Securing IoT Part II: Security by Design for Devices

January 15, 2021

Security by design for IoT devices means envisioning security vulnerabilities at the concept stage of IoT device manufacturing. This allows for the strategic implementation of hardware and software solutions to combat potential threats.

In 2018, The UK Department for Digital, Culture, Media and Sport published a “Code of Practice for Consumer IoT Security” to regulate security standards for consumer IoT devices and services. The code of practice contains the following guidelines.

No default passwords

IoT devices developed with default usernames and passwords are expected to be changed by consumers, who may not do so. Hackers can gain information on these default logins and infiltrate the device. Thus, all IoT device logins should be unique and not resettable to a universal setting.

Implement a vulnerability disclosure policy

To stay ahead of infiltrators, IoT manufacturers should monitor for and resolve security vulnerabilities within their products. Discovered vulnerabilities must be reported to stakeholders upon detection so they can address any security concerns.

Keep software updated

Security patches and software updates should be provided to connected devices. The basic functions of the device should continue to operate while updating. The length of support a device will receive during its lifetime or a date of replacement for devices that cannot be updated must be communicated directly to the consumer.

Securely store credentials and sensitive data

Hackers can easily obtain credentials through reverse engineering. Secure storage mechanisms should be used to protect sensitive data such as cryptographic keys, device identifiers and initialization vectors. Hard-coded credentials in device software are not advised.

Communicate securely

Sensitive data should be encrypted in transit.

Minimize exposed attack surfaces

To minimize attack opportunities, devices should operate on the principle of least privilege. Services should not be available if not used, and hardware ports and other access points should close when not in use.

Ensure software integrity

To circumvent attacks, software on IoT devices should use a secure boot. The device should alert the consumer or administrator if an attack is detected.

Ensure the protection of personal data

To protect personal data, IoT device manufacturers should give users clear information on how their data is used, by whom and for what purposes. Personal data must be processed in accordance with data protection laws.

Make systems resilient to outages

As IoT devices and services are commonly used for safety or otherwise life-impacting functions, services should remain operational and locally functional in the case of network loss. Devices should recover cleanly once the network is restored and not pile up in a massive scale reconnect.

Monitor system telemetry data

To swiftly detect security threats, telemetry and log data collected from IoT devices should be monitored for unusual activity.

Make it easy for consumers to delete personal data

To keep personal data secure, consumers should be given clear instructions on how to remove their data from devices in the case of disposal or transfer of ownership.

Make installation and maintenance of devices easy

Security issues can be caused by consumer lack of knowledge, confusion or misconfiguration. To reduce threats, user design should avoid complexity, and consumers should be provided clear guidance on how to securely configure devices.

Validate input data

Attackers often use automated tools to exploit data. Thus, data transferred via APIs or between networks should be validated.

National Cybersecurity Standards in the US

Though the US recently implemented national IoT cybersecurity standards for controlled unclassified information (CUI), it has yet to establish national guidelines for consumer IoT. In the meantime, the UK’s “Code of Practice for Consumer IoT Security” can be followed for manufacturers looking to increase their consumer device security.

>>>Read Securing IoT Part III: The Cloud