The Internet of Things is here to stay. It is estimated that there are approximately eight billion IoT devices connected to the internet and this number is set to continue to grow at an alarming rate.
I regularly find myself in discussions with people who want to know "how to secure IoT", which invariably leads to an interesting discussion about just what makes up the Internet of Things. But whether it’s a coffee machine or a doorbell that is connected to your phone, at the end of the day it is a network-connected computer and should be treated as such.
Applying the same rules to IoT devices that you use with any other connected device will usually result in a considerable reduction in the risk they present to you and your networks. None of the following controls is particularly complex; in fact, most require very little effort to implement.
Maintain a register of devices
In an ideal world, this should already be something that every business does; all devices connected to the network should be logged and, where possible, assessed to determine the level of access they should have. A proper understanding of which devices are connected to your network is a prerequisite for proper security, and any new or unknown devices should trigger an alert.
Create a separate network
Most businesses already provide separate networks for guest devices, where access to sensitive resources is restricted, and this should be extended to cover IoT devices. Whether given their own network or added to an untrusted guest network, their access to other resources should be restricted to those explicitly needed for them to function.
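As an added example (not part of the original post) tying together the two controls above, the following Python script checks DHCP lease entries against a device register and flags both unknown devices and registered IoT devices that have turned up outside their assigned network segment. The register, the lease lines and the subnet prefixes are constructed sample data; the lease line layout follows the dnsmasq lease file format.

```python
# Audit DHCP leases against a maintained device register (constructed sample data).
import re
from collections import namedtuple

# Constructed device register: MAC -> (description, assigned segment). In practice
# this comes from your asset inventory.
DEVICE_REGISTER = {
    "aa:bb:cc:00:00:01": ("Reception printer", "office"),
    "aa:bb:cc:00:00:02": ("Kitchen coffee machine", "iot"),
    "aa:bb:cc:00:00:03": ("Front door camera", "iot"),
}

# Constructed lease entries in dnsmasq layout: expiry mac ip hostname client-id
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.0.1.20 printer-01 *
1700000100 aa:bb:cc:00:00:02 10.0.9.15 coffee-bean *
1700000200 aa:bb:cc:00:00:03 10.0.1.40 doorcam *
1700000300 de:ad:be:ef:00:99 10.0.1.77 smart-bulb *
"""

LEASE_RE = re.compile(r"^\d+\s+([0-9a-fA-F:]{17})\s+(\S+)\s+(\S+)")

# Subnet prefix each segment is expected to use (constructed).
SEGMENT_PREFIX = {"office": "10.0.1.", "iot": "10.0.9."}

Finding = namedtuple("Finding", "mac ip hostname reason")


def audit_leases(lease_text, register=DEVICE_REGISTER, segments=SEGMENT_PREFIX):
    """Return findings for devices missing from the register and for registered
    devices whose address is outside the segment assigned to them."""
    findings = []
    for line in lease_text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        mac, ip, host = m.group(1).lower(), m.group(2), m.group(3)
        entry = register.get(mac)
        if entry is None:
            findings.append(Finding(mac, ip, host, "not in device register"))
            continue
        _description, segment = entry
        if not ip.startswith(segments[segment]):
            findings.append(Finding(mac, ip, host, f"expected on '{segment}' segment"))
    return findings


if __name__ == "__main__":
    for f in audit_leases(SAMPLE_LEASES):
        print(f"ALERT {f.mac} {f.ip} ({f.hostname}): {f.reason}")
```

Run against the sample data it raises two alerts: the door camera sitting on the office subnet, and the unregistered smart bulb.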
Patch where possible
Ideally, all devices should be kept up to date and all available patches applied. This is particularly important for IoT devices given their uncanny ability to be installed and promptly forgotten. Vendors will regularly release updates, and you should periodically check each device manufacturer’s website for updates or security bulletins. Where possible, automatic updates should be enabled on your devices, and if there are known vulnerabilities and no patch available, or if the device is not capable of being patched, you should seriously consider whether the benefits outweigh the risks of keeping the device online.
Change default passwords
The majority of IoT devices have exceptionally weak passwords set by default, and while it's tempting to point the finger at vendors, ensuring a sufficiently secure password is our responsibility too. We take great care to ensure strong, unique passwords are set on all our other devices, and this should be no different when looking at IoT. The Mirai botnet at its peak was made up of 2.5 million IoT devices, which were accessed using just 60 passwords. The best advice here is much the same as for passwords everywhere: use a password manager and make sure every device has a unique password.
Keep track of your data
Fortunately, vendors do appear to be taking notice and things are slowly improving. A voluntary Code of Practice has also been released by the Department for Digital, Culture, Media and Sport, in conjunction with the NCSC. This Code of Practice contains thirteen outcome-focused guidelines, which outline what is widely considered good practice in IoT security. It also makes a useful checklist when considering which IoT devices are safe to allow access to your network.
Until IoT devices mature and security becomes a proper focus for vendors, the best advice remains to remember that while they may be "IoT devices", in reality, all that means is they are simply tiny computers and they should be secured and monitored just like any other device connected to your networks.
To discover more about securing your IoT devices, you can find white papers, webcasts and blogs in the Resources section of the SANS website.
Written by Simon McNamee
Security Researcher SANS Institute