Your business may be all 'IoT', but is it secure?

Equifax

The Internet of Things ('IoT', as we're sure you know) has amazing potential for your business. It's all about collecting, sharing and interacting with data in innovative ways.

Data is increasingly being referred to as the 'new oil': the fuel in our engines that, used appropriately, will drive us further and faster than we could have imagined only a few years ago. With so much to get excited about, it's easy to adopt something without considering the risks.

It's generally accepted that you should assess the security of your new website before it goes live on the Internet. Or that you should seek third party verification when changes to your IT infrastructure are rolled out (and you do those things, right?).

Would you consider doing the same when you're adding a new coffee machine to your breakout area? So-called smart coffee machines, with their own purchasing power, are being trialed. Customers identify themselves with smartphones, and gain discounts if they are willing to conduct basic maintenance such as topping up beans or milk supplies.

The device invests revenue from selling coffee into ordering supplies. Over time it squirrels away enough money to replace itself at the end of its life expectancy. How thoughtful of it!

IoT exploits

A review of IoT security stories in 2017 uncovered common exploit issues time and again. In fact it's rare for a week to go by without some new connected device story hitting the media.

A recent example is the BlueBorne attack: a vulnerability found in the Bluetooth implementations of multiple vendors, where an attacker could infect any unpatched device with Bluetooth turned on. The compromised device would then spread the infection as it came into range of any other vulnerable device.

Sure, this requires the attacker to get close to the first device, e.g. standing near the front door of your office and exploiting anyone's phone as they walk by. But that is far from implausible, and the day is coming when our interconnected devices will seriously impact the running of a business.

You wouldn't fail to protect your business from online threats, so why leave yourself exposed via IoT devices? Here are some of the main things you need to consider, and what you need to evaluate in order to improve the security of these devices.

How do you secure your IoT device?

First of all, we advise our clients to question whether the device actually NEEDS to be connected to the internet, or if it really needs to talk to other devices. If it does, the following tips will help to improve your IoT cybersecurity:

1. Don't connect unnecessary devices to your network

For example, the smart coffee machine mentioned above will need to order supplies online. It will not need to access your databases and network file shares. Reduce the risks by not connecting the device to your corporate network. Configure a network which can only reach the Internet and enable host segregation where possible (so that one device cannot talk to another).

Often the security of a network is only as good as the weakest node. Reduce risks by using appropriate segregation.

2. Check if it's web facing (greater risk than internal network only)

If the device needs to present a service directly on the Internet (such as a remote administration interface), then it's at increased risk of attack. Anyone with an Internet connection will be able to target it, and so you must be certain of its level of security. Most administration interfaces in IoT devices have not undergone robust security analysis and pose a genuine danger.

The advice here is:

  • It is better to provide a VPN to enable remote access. This can have robust authentication including 2FA or digital certificates, which is often not the case in IoT administration interfaces.
  • If a VPN is impractical, use firewall rules to limit the visibility of the service to specific source addresses. Limiting who can see it reduces the pool of attackers.
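The two network controls above (an Internet-only IoT segment with host isolation, and an admin interface reachable only from approved source addresses) can be written down as a small policy model and checked against sample flows before the rules are pushed to a real firewall. This is an added example, not from the original article; every address, range and port in it is constructed for illustration.

```python
"""Policy model for an IoT network segment: Internet-only egress, no
device-to-device traffic, and a remote admin interface that only approved
sources may reach. Constructed example, not a real deployment."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing (RFC 5737 / RFC 1918 documentation ranges).
IOT_NET = ipaddress.ip_network("10.50.0.0/24")          # where the coffee machine lives
INTERNAL_NETS = [ipaddress.ip_network(n) for n in       # corporate ranges it must not reach
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_SOURCES = [ipaddress.ip_network("203.0.113.10/32")]  # e.g. the VPN gateway address
ADMIN_PORT = 443                                           # the device's admin interface


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def evaluate(flow):
    """Return (verdict, reason) for a flow, in the order a firewall would match."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src in IOT_NET and dst in IOT_NET:
        return "deny", "host isolation: device-to-device traffic"
    if src in IOT_NET and any(dst in n for n in INTERNAL_NETS):
        return "deny", "IoT segment may not reach internal ranges"
    if src in IOT_NET:
        return "allow", "outbound Internet only (e.g. supplier ordering)"
    if dst in IOT_NET and flow.dport == ADMIN_PORT:
        if any(src in n for n in ADMIN_SOURCES):
            return "allow", "admin interface from an approved source"
        return "deny", "admin interface from an unapproved source"
    return "deny", "default deny"


# Constructed test flows with the verdict the policy is meant to give.
EXPECTED = [
    (Flow("10.50.0.20", "198.51.100.7", 443), "allow"),   # device ordering beans online
    (Flow("10.50.0.20", "10.10.5.5", 445), "deny"),       # device probing a file server
    (Flow("10.50.0.20", "10.50.0.21", 80), "deny"),       # device talking to its neighbour
    (Flow("203.0.113.10", "10.50.0.20", 443), "allow"),   # admin via the VPN gateway
    (Flow("198.51.100.9", "10.50.0.20", 443), "deny"),    # admin from the open Internet
    (Flow("198.51.100.9", "10.50.0.20", 22), "deny"),     # any other inbound service
]


def violations():
    """Flows whose verdict differs from the intended policy; empty means consistent."""
    return [(f, evaluate(f)) for f, want in EXPECTED if evaluate(f)[0] != want]
```

Resolvers or NTP servers that the devices must reach inside the internal ranges would need explicit allow rules placed before the internal-range deny.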

3. Ensure password security

A substantial proportion of IoT security breaches have come from insecure password practices. Most devices will have a default password. Attackers scour the Internet looking for user manuals and add new default passwords into their wordlists. They love nothing more than a password which is true for every device that comes out of the box.

Find the user manual for your device before buying it, and look for how to change the password, or try contacting the vendor for pre-sales support. If the password cannot be changed, you may have found an insecure device.

Most IoT devices are incapable of implementing technical password policy controls such as complexity requirements, account lockouts, or expiry settings. In this space your staff will have to select passwords meeting your complexity requirements.

When you first enable the device, generate a random password and store that centrally for safe keeping. Be sure to then create a rolling calendar reminder for IT support to alter the password manually if the device cannot do this itself.

4. Check if it has the ability to update firmware/install patches

Even the most robust devices will eventually have some security or functionality bug. The natural solution is for the vendor to provide an update. If your device has no way to update itself, it may become obsolete because of security flaws, and that design flaw could cost your business dearly.

Again, the best source of information on this before purchasing is the user manual online, or contacting the vendor.

5. Disable unnecessary features

Most vendors strive to add features to their device, and many will turn them all on out-of-the-box. Each feature is something that can be attacked. For each IoT device you install, the best practice would be to disable as many features as possible. Review the need for everything and disable what is not required.

Doing this will reduce the so-called attack surface. Even if a vulnerability is found in a device you're running, it may be immune to that attack if you have already disabled the feature which is being exploited.