(Blog): With the recent release of the FTC report on IoT device security, now is the time to start evaluating the security of devices, says Don Schleede of Digi International. This includes how they are manufactured.
Security has often been an afterthought in the manufacturing process with little consideration given to how sensitive customer and user data could be accessed and what malicious actions could be taken by an Internet of Things (IoT) system if it came under the control of the wrong people. Manufacturers can take a much stronger role in protecting data and devices – and the following is a checklist of concepts that should be considered by manufacturers and included in all designs for IoT and M2M devices and processes.
- Training and Tools: Invest in targeted training to ensure your engineers and testers understand security coding techniques and can properly and fully assess the risks of their designs. Utilise programs such as Open Web Application Security Project (OWASP) and look for security certifications and training from organisations like ISC2, GIAC and EC-Council. It is also crucial to invest in tools and software that measure vulnerability, scan code for unsecure usage, and examine devices’ functions.
- Default Configurations: When your product ships, ensure that the base threshold of configuration to get the device to work is standard and part of a secure installation process for the customer. For instance, there should be no default passwords, secure protocols (e.g. https) should be in effect, and administrative interfaces should be disabled in places that may expose features to the internet. Let the customer override those features later if desired – but the initial security should be default.
- Encryption: Ensure that all ingress and egress data and control connections are done using a secure standard such as SSL/TLS. USA Federal NIST standards (such as FIPS-140-2) are also a good place to start and cover the use of encryption such as AES128 or AES256. Understand, particularly in the IoT space, when symmetric and asymmetric encryption are needed and critical.
- Hashing: Use a one-way non-decryptable technique for storing passwords. Make sure all hashes use a random salt value that will protect against many common attacks. The misuse of hashing is critical in design and has led to many breaches in the past. Recommended hashing algorithms include SHA-2 and PBKDF2.
- Identification: Ensure all actions performed by a device have some form of identification. This could range from a user logging into a device with the proper role-based access controls (RBAC) to data transmissions from the device. Keep in mind that a device needs authentication as well – and be sure the device authenticates with the collection or control application. One suggested methodology is private key infrastructure (PKI) certificates to identify and authenticate devices.
- Firmware updating: Create a process for the device to automatically update itself while in service or make it easy for the customer to update the device. Most IoT devices have long lifespans (some up to 15 years). However, the secure lifetime of a device is around six months or less. Because a secure device shipped today will no longer be a secure device in six months, manufacturers must create new software versions that can be easily mass-deployed.
If you build these functional requirements into your next IoT device, you will be in a much better position to address security concerns with future products and services — and your customer and user data will be far better protected.
The author of this blog is Donald Schleede, the information security officer at Digi International, a Minnesota-based manufacturer of embedded systems, routers, gateways, and other communications devices for machine-to-machine (M2M) systems. Schleede manages Digi’s Device Cloud, a cloud-based device-management solution that provides Digi’s customers with secure, remote access to Digi devices.