IoT Device Security is cited by many companies as one of the main reasons they decide against connecting their devices and platforms to the Internet of Things. As a manufacturer of IoT devices and providers of M2M connectivity to many thousands of different devices, Eseye have a number of top tips on how to secure and protect your IoT device from cyber-attacks.
As was said in a previous blog, on security and authentication, no matter how much time and money is invested in IoT security there will always be vulnerabilities. However these risks can be managed by the use of simple yet effective multi-layer security paradigm for your IoT/ M2M devices.
Unfortunately, but I hope understandably there is no trade secret, no magic line of code or secret protocol that can prevent all vulnerabilities. There are many companies that have security based products that can help but hard work, partnering with trusted and reputably suppliers and thorough testing, are all necessary when protecting a device. Similarly, you should never assume your thing is of no interest to hackers. Individually the thing or its data may not be, but as part of a distributed system almost all devices become very useful.
If you limit the number of connections to your thing, you will have less security to build and maintain. When deciding how to connect your device, the function should be balanced against the threat of opening pathways to people with undesirable intentions. When securing the connectivity of your IoT/ M2M device consider limiting your device to a single secure, encrypted and certified connection to a trusted service endpoint.
Some good news is that while you will still need to consider how to distribute and manage the security keys to your device and how to change the trusted endpoint, these can all be resolved and should not become a barrier to the primary protection of your device.
Potentially the easiest way of simplifying and limiting your devices exposure to the internet is through the use of NAT (network address translation). NAT has the advantage of hiding the real address information of your device, dynamically allocating a new port and potentially address each time it opens a connection to the internet. While NAT limits exposure to both your own interactions and importantly others accessing your device from the internet it offers little direct protection from attacks originated from compromised device on the private side of the network. Securing device to device communications behind the NAT will help protect compromised devices from infecting neighbouring devices.
Even if your network does provide internal protection it’s still safer to assume that devices may go rogue and therefore all potential connections to your device should be vetted. A fully fledged stateful inspection firewall may not be possible on a low power IoT device but through the use of whitelist and access rules paired with network based firewalls you can build in appropriate security. By assuming the worst from all connections, identifying and verifying the trust relationship between your device and its associated IoT service layers your device’s security will improve.
It is imperative that devices are able to detect physical tampering and act appropriately, from attempts to open devices through to manipulating the clock these physical security concerns can vary. Solutions can be simple to implement and range between; erasing confidential information and to sending an error report and acting on the issue remotely.
Set up your device to have intrusion detection, to pick up on attempts to enter your device. It may be useful to detect and report virus or other compromises on a device after the event in order to improve the robustness of solutions overall and allow you to lock down your device and prevent it infecting others. It is even better to actively block the untrusted connections that are knocking on the door of your device, adding monitoring and reporting improves awareness and robustness. Basic intrusion detection services are necessary for remotely deployed devices, the more your device can protect itself the less of a strain it will place upon your support engineers and other devices in the network.
Even the most carefully and diligently designed device will still develop bugs and small issues, it is crucial that these are fixed, tested and deployed as quickly as possible. The smallest bug in the externally facing components of your device has the potential to open all your devices up to a multitude of issues. By having a robust, efficient bug fixing and firmware updating process the length of time that any vulnerabilities are accessible will be kept to a minimum.
Companies that excel at securing their devices use a prevention techniques. By tracking the latest techniques that are being used to infect devices, companies can work towards solutions before their devices are ever affected. There are enough IoT/ M2M security failings to learn from already, don’t allow your company to make another.
Continuing our drive to simplify IoT solutions for AWS, and tying in with AWS re:Invent later in November, we have...
Eseye, a leading global cellular internet connectivity provider for the Internet of Things (IoT) devices, and MikroElektronika, a producer and...