
IoT Security Must-Haves – Part 2

August 1, 2022

Introduction

This is Part Two of our series on Internet of Things (IoT) Security. In this second entry we continue our discussion of important security protections for IoT devices and systems. We are expanding our list to include five additional security must-haves, #6 through #10, which cover unique but equally important security protections for IoT.

In our last security blog post we discussed must-haves #1 through #5, which include:

  • Secure Identity
  • Secure Communication
  • Secure Storage
  • Secure Boot
  • Secure Over-The-Air Updates

If you haven’t read part one, we highly encourage you to check it out and come back here afterwards.

As we said last time, if you don’t have these must-haves in your product, then you could be overly vulnerable to attack.

The Principle of Least Privilege

Before we continue, we want to review an important principle that should be at the top of mind when implementing security protections in any IoT system. This is called the Principle of Least Privilege.

This principle roughly means that users and system components should have access only to the information and resources that are strictly necessary to perform a legitimate task. This not only reduces the risk that a vulnerability can be exploited, but it also improves the safety and reliability of systems by making it harder for mistakes to propagate through the system.

This principle should be applied throughout all layers of an IoT system. Several of our must-have security protections on this list are direct applications of this very important principle. The best approach is to start with tight permissions and then loosen them as necessary. Taking the opposite approach can result in oversights that leave systems open to attack.

Must-Have #6: Strong User Authentication

What is it?

Most IoT systems require users to access their devices through a unique user account. Only valid users should be able to access their account data and interact with their IoT devices. Therefore, IoT systems need to support user account management such as signing up, signing in, and signing out users.

How does it work?

Rolling your own user account system is not such a good idea. Getting it right takes careful planning and execution to avoid vulnerabilities to attack. Cloud service providers offer user authentication services that make supporting user accounts straightforward. All protected interactions with the system, whether they originate through web, mobile, or other applications, can pass through such services to allow users to log in and authenticate themselves. Leveraging a service like this takes away a lot of the hassle and ultimately makes for a more secure solution.

AWS offers a service called Cognito that provides software development kits (SDKs) for several types of application environments. Using the SDKs, your application can sign up users and send login requests through the Cognito cloud APIs. If a login is successful, the service provides a temporary access token. The application uses this access token to unlock actions that require privileges. All this communication happens inside a secure channel, so the tokens are protected in transit. Cognito also supports federated identity providers, so your users can log in with their existing Google, Facebook, Apple, or Amazon accounts. It also supports multi-factor authentication (MFA) for better security.

Similarly, Microsoft Azure provides a service called Azure Active Directory B2C, which is an identity management service that provides multi-factor customer account authentication.

Why is it important?

User accounts help prevent unauthorized activity. They also allow for user experience customization and the storage of user specific data and configurations.

Must-Have #7: Identity and Access Management

What is it?

Properly protecting an IoT system demands that access to information and resources be strictly controlled. This requires application of “The Principle of Least Privilege”, as mentioned above. Identity and Access Management (IAM) systems control who can access what services and resources in the system and when they can do it. This works hand-in-hand with user authentication, such that once a user is authenticated, IAM can control what the user has access to.

IAM not only governs user interactions with the outside world, but it also controls interactions on the inside, including interactions between subsystems. After users have authenticated themselves and logged into the system, they are granted permission to perform specific actions. These actions have been granted to them in their account configuration settings, which are strictly controlled by administrators of the system. Permissions are set based on security policies attached to users, roles, or groups.

Granular permissions to resources are best. There should be very clear rules about what resources are allowed to be accessed by what parties under what circumstances. This includes which users have ownership over specific connected devices in the IoT system.

How does it work?

AWS IAM is an integral part of all AWS cloud service offerings. Microsoft Azure has Azure Active Directory as well as Role-Based Access Control (RBAC), which each provide Identity and Access Management features.

Each system offers fine-grained access management of resources in their respective cloud services. Using these systems, administrators create roles and policies that enforce the controls that IoT systems need to be safe and secure.
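To make the role-and-policy model above concrete, here is an added example in C (an illustration written for this post, not SpinDance's code, and not AWS IAM or Azure RBAC policy syntax) of a deny-by-default access check that also applies the Principle of Least Privilege from earlier in the post. The roles, actions, device registry and the `is_allowed` and `check_access` functions are all constructed assumptions: a customer may read and command only devices they own, support may read any device, and operations staff may push firmware fleet-wide. Everything else is denied simply because no statement grants it.

```c
/* Added example (not SpinDance's code, not AWS IAM or Azure RBAC syntax):
 * a deny-by-default, fine-grained access check for an IoT fleet. The
 * registry, roles and actions below are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum action { ACT_READ_TELEMETRY, ACT_SEND_COMMAND, ACT_UPDATE_FIRMWARE, ACT_COUNT };
#define ACT_BIT(a) (1u << (a))

/* Constructed device registry: which user owns which device. */
struct device { const char *id; const char *owner; };
static const struct device devices[] = {
    { "thermostat-01", "alice" },
    { "lock-07",       "bob"   },
};

/* One policy statement: a role may perform a set of actions, either only
 * on devices the principal owns (owner_only) or fleet-wide. There are no
 * deny statements: anything not explicitly allowed is denied. */
struct statement { const char *role; unsigned actions; bool owner_only; };
static const struct statement policy[] = {
    { "customer", ACT_BIT(ACT_READ_TELEMETRY) | ACT_BIT(ACT_SEND_COMMAND), true  },
    { "support",  ACT_BIT(ACT_READ_TELEMETRY),                             false },
    { "ops",      ACT_BIT(ACT_UPDATE_FIRMWARE),                            false },
};

/* An authenticated principal: the user plus the roles on the account. */
struct principal { const char *user; const char *roles[4]; size_t nroles; };

static const char *device_owner(const char *device_id) {
    for (size_t i = 0; i < sizeof devices / sizeof devices[0]; i++)
        if (strcmp(devices[i].id, device_id) == 0) return devices[i].owner;
    return NULL;                              /* unknown device */
}

/* Allow only if some statement for one of the principal's roles grants the
 * action and that statement's ownership scope holds for this device. */
bool is_allowed(const struct principal *p, enum action act, const char *device_id) {
    const char *owner = device_owner(device_id);
    if (owner == NULL || act >= ACT_COUNT) return false;   /* unknown: deny */
    for (size_t r = 0; r < p->nroles; r++) {
        for (size_t s = 0; s < sizeof policy / sizeof policy[0]; s++) {
            const struct statement *st = &policy[s];
            if (strcmp(st->role, p->roles[r]) != 0) continue;
            if ((st->actions & ACT_BIT(act)) == 0) continue;
            if (st->owner_only && strcmp(owner, p->user) != 0) continue;
            return true;
        }
    }
    return false;                             /* default deny */
}

/* Single-role convenience wrapper used by main() and the checks below. */
bool check_access(const char *user, const char *role, enum action act, const char *device_id) {
    struct principal p = { user, { role }, 1 };
    return is_allowed(&p, act, device_id);
}

int main(void) {
    printf("alice (customer) commands thermostat-01: %d\n", check_access("alice", "customer", ACT_SEND_COMMAND, "thermostat-01"));
    printf("alice (customer) commands lock-07:       %d\n", check_access("alice", "customer", ACT_SEND_COMMAND, "lock-07"));
    printf("carol (support)  reads lock-07:          %d\n", check_access("carol", "support", ACT_READ_TELEMETRY, "lock-07"));
    printf("carol (support)  updates lock-07:        %d\n", check_access("carol", "support", ACT_UPDATE_FIRMWARE, "lock-07"));
    printf("dan   (ops)      updates unknown-99:     %d\n", check_access("dan", "ops", ACT_UPDATE_FIRMWARE, "unknown-99"));
    return 0;
}
```

The design choice worth noticing is that there is no "deny" rule anywhere: an unknown device, an unknown action, or a role with no matching statement all fall through to `return false`. Starting from that closed position and adding statements as needed is the "start tight, then loosen" approach described above.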

Why is it important?

The more access you can restrict while not impeding the main functions of the system, the more damage you can limit if your systems are attacked or if there are mistakes. This will prevent misuse and also limit downtime of your IoT devices.

Must-Have #8: Firmware Best Practices & Code Reviews

What is it?

The physical devices of an IoT system represent a tempting target for would-be attackers to try to exploit. These devices are potentially physically accessible to the attackers or within their reach over a network. Keeping your devices secure means blocking potential attempts at compromising them or otherwise disrupting their operation.

Protecting devices starts at the hardware level. This requires writing good firmware code that runs on the microcontrollers or other electronic systems within the device. Firmware should be carefully evaluated and cleared of known vulnerabilities.

How does it work?

There are enough firmware best practices to fill many books on the subject. Here is a short list of our favorites.

  • Close all backdoors in production devices
    – Disable unused networking ports, disable debug interfaces, disable serial connection interfaces, and so on.
  • Never rely on passwords for device security
    – There are well known techniques for discovering and exploiting default passwords. Make it a high priority to ensure they don’t exist in your code.
  • Always sanitize user input and practice good string handling
    – To avoid buffer overflow attacks, if a function relies on input of a certain type or length, make sure anything too large or otherwise invalid can’t be injected.
  • Be cautious with dynamic memory allocation
    – Don’t open up the possibility for memory usage to get out of hand, exhausting system resources that legitimate operations need.
  • Peer review code
    – Always document and follow peer review processes as well as coding guidelines. A healthy development culture that embraces peer reviews not only boosts security, but it also boosts the quality and overall ownership of the development team.
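As an added example illustrating the input-handling and memory points in the list above (not code from SpinDance or the original post), the following C parser handles a hypothetical `SET <channel> <value>` command arriving from a serial or network buffer. The command format and the `CMD_MAX`, `CHANNEL_MAX` and `VALUE_MAX` limits are assumptions made for the illustration. It rejects over-length input before copying rather than truncating it, checks every field for type and range, and uses only a fixed stack buffer, so an attacker-controlled length never drives an allocation.

```c
/* Added example (not SpinDance's code): bounded handling of an untrusted
 * command line in firmware. The "SET <channel> <value>" protocol, the
 * channel count and the value range are constructed for illustration. */
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_MAX      32   /* longest legal command line, including the NUL */
#define CHANNEL_MAX   7   /* this hypothetical board has channels 0..7 */
#define VALUE_MAX   100   /* percent duty cycle */

struct set_cmd { unsigned channel; unsigned value; };
struct set_cmd scratch;   /* result slot used by main() and the checks below */

/* Copy untrusted bytes into a fixed, caller-owned buffer. Over-length input
 * is rejected outright rather than truncated: a silently shortened command
 * may mean something other than what was sent. Returns false on rejection. */
static bool copy_line(char *dst, const char *src, size_t src_len) {
    if (src_len >= CMD_MAX) return false;      /* would not fit: reject */
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return true;
}

/* Cut the next space-separated field out of *cursor, in place, never
 * reading past the NUL that copy_line() guaranteed. */
static char *next_field(char **cursor) {
    char *start = *cursor;
    if (start == NULL || *start == '\0') return NULL;
    char *sp = strchr(start, ' ');
    if (sp != NULL) { *sp = '\0'; *cursor = sp + 1; }
    else            { *cursor = start + strlen(start); }
    return start;
}

/* Parse an unsigned decimal field, rejecting signs, junk and out-of-range
 * values. strtoul() alone accepts "-1" and trailing garbage, so both are
 * checked explicitly. */
static bool parse_uint(const char *s, unsigned max, unsigned *out) {
    char *end;
    if (!isdigit((unsigned char)s[0])) return false;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > max) return false;
    *out = (unsigned)v;
    return true;
}

/* Validate and decode "SET <channel> <value>". Every field is checked for
 * type and range before the caller acts on any of it. No heap is used. */
bool parse_set(const char *input, size_t input_len, struct set_cmd *out) {
    char line[CMD_MAX];
    if (!copy_line(line, input, input_len)) return false;
    char *cursor = line, *tok;
    if ((tok = next_field(&cursor)) == NULL || strcmp(tok, "SET") != 0) return false;
    if ((tok = next_field(&cursor)) == NULL || !parse_uint(tok, CHANNEL_MAX, &out->channel)) return false;
    if ((tok = next_field(&cursor)) == NULL || !parse_uint(tok, VALUE_MAX, &out->value)) return false;
    if (next_field(&cursor) != NULL) return false;   /* trailing junk */
    return true;
}

/* Wrapper for NUL-terminated strings, as used by main() and the checks. */
bool parse_set_str(const char *s, struct set_cmd *out) {
    return parse_set(s, strlen(s), out);
}

int main(void) {
    const char *samples[] = {
        "SET 3 75",                        /* valid */
        "SET 9 10",                        /* channel out of range */
        "SET 3 -1",                        /* negative value */
        "SET 3 75 extra",                  /* trailing field */
        "SET 3 75" "XXXXXXXX" "XXXXXXXX" "XXXXXXXX" "XXXXXXXX",   /* 40 bytes: rejected before parsing */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> %s\n", samples[i],
               parse_set_str(samples[i], &scratch) ? "accepted" : "rejected");
    return 0;
}
```

Two details carry most of the value. First, the length check happens before the copy and rejects instead of truncating, so the fixed buffer can never be overrun and a clipped command can never be misread. Second, each numeric field is validated for sign, trailing characters and range, because `strtoul` by itself happily accepts `-1` and `75abc`.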

Why is it important?

Potential attackers have an arsenal of known vulnerabilities and techniques that could be used to compromise a device. Some of these are relatively easy to protect against; others are not. Skipping steps and rushing products to market can result in a lot of regret down the road if devices are targeted in an attack, so we recommend taking a strong security stance when it comes to your firmware.

Must-Have #9: Penetration Testing

What is it?

To gain confidence in the actual security of your systems, you need to test and verify them. This is a specialized skill that requires not only advanced knowledge of hacking techniques, but also a different mindset. For this reason, we recommend working with a security firm that focuses on this area. Their teams possess numerous years, often decades, of experience in the field. Because such a team stays on the bleeding edge of newly discovered vulnerabilities and tactics, it provides an extra layer of preemptive testing. They probe systems to identify vulnerabilities and gaps in security controls, among other areas of the product.

How does it work?

Security firms that specialize in penetration testing will have tools and techniques to break into systems such as physical devices and cloud services. They leverage security research and development to identify issues. SpinDance partners with such firms to test systems and gain reports on potential vulnerabilities that can be patched or otherwise mitigated. Security firms typically offer various services and testing methods and can help you find the right combination to ensure your product or service has a stronger level of validation and security.

Why is it important?

Penetration testing helps you identify weaknesses and strengthen your defenses against ever-changing security threats. These services can prove invaluable in their ability to help you identify potential issues before they become a problem as well as giving you peace of mind.

Must-Have #10: Security Monitoring

What is it?

After you have implemented security protections and launched your product into production, you may be tempted to give your team a high five and declare victory. However, security is never complete and if you want to know if your systems are really secure, then you’ll need to continually monitor them.

This includes monitoring for weird behavior in the way your devices and cloud applications are being interacted with or behaving. It also includes monitoring for unusual activity in the configuration settings of your systems such as unexplained changes in security protections.

How does it work?

Cloud service providers offer services for auditing and monitoring IoT systems. They perform three main functions – auditing, monitoring, and alerting.

Auditing
  • Security auditing services can check your security measures and compare against security best practices. They can also evaluate the robustness of the cryptography in use.
Monitoring
  • Security monitoring services continually digest logs and watch for unusual activity in your device fleet’s behavior. For example, an unusual spike in network traffic coming from one of your devices could indicate that it has been compromised.
Alerting
  • If any issues are identified by the above services, you can be alerted immediately. The thresholds for what constitutes unusual versus normal behavior are configurable, so you have control over how sensitive you would like the security alerts to be.

AWS provides a service for monitoring for IoT vulnerabilities called AWS IoT Device Defender. This service offers auditing, alerting, and the ability to use Machine Learning (ML) to model device behaviors and detect anomalous activity.

Microsoft Azure offers Microsoft Defender for IoT with continuous monitoring for threats and vulnerabilities using IoT-aware behavioral analytics and threat intelligence.
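The following added example (not SpinDance's code, and not the internals of AWS IoT Device Defender or Microsoft Defender for IoT) shows the monitoring-and-alerting idea from the list above in C: each device's recent traffic forms its own baseline, and an alert fires only when a new interval exceeds a configurable multiple of that baseline and an absolute floor. The `fleet_log` samples, the window size and the thresholds are constructed assumptions for the illustration.

```c
/* Added example (not SpinDance's code, and not the logic of AWS IoT Device
 * Defender or Microsoft Defender for IoT): a minimal behavioral monitor with
 * a configurable sensitivity, run over a constructed per-device traffic log. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BASELINE_WINDOW 6   /* how many past intervals define "normal" */

/* Outbound traffic of one device during one reporting interval. */
struct sample { const char *device; unsigned interval; unsigned bytes_out; };

/* Constructed fleet log: five quiet intervals per device, then a modest
 * bump from sensor-01 and a roughly 40x spike from sensor-02 in interval 6. */
static const struct sample fleet_log[] = {
    { "sensor-01", 1, 1200 }, { "sensor-02", 1, 1100 },
    { "sensor-01", 2, 1300 }, { "sensor-02", 2, 1250 },
    { "sensor-01", 3, 1150 }, { "sensor-02", 3, 1000 },
    { "sensor-01", 4, 1250 }, { "sensor-02", 4, 1180 },
    { "sensor-01", 5, 1100 }, { "sensor-02", 5, 1220 },
    { "sensor-01", 6, 1500 }, { "sensor-02", 6, 48000 },
};
#define LOG_LEN (sizeof fleet_log / sizeof fleet_log[0])

/* Tunables: alert when an interval exceeds factor * the device's baseline
 * mean AND an absolute floor (the floor keeps nearly idle devices from
 * alerting on tiny fluctuations). */
struct threshold { double factor; unsigned floor_bytes; };

/* Mean bytes_out of `device` over the BASELINE_WINDOW intervals before
 * `before`; *n_out receives how many samples were available. */
static double baseline_mean(const char *device, unsigned before, size_t *n_out) {
    unsigned from = before > BASELINE_WINDOW ? before - BASELINE_WINDOW : 0;
    double sum = 0.0;
    size_t n = 0;
    for (size_t i = 0; i < LOG_LEN; i++) {
        const struct sample *s = &fleet_log[i];
        if (strcmp(s->device, device) != 0) continue;
        if (s->interval < from || s->interval >= before) continue;
        sum += s->bytes_out;
        n++;
    }
    *n_out = n;
    return n ? sum / (double)n : 0.0;
}

/* A sample is anomalous relative to its own device's recent history. */
bool is_anomalous(const struct sample *s, const struct threshold *t) {
    size_t n = 0;
    double mean = baseline_mean(s->device, s->interval, &n);
    if (n == 0) return false;                 /* no history yet: cannot judge */
    return s->bytes_out > t->floor_bytes && (double)s->bytes_out > t->factor * mean;
}

/* Scan the log with the given sensitivity and return how many alerts fire. */
unsigned count_alerts(double factor, unsigned floor_bytes) {
    struct threshold t = { factor, floor_bytes };
    unsigned alerts = 0;
    for (size_t i = 0; i < LOG_LEN; i++) {
        const struct sample *s = &fleet_log[i];
        if (is_anomalous(s, &t)) {
            printf("ALERT %s interval %u: %u bytes out\n", s->device, s->interval, s->bytes_out);
            alerts++;
        }
    }
    return alerts;
}

int main(void) {
    printf("factor 3.0, floor 2000 -> %u alert(s)\n", count_alerts(3.0, 2000));
    printf("factor 1.2, floor 0    -> %u alert(s)\n", count_alerts(1.2, 0));
    return 0;
}
```

With `factor 3.0` and a 2000-byte floor, only the 48000-byte spike from sensor-02 is flagged. Loosening the sensitivity to `factor 1.2` with no floor also flags sensor-01's 1500-byte interval, which is the trade-off the post refers to when it says you control how sensitive the alerts are: a lower multiplier catches subtler changes but raises the false-positive rate, and the floor is what keeps quiet devices from paging anyone over a few hundred bytes.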

Why is it important?

Maintaining good security is an ongoing process. Best intentions during initial development don’t always ensure a good secure product. You need to monitor and watch for issues. If an issue is discovered, you can take immediate action including quarantining devices or systems to isolate and remove the problem.

Summary

This wraps up our list of security must-haves for IoT. Security is a complex field and there is so much more that could be covered. As always, we recommend you make security a top priority and invest in education and training your team. Security should be a core consideration in everything that you do with respect to IoT devices and systems. Implementing good security does take time, but it is well worth it for the added protection in the long run. Your customers and your shareholders will thank you for it.

This might seem overwhelming, but don’t worry, companies like SpinDance are here to help. We have years of specialized IoT experience helping customers succeed. If you are building an IoT product, service, or application we are here to help you.

SpinDance is a consultant specializing in IoT. We offer several services that help our customers launch IoT products and services. These services include:






About the Author

Mac Lobdell is a Solution Architect at SpinDance with 20 years of experience in embedded systems and software. He holds an MBA, a BSEE, and is a Certified AWS Cloud Practitioner. As a Solution Architect, he helps define solutions that bring together good business strategy, technological innovation, and outstanding customer experiences.