IoT Security Best Practices: Passwords, Patches, and Portals
If you’ve ever created devices for military applications you’re probably used to designing with security in mind. If you’re more like me, and just build the odd Internet of Things (IoT) doodad, that’s probably the last thing on your mind. However, recent cyber attacks are highlighting why engineers like us should be a little more concerned with security. These design best practices will show you how you can safeguard your systems.
Why Secure the IoT?
On the face of it, most IoT devices seem harmless. Now, though, even the most innocuous gadgets can become a weapon in the hands of a hacker. These malicious programmers can use malware to infect poorly secured devices and add them to massive botnets. Botnets are then used to perform distributed denial-of-service (DDoS) attacks, which can take down web services.
Hackers don’t need a sophisticated computer to perform a DDoS assault. They just need a device that connects to the Internet. Interestingly, IoT devices make up a huge portion of these botnets, because most have poor security. The Mirai botnet, which took down some DNS services in 2016, used thousands of Internet-connected cameras and DVRs. If you don’t want your inventions to end up as a soldier in some hacker’s computer army, you should implement a few safety measures.
No Hard-Coded Passwords
If you design embedded systems, you’ve probably used a hard-coded password before. Depending on your software architecture, putting passwords in read-only memory is sometimes the most straightforward choice. Unfortunately, it’s also dangerous.
In the realm of industrial IoT, many supervisory control and data acquisition (SCADA) systems have hard-coded passwords. This presents a huge risk, as these systems often control things like power plants and energy infrastructure. In fact, in 2010, hackers were able to attack one of Iran’s nuclear facilities because they knew some of the passwords that were hard-coded into the equipment. If you’re designing an IoT device for a critical system, like a power plant or a self-driving car, you need to let the user change the password. Otherwise, the results could be devastating—even deadly.
Even if you’re just designing light bulbs, you should still allow users to change passwords. Many of the IoT devices in the Mirai botnet had hard-coded passwords. Since these things are being made en masse, a hacker can take over thousands of devices simply because they know one password.
Even if you rigorously test your device in-house and think you have covered every base, vulnerabilities will be discovered in the field. If you can’t patch, update the code for your device over the air, or make patches available to users, your gizmo could be a sitting duck.
There’s currently no financial incentive to build your device so that it can be patched, though in the future there might be. The US Senate recently introduced legislation that gives designers guidelines on how to make our devices more secure. One of their requirements is that IoT systems be patchable. If we’re going to have to design for this in the future, we may as well do so now.
Use a Gateway
Up until now, many IoT devices were designed to connect directly to the Internet or to a user’s computer or phone. As the IoT grows, this method is untenable for multiple reasons, including complexity, increased processing, and—most importantly—poor security.
When thinking about cybersecurity and the IoT we need to consider the “attack surface.” In a large, low-power wide-area IoT network you may have thousands of devices or sensors connected. If they’re all connected directly to the internet, you will have an enormous attack surface, and a hacker could gain access to the network through any one of those devices. Using an IoT gateway can help you consolidate security and present a smaller target to potential intruders.
A gateway acts as a communication node for an IoT network or system. Usually, these will be able to connect to devices using a variety of standard protocols, like Bluetooth, and may have some onboard processing. Since most or all information is routed through the gateway to the Internet, it presents a smaller target than thousands of different devices. Then you can focus on securing a handful of portals instead of an army of sensors and other gadgets.
The Internet of Things will certainly be an amazing tool for societies around the world, but it is also becoming a dangerous weapon. Poor security features have allowed hackers to attack critical infrastructure and co-opt devices into massive botnets for online assaults. As a designer, you can help mitigate this threat by allowing users to change device passwords, making your products patchable, and integrating your devices with IoT gateways.
Admittedly, you have many things on your plate, and these fixes aren’t always easy to implement. That’s why you should think about using PCB design software like CircuitStudio® . It has a host of tools that were created to help you during design.
Have more questions about IoT security? Call an expert at Altium.