes, rendering them useless.
“This list is meant to be chronological, from when you install it to its life cycle,” Wilbur concluded. “But if I had to pick a top couple: it would be to change default passwords, which many devices have, and to keep your software updated.”