Best Practices to Design and Build Secure IoT Solutions

The Internet of Things (IoT) can be described as a network of devices connected through machine-to-machine communication. In other words, it’s how devices connect to the internet and communicate with each other. As we’ve seen in recent years with the explosive growth of “smart” devices like smartphones, smart speakers and smart appliances that can all connect with each other, IoT, like AI, is a trend that is not going anywhere. In fact, from two billion objects in 2006, to a projected 200 billion by 2020, coupled with a total global worth as high as $6.2 trillion by 2025, it’s clear that IoT will see even more growth.

The Importance of Designing and Implementing Secure IoT Applications

The incredible proliferation of IoT solutions that use network sensors in physical devices to allow for remote monitoring and control makes the need for security in IoT devices clear. For instance, this technology has gained a lot of traction in industries like healthcare, banking and manufacturing because it gives them vital data needed to save lives, increase efficiency and manage machines. But when these devices are hacked, the consequences can compound into downed networks and crippled infrastructures.

Unfortunately, the problem is that the same feature that characterizes IoT devices—their interconnectivity—also leads to their vulnerability. For example, think of a hall of doors; a hall of locked doors. In this hall, no one door can be opened from the outside, but once inside, any door can be unlocked. If a thief were to somehow find their way inside this particular hall, maybe because someone left a door ajar, they would then have access to every other door in that hall. Now exchange that hall for a network, and each door for an IoT device. Because a network with IoT-enabled devices can include millions of connections, each of those connections can be the metaphorical door that’s been left ajar. In other words, security risks exponentially increase with interconnected IoT devices; attack one and you attack all.

IoT Security Design Failures

Part of understanding the importance of designing and implementing secure IoT applications is knowing what happens when an IoT solution is not as secure as previously thought. As the following two examples will show you, everyone is susceptible to vulnerabilities, even the big brands spending millions to develop them:

The Jeep Hack

In July of 2015, a team of researchers hacked a Jeep Cherokee over the Sprint cellular network by exploiting a firmware update vulnerability. As the person inside the car wrote for Wired, “[t]hough I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass. As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display.”

St. Jude’s Hackable Cardiac Devices

As CNN’s headline from a 2017 article read, “It’s official: Hearts can be hacked.” In it, CNN confirmed that “[t]he vulnerability [in implantable cardiac devices like pacemakers and defibrillators] occurred in the transmitter that reads the device’s data and remotely shares it with physicians.” In the FDA’s own report of the devices, they said that by accessing its transmitter, hackers could “modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”

How to Design and Build Secure IoT Solutions

Now it’s time to learn some best practices from Hewlett Packard Enterprise (HPE), one of the top IT companies in the world, to design and build secure IoT solutions so you can turn knowledge into practice.

  1. Secure and centralize the access logs of IoT devices: Centralized access logs equate to always knowing who’s attached to a network and knowing who’s logging into what, when and for how long. As one of the first lines of defense for IoT devices, you should always prevent devices from connecting to your network without your knowledge.
  2. Use encrypted protocols to secure communications: Very few IoT devices use encrypted communications as part of their initial configuration, and instead use ordinary web protocols that communicate across the Internet in plain text, which makes them more vulnerable to hacking. At a minimum, these devices should be using HTTPS, transport layer security (TLS), Secure File Transfer Protocol (SFTP), DNS security extensions, and other secure protocols for communications across the internet.
  3. Create more effective and secure password policies: Default passwords are usually changed when a device is first accessed. Unfortunately, not only do most devices lack strong IoT authentication solutions and access methods, but the concept of using multi-factor authentication is also a rarity in the IoT world. To curb this, default passwords should be strong and unique, and single sign-on tools to manage and limit access should be used.
  4. Implement restrictive network communications policies: Many IoT devices have permissive communication as part of their design, meaning that they can communicate with anyone and any device by default. Unfortunately, permissiveness makes these devices inherently insecure and vulnerable to hackers. Restrictive network communications like built-in firewall rules, on the other hand, offer more security.
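
The first, second and fourth practices can be checked together against a centralized access log. The following is an added example, not code from the original article or from HPE; the log format, the device inventory and the hostnames are constructed assumptions.

```python
import csv
import io

# Constructed sample of a centralized IoT access log (not real data):
# timestamp, device MAC, destination host, destination port
SAMPLE_LOG = """\
2024-05-01T08:00:02Z,aa:bb:cc:00:00:01,telemetry.example.com,443
2024-05-01T08:00:09Z,aa:bb:cc:00:00:02,telemetry.example.com,80
2024-05-01T08:01:15Z,aa:bb:cc:00:00:01,files.example.net,22
2024-05-01T08:02:40Z,de:ad:be:ef:00:99,telemetry.example.com,443
2024-05-01T08:03:11Z,aa:bb:cc:00:00:02,updates.example.com,23
"""

# Hypothetical inventory: each known device and the only hosts it may reach.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"telemetry.example.com"},
    "aa:bb:cc:00:00:02": {"telemetry.example.com", "updates.example.com"},
}

# Well-known ports of protocols that send data in plain text.
PLAINTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}


def audit(log_text, inventory=INVENTORY):
    """Return (timestamp, mac, finding) tuples for each policy violation."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, mac, host, port = (field.strip() for field in row)
        mac = mac.lower()
        allowed = inventory.get(mac)
        if allowed is None:
            # Practice 1: a device is on the network without our knowledge.
            findings.append((ts, mac, "unknown device"))
            continue
        if host not in allowed:
            # Practice 4: traffic outside the restrictive allowlist.
            findings.append((ts, mac, f"destination not allowed: {host}"))
        if port.isdigit() and int(port) in PLAINTEXT_PORTS:
            # Practice 2: communication over an unencrypted protocol.
            name = PLAINTEXT_PORTS[int(port)]
            findings.append((ts, mac, f"plaintext protocol: {name}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep="  ")
```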

Final Thoughts

IoT solutions present such a novel and useful way of interacting with your home and the devices in it that it can be easy to forget that, with them, come added vulnerabilities that need to be accounted for. Thankfully, today we learned that there are a couple of IoT security design best practices brands can follow to limit such vulnerabilities and implement secure solutions:

  1. Secure and centralize the access logs of IoT devices
  2. Use encrypted protocols to secure communications
  3. Create more effective and secure password policies
  4. Implement restrictive network communications policies, and set up virtual LANs

For you and me, the consumers, there are also a couple of things we can do to add an extra layer of security. For example:

  1. Name your router: Using a router manufacturer’s name might identify its make and model, which makes it easier for hackers to find a way in. Instead, give it a name that doesn’t use any personal identifiers.
  2. Set up a guest network: Keeping your network private while setting up a separate, guest network for others will allow you to create a barrier between your IoT devices and those with untoward motives.
  3. Use strong encryption methods: Set up strong encryption methods within your router settings to make your connection even more secure.
  4. Use strong and unique passwords: If you’re going the extra mile to secure your IoT devices, it doesn’t make sense to leave the metaphorical door cracked with a common password like password or 1234. Instead, use a unique and complex password made up of letters (uppercase and lowercase), numbers and symbols.
  5. Keep all software up-to-date: Whenever a manufacturer releases a software update, it’s likely to contain security patches for any vulnerabilities they may have found since the previous update. Knowing this, make sure to always keep your devices up-to-date with the latest software to keep them that much more secure.
  6. Be wary of public WiFi networks: Even though free WiFi networks sound enticing, they may be used by hackers to steal your information. For instance, the same feature that makes them free for the public—that no authentication to establish a connection is required—also makes them easy for hackers to hijack and position themselves between you and the connection point.