The internet of things (IoT) is a living, breathing beast that’s surreptitiously infiltrating our lives. We now have smart cities where the street lights and trash bins are calculating data to schedule efficient lighting and trash pickup. Our homes are connected to devices that allow remote adjustment of lights and temperature to our liking. Then there’s the IoT devices in the enterprise which monitor our health in the medical industry, monitor your assets, assist with manufacturing and maintain security.
These devices are everywhere and attackers have taken notice. The DYN DDoS attack alone proved to the industry that attackers are already using IoT devices for attacks. It’s not only plausible, but has already happened and will most likely increase.
The inherit insecurity of many IoT devices has not only caused a stir in the security community, but also within the U.S Government. Over the summer we saw the proposed bill, Cybersecurity Improvement Act of 17, which references the need to secure IoT products that the government purchases to meet minimum standards. IoT devices have our attention now, but it will be up to us on how to protect ourselves and collateral damage these devices can cause.
With IoT devices having become part of our culture we need ways to reduce the risks of compromise. As an industry, we always look to have security implemented in layers. By using a layered approach, or even better a zero-trust model of security, a major factor to security becomes the protection of the machines identity. The authentication and authorization to a system is incredibly important to security and this includes IoT devices. The standards on how to secure IoT devices are still very young, but we should heavily focus on the authentication of these devices as a priority.
Depending on how authentication to these devices occurs, it’s important to reduce the risk of attackers taking over a system and controlling IoT devices for their own will or to compromise the data that might be communicated. There’s a valid concern that attackers will start compromising IoT devices with some type of ransomware or by exploiting the systems themselves and holding their authentication keys hostage. The need to encrypt the communications of IoT devices and the authentication directly to them should be mandatory in your decision to protect IoT identities.
Standards like MQTT over TLS should be viewed to secure how machine-to-machine (M2M) authentication is taking place. With many IoT devices there’s normally a large amount of direct communication between other IoT devices in order for them to function properly. This M2M traffic can be implemented in a fashion with MQTT where it utilizes a hub and spoke model to communicate and enforce security and encryption. This allows for the confidentiality of the communications between these devices and stops attackers from spoofing or sniffing credentials in cleartext. Before implementing an IoT device within your network, review the security features as they relate to authentication as a priority. Determine if you’re able to securely login to a portal or be able to enforce SSH on the devices to create secure communications to them directly.
As IoT devices continue to grow in our networks we’ll need to take steps in ensuring we’re protecting these machine identifies to reduce the effectiveness attackers have from compromising poorly configured and implemented IoT devices. This is one area that needs to be reviewed when auditing IoT security and isn’t meant to completely secure all IoT devices from harm. This layer in your IoT defense toolkit isn’t a panacea, but should be close to, if not on top of list to defend against.
Matthew Pascucci is the Cybersecurity Practice Manager for CCSI, Privacy Advocate and Security Blogger. He holds multiple information security certificates and has had the opportunity to write and speak about cyber security for the past decade. He’s the founder of www.frontlinesentinel.com and can be contacted via his blog or on Twitter @matthewpascucci