A little over a week ago, a distributed denial-of-service (DDoS) attack left a large segment of the American population unable to reach popular websites and services, such as Amazon.com, Netflix, The New York Times, the PlayStation and Xbox networks, PayPal, and Visa. This incident should motivate companies to take the security of their IoT systems seriously, and in particular to ask whether their own products could be hijacked and turned against others.
The culprit wasn't a handful of powerful computers with high-bandwidth connections to the web; rather, it was an estimated 100,000+ internet-connected devices, hijacked by malware, that together sent on the order of a terabit of data every second at the DNS provider Dyn. When a site's DNS provider is unreachable, computers cannot resolve a domain name such as paypal.com into the IP address they need in order to communicate, so the site is effectively offline even though its own servers are still running.
If you're developing devices that communicate via the Internet, a.k.a. Internet of Things (IoT) products, or you're considering doing so in the future, how do you ensure that nobody will use your product for nefarious purposes in the next internet attack? You cannot guarantee that your IoT system is 100% hack-proof, but you can start by deciding what you want to protect against. A good low bar to clear is to address threats that:
- Prevent your device from performing the task it was designed for
- Take over your device and use it for other, typically malicious, purposes (for example, as one node of a botnet)
- Reveal company or customer data
To accomplish this, improve your IoT system's security by removing unnecessary ways to access it (e.g. debug headers and other physical connections, and unused TCP and UDP ports) and by ensuring that updated code can only come from you (cryptographically signed updates that the device verifies before installing anything). Also secure the communication between the device and the other parts of its ecosystem (other devices, smartphones, web services, etc.).
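As an added example (not code from the original post or from SGW Designworks), the following Go program shows what "updates can only come from you" looks like in practice: the vendor signs a small manifest (version plus the SHA-256 of the image) with an Ed25519 private key, and the device, which holds only the public key, refuses any update whose signature, digest, or version does not check out. The types, names, error values and sample firmware images are all assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata the vendor signs together with the image digest.
// Signing the version (not just the image) lets the device refuse a rollback to
// an older release that still carries a valid vendor signature.
type Manifest struct {
	Version uint32
	Digest  [32]byte // SHA-256 of the firmware image
}

// Update is what the device receives over the air: manifest, signature, image.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// encodeManifest fixes the exact byte string that is signed and verified.
func encodeManifest(m Manifest) []byte {
	buf := make([]byte, 4+len(m.Digest))
	binary.BigEndian.PutUint32(buf, m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// SignUpdate runs on the vendor's build system, the only place the private
// key exists; the device only ever holds the public half.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, encodeManifest(m)), Image: image}
}

// Device models the firmware-side state: the vendor public key baked into the
// bootloader (ideally in ROM or OTP so it cannot be swapped) and the installed version.
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature   = errors.New("update: manifest signature is not from the vendor")
	ErrDigestMismatch = errors.New("update: image does not match the signed digest")
	ErrRollback       = errors.New("update: version is not newer than the installed one")
)

// Install checks an update before anything is written to flash. Order matters:
// the signature first, so nothing unauthenticated is trusted further; then the
// digest, which ties the large image to the small signed manifest; then the
// version, to block rollback attacks.
func (d *Device) Install(u Update) error {
	if !ed25519.Verify(d.VendorPub, encodeManifest(u.Manifest), u.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(u.Image) != u.Manifest.Digest {
		return ErrDigestMismatch
	}
	if u.Manifest.Version <= d.InstalledVersion {
		return ErrRollback
	}
	d.InstalledVersion = u.Manifest.Version // the flash write would happen here
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: pub, InstalledVersion: 1}

	// Constructed sample images; real ones would be full firmware binaries.
	fmt.Println("genuine v2:     ", dev.Install(SignUpdate(priv, 2, []byte("firmware v2"))))
	tampered := SignUpdate(priv, 3, []byte("firmware v3"))
	tampered.Image = []byte("firmware v3 + backdoor") // image swapped after signing
	fmt.Println("tampered image: ", dev.Install(tampered))
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attacker-signed:", dev.Install(SignUpdate(attackerPriv, 3, []byte("evil"))))
	fmt.Println("rollback to v1: ", dev.Install(SignUpdate(priv, 1, []byte("firmware v1"))))
}
```

The version check is the part most often forgotten: without it, an attacker who obtains any old, legitimately signed image with a known vulnerability can push the device back to it. Keeping the update whole in a staging area until all three checks pass also means a power loss mid-update cannot leave a half-written image.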
Use communication protocols that encrypt the data and authenticate both ends of the connection, whether with credentials (e.g. username/password), certificates (e.g. X.509), or other mechanisms. Avoid the temptation to devise your own encryption scheme; it will almost certainly be far weaker than standardized, publicly tested options such as TLS.
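As an added example (not code from the original post or from SGW Designworks), here is the "authenticate both ends" advice using a standard protocol rather than a home-made one: a Go program that sets up a throwaway private CA, issues a certificate to a "cloud" service and to a "device", and runs a mutually authenticated TLS exchange over loopback. The service is configured to require a client certificate, so a device that presents none is refused. The names (Demo IoT CA, cloud.example, device-0001), the telemetry message and the in-memory PKI are assumptions for this illustration; a real deployment keeps the CA key offline and provisions each device's certificate at manufacture.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// issueCert generates a P-256 key and an X.509 certificate for cn, self-signed
// when parent is nil (the demo CA) and otherwise signed by parentKey.
// Setup failures panic because this is throwaway demo PKI.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // the demo service listens on loopback
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// Exchange runs one mutually authenticated TLS round trip between a local "cloud"
// echo service and a "device" client and returns the service's reply. With
// withDeviceCert false the device presents no certificate and the service,
// configured with RequireAndVerifyClientCert, refuses to talk to it.
func Exchange(withDeviceCert bool) (string, error) {
	ca, caKey := issueCert("Demo IoT CA", true, nil, nil)
	srvCert, srvKey := issueCert("cloud.example", false, ca, caKey)
	devCert, devKey := issueCert("device-0001", false, ca, caKey)
	pool := x509.NewCertPool() // both sides trust only the vendor CA, not the system store
	pool.AddCert(ca)

	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // authenticate the device, not just the service
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		// The first Read runs the handshake; it fails if no trusted client certificate was sent.
		if line, err := bufio.NewReader(conn).ReadString('\n'); err == nil {
			fmt.Fprintf(conn, "ack:%s", strings.ToUpper(line))
		}
	}()

	clientCfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if withDeviceCert {
		clientCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{devCert.Raw}, PrivateKey: devKey}}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // verifies the service's cert against the CA
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	fmt.Fprint(conn, "telemetry temp=21.5\n") // constructed sample message; a write error surfaces on Read
	reply, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", err // e.g. "remote error: tls: bad certificate" for the cert-less device
	}
	return strings.TrimSpace(reply), nil
}

func main() {
	fmt.Println(Exchange(true))
	fmt.Println(Exchange(false))
}
```

Two details matter more than the rest: the device pins trust to the vendor CA pool rather than the system root store, so a certificate from any public CA is not enough to impersonate the service, and the service sets ClientAuth to RequireAndVerifyClientCert, so possession of a device-issued certificate (and its private key) becomes the device's identity instead of a shared password baked into every unit.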
The Open Web Application Security Project (OWASP) provides a wealth of information to assist with the development of secure software, including Cheat Sheets for many tasks, among them the development of IoT devices. SGW Designworks can also assist with the design, development, and auditing of devices that connect to the Internet.