4 ways to minimize IoT cybersecurity risks
With close to 400k followers, the Twitter account named Internet of Shit is the epitome of the dire situation emerging as we stumble into a world of connected devices.
Governments around the world are waking up to a reality where the severity of vulnerable technologies grows with our increasing dependence on technology. While hackers enjoy everything from ransomware to stealing compute power for crypto currency mining, most of the world stands watching the experience like a horror movie in slow motion.
With some very basic steps, we can reduce the vulnerabilities of the world’s connected devices greatly. Unfortunately, the world of cybersecurity has become such a lucrative business that instead of focusing on the basic stuff, the industry pushes out a plethora of prevention technologies so advanced, that only the echelon of IT experts can understand the systems.
Make IoT more secure
Like many other places in life, it seems that the 80/20 rule also applies to cybersecurity. With 20% of the effort, one can achieve 80% of the protection needed. Here are four simple steps that will greatly improve the security of connected devices:
- All communication must be encrypted. Ensuring that all communication to and from the device, independent of protocol used, is encrypted prevents man-in-the-middle attacks and the ability to sniff out information. People can avoid potential devastating consequences of doing something unfortunate, like accidentally sending a password to the device in clear text.
- Never use a hard-coded username and password. If a connected device gets stolen or physically tampered with, it should not be possible for an attacker to login to the device. A reset of a device should not lead to a default username and password or make it possible for the device to rejoin a greater network without proper re-authentication.
- Scan all software for known vulnerabilities. It is estimated that more than 90% of all compromises are due to exploits of known vulnerabilities. As a producer of connected devices, it is critical that all software is frequently scanned against known vulnerabilities as defined in the Common Vulnerabilities and Exposures (CVE) database. All connected devices use third party libraries and software – including Linux and popular protocols — that hackers try to find holes in. If every one in 1000 lines of code contains a bug, that means hackers are and will be successful at finding new vulnerabilities. Doing a scan once before shipping a device does not suffice. Scanning must be an ongoing exercise. Preferably the scan happens on the device, but it is also possible to do a scan against an inventory database if the vendor has full control of all the software running on the device.
- Patch CVEs. The last basic cybersecurity measure is to ensure that when any connected device contains software with a CVE, these devices are patched as soon as possible.
Most CVEs are made public after the vendor of the affected software has developed a patch to the vulnerability. By doing frequent scanning and patching of CVEs, the chance of a compromise is reduced by ten times.
Basic cybersecurity hygiene will improve the security of connected devices with an order of magnitude in just a few steps. Avoid the temptation of buying into advanced cybersecurity tools that in reality only cover edge cases. Spend the time and efforts to implement basic hygiene procedures. If you do that, you are much less likely to end up on the Internet of Shit feed for the world to laugh at.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.