A security checklist to protect sensitive customer and user data in the Internet of Things

(Blog): With the recent release of the FTC report on IoT device security, now is the time to start evaluating the security of devices, says Don Schleede of Digi International. This includes how they are manufactured. 

Security has often been an afterthought in the manufacturing process with little consideration given to how sensitive customer and user data could be accessed and what malicious actions could be taken by an Internet of Things (IoT) system if it came under the control of the wrong people. Manufacturers can take a much stronger role in protecting data and devices – and the following is a checklist of concepts that should be considered by manufacturers and included in all designs for IoT and M2M devices and processes.

538512109

  • Training and Tools: Invest in targeted training to ensure your engineers and testers understand security coding techniques and can properly and fully assess the risks of their designs. Utilise programs such as Open Web Application Security Project (OWASP) and look for security certifications and training from organisations like ISC2, GIAC and EC-Council. It is also crucial to invest in tools and software that measure vulnerability, scan code for unsecure usage, and examine devices’ functions.
  • Default Configurations: When your product ships, ensure that the base threshold of configuration to get the device to work is standard and part of a secure installation process for the customer. For instance, there should be no default passwords, secure protocols (e.g. https) should be in effect, and administrative interfaces should be disabled in places that may expose features to the internet. Let the customer override those features later if desired – but the initial security should be default.
  • Encryption: Ensure that all ingress and egress data and control connections are done using a secure standard such as SSL/TLS. USA Federal NIST standards (such as FIPS-140-2) are also a good place to start and cover the use of encryption such as AES128 or AES256. Understand, particularly in the IoT space, when symmetric and asymmetric encryption are needed and critical.
  • Hashing: Use a one-way non-decryptable technique for storing passwords. Make sure all hashes use a random salt value that will protect against many common attacks. The misuse of hashing is critical in design and has led to many breaches in the past. Recommended hashing algorithms include SHA-2 and PBKDF2.
  • Identification: Ensure all actions performed by a device have some form of identification. This could range from a user logging into a device with the proper role-based access controls (RBAC) to data transmissions from the device. Keep in mind that a device needs authentication as well – and be sure the device authenticates with the collection or control application. One suggested methodology is private key infrastructure (PKI) certificates to identify and authenticate devices.
  • Firmware updating: Create a process for the device to automatically update itself while in service or make it easy for the customer to update the device. Most IoT devices have long lifespans (some up to 15 years). However, the secure lifetime of a device is around six months or less. Because a secure device shipped today will no longer be a secure device in six months, manufacturers must create new software versions that can be easily mass-deployed.

If you build these functional requirements into your next IoT device, you will be in a much better position to address security concerns with future products and services — and your customer and user data will be far better protected.

Digi's information security officer, Don Schleede
Digi’s information security officer, Don Schleede


The author of this blog is Donald Schleede, the information security officer at Digi International, a Minnesota-based manufacturer of embedded systems, routers, gateways, and other communications devices for machine-to-machine (M2M) systems. Schleede manages Digi’s Device Cloud, a cloud-based device-management solution that provides Digi’s customers with secure, remote access to Digi devices.

Recent Articles

realme CEO unveils 2021 plans following international awards

Posted on: January 15, 2021

According to the CEO of realme, though challenging year 2020 saw “positives on many fronts for realme, from corporate to product to design and more”. realme cemented its position as a mainstream global smartphone brand, ranking 7th overall in terms of shipments.

Read more

Where old meets IoT, SaaS integration

Posted on: January 15, 2021

Old meets new in the Internet of Things (IoT). It has been seen that we as humans only look forward when supported by evidence we already know (the past). This means, says Joseph Zulick of MRO Electric and Supply, that it becomes harder to find solutions that we have not already considered.

Read more