IoT devices introduce 32.7% of all the infections in the mobile networks, Nokia stated. This number in 2020 was double than the previous year.
The report discusses the impending rise in security issues in 2020. These alarming numbers have compelled the governments to introduce IoT security standards to take care of your consumer products and components.
Here is another graph that shows the rise in mobile malware, with the increase in mobile usage and IoT devices getting common over the years in the past decade.
Which Attacks and Vulnerabilities Rocked the IoT World Recently?
Forescout research team discovered Amnesia:33—vulnerabilities in 4 open-source protocol stacks. These vulnerabilities would have caused Denial of Service (DoS), remote code execution, memory tampering, and data leakage. These could have impacted various functional areas like medical units, power grids, industries, and supply chains.
Another vulnerability named BLESA pushes two devices to reconnect without performing any authentication. This issue impacts Bluetooth low energy devices (BLE). Adversaries can impersonate as a BLE and take advantage. This issue was found to be affecting the Linux Bluetooth stack, Android, and iOS.
IoT security vulnerabilities don’t spare you even if you are a Tesla. One of the models and its key fob had a loophole that impacted the firmware in the key fob. The hacker could permeate into the firmware. And within 90 seconds, the car model was broken into.
Many such vulnerabilities loom over your IoT devices, making your users susceptible to data theft and irreparable loss. But chances of 2021 and years ahead of being safer for IoT devices are higher than ever.
Governments worldwide are working on their guidelines to make the IoT space safe heaven for the users and manufacturers like you.
Let’s brief you about the various governments’ recent declarations in this regard.
Various Government Regulations to Implement IoT Security Standards
If you are planning to launch your IoT product in 2021, you should closely follow your state or country’s guidelines.
NIST generated guidelines for secured IoT transactions last year. Then, earlier in December 2020, the US government signed the Internet of Things Cybersecurity Improvement Act of 2020. This act is likely to impact the consumer IoT vertical heavily.
Similarly, in January last year, the UK government clearly conveyed its interest in strong consumer IoT products’ security. ETSI defined an extensive set of IoT security protocols to complement the government’s initiative.
Here is a crux of the epic guidelines that you should follow before launching your IoT product successfully in 2021 to
win your consumers’ appreciation.
What IoT Security Standards You Should Follow in 2021?
When IoT device comes under consideration, the most important responsibility lies with the manufacturers. You can mitigate a software glitch by pushing a hotfix or workaround. But when hardware malfunctions due to security, the complete communication system, and your users’ data are at stake.
In line with the various governments’ guidelines, these are some of the major security guidelines in IoT devices you might see going full-fledged in 2021.
No Default Password
A password is like the key to your home. Once copied or stolen, your home is not in safe hands.
Similarly, your IoT device password should neither be weak nor be left at the default value. These ignored aspects offer your devices on a platter to the hackers for easy cracking.
You, as a manufacturer, should ideally enforce proper access control mechanisms. You should impose changing the default passwords with a defined password recovery and reset policy. You must enable password expiry to implement periodical changes.
For enhanced security, deploy multifactor authentication (MFA). Biometric passwords such as voice control, fingerprint, and face scan should be changeable. Limit the failed attempts and delay further trials to an IoT device to avoid denial of service (DoS) and resource exhaustion.
Vulnerabilities in an IoT device are unavoidable. For instance, a botnet can meddle with a compromised device to make it participate in DDoS (distributed denial of service).
90.3% of consumer IoT product companies are ignorant about vulnerabilities disclosure. Unclear and undisclosed vulnerabilities pose a grave difficulty to the security researchers who alarm the organizations about the prevailing issues.
You should disclose the vulnerabilities in your products to make users and security researchers aware. Your users can respond to them if they are well aware of communication policies.
Your vulnerability disclosure policy should be public and clearly specify the process of reaching out to you. These policies create a smooth avenue for the security researchers to reach out to you and keep you ahead of malicious threats.
As a manufacturer, you should provide contact details and an easily approachable channel to report an issue. Acknowledge the initial receipt of any complaint and update status promptly until resolution. You should enact swiftly based on the gravity of the problem.
Conduct penetration tests and vulnerability assessments periodically to identify vulnerabilities as early as possible.
You can expect strict policies to play in terms of software upgrades in 2021.
To protect the customers and devices from nefarious malfunctioning, you must deploy the updates periodically. An older version of the software is always susceptible to hacking due to incompatibilities with the complete ecosystem.
Periodical, automatic, and secured updates would be of utmost importance with an anti-rollback policy to prevent a downgrade attack. Your users should be able to apply the updates easily with an option to defer for a later period.
The device in 2021 would see more robust policies to upgrade securely post their initialization. You have to ensure that the onus of verifying the upgrade’s authenticity and integrity lies on the device. This would make the upgrades automatic and timely.
You should explain the end of the support period of an IoT device at the time of purchase.
An IoT device deals with cryptographic keys and parameters for security. These parameters should be securely stored. Any hardcoded parameter should resist any form of tampering. However, any hardcoded critical security parameter poses a threat.
In the case of the same products, every device should have a separate and unique key. The keys that determine integrity while updates should be unique.
An IoT device communicates with multiple other devices and servers in its ecosystem. So, you should provide the best cryptography process for communications.
2021 would lead to better cryptography policies according to the mandates of the NIST regulations. One of them would be cryptographic algorithms’ timely and automatic updates. If this doesn’t happen, you as a manufacturer should warn customers about the usage lifetime exceeding beyond intended.
Devices operating in the public network can be expected to see more secure communication. Any device that allows security configuration changes would be accessible only upon authentication.
Heightened security and encryption should happen for the devices during transit in their supply chain. Apart from keys security, confidentiality in QR codes and OTPs would be paramount during communication.
Exposed Attack Surface
According to the new regulations, the strict Principle of Least Privilege would enhance the security at the exposed surfaces and avoid any obvious threats.
You should limit the direct firmware update only to the developmental phase and block it in devices deployed already. All not-desirable and unused logical and physical interfaces should be disabled.
You should protect critical security information disclosure during or immediately after the initialization process unless authenticated. And the device hardware should be protected from exposing physical surfaces. You shouldn’t reveal any debugging interface via software. These options provide an easy entry point to hackers.
Another critical factor to keep in mind is: you should pave a way to access the memory through hardware.
Your IoT device should have a provision to verify the software using secure methods like the hardware root of trust, which is central to deriving the trust. All your physical and logical components derive their confidence from this epicenter.
Any unauthorized change in your IoT product’s software should alert the user. For issues that are beyond a user’s capability to tackle, an admin should receive an alert. For example, an admin can revert the device to the last known good state. Such a function might not be in a user’s purview. This revert can also avoid denial of service conditionally and multiple rounds of maintenance calls.
Privacy of Personal Data
Your device’s cryptography should protect the users’ privacy and personal data transmitting to and fro in the IoT ecosystem. The same goes with sensitive personal information—data that is highly susceptible to tampering, causing threats to money and life, etc.—but with a heightened level.
Apart from confidentiality, the integrity of your users’ data is a vital need. Apart from safeguarding users’ data, you should also convey how, why, and by whom the information is being used.
To test these standards, you should perform an impact assessment on security and data protection.
You should convey information and impact about the external sensing capabilities of your IoT device to the users. An example of such a sensor is an optical or acoustic sensor.
Outages in your IoT product can bring about life-threatening situations. It can cause your users’ significant financial losses. So, your device should be capable of handling outages smoothly. Even better if an IoT device is resilient to outages.
The resilience should also take care of the network and power outages. In case of a network glitch, the device should keep functioning locally. With an interrupted power supply, the device should resume operating in the normal state.
In case of pushing an update, you should notify the devices in batches to avoid any outage due to simultaneous downloads. During a mass failure for whatsoever reason, your device should be resilient to a distributed denial of service (DDoS).
Stats about device usage, performance management, and service measurement are telemetry data. This metadata is crucial to be monitored continuously. Analyzing these stats is essential for better services and measuring performance.
Any anomaly can be a significant pointer to malfunctioning or malpractice. Multiple failed login attempts, for instance, is a cue of a break-in.
You can also check software upgrades status with telemetry data. Logs help you to analyze integrity and security. Such data also hints you in advance about upcoming IoT security risks and gives you the legroom to deal with timely.
Want to amp up your IoT security knowledge? Read the series of our masterclass here.
Users’ Control Over Their Data
Your users should have complete authority over their data in your IoT products. You should give them the privilege to delete their personal data and content related to credentials, logins, and configuration. This sanitization would help them maintaining security regulations for a discarded, broken, or out of cycle device.
If you don’t give clear instructions for the same, your users would need to do multiple rounds of customer care calls. So, make it transparent and straightforward in your guidelines or user manuals. Keep them updated about the status of data deletion.
Device Installation and Maintenance
Installation and maintenance of an IoT device might sound like a challenge for a naïve user. As a manufacturer, it’s your onus to make it simple.
The instruction manual and guides should be easy to ingest. Make decisions for the users quick and straightforward. Provide them with default options in the setup wizard and leave hints on the UI.
A confirmation about successful setup or update completion would help your users to remain assured of the right functioning. Clear guidelines and UI can keep the misconfiguration limited.
Your devices should have a clear process of validating the data coming from various sources. Malicious data, wrong formats, and undesirable codes can bring down the device or the complete system.
You should log those out-of-range inputs in the telemetry that are beyond processing. Use tools and techniques to find and analyze the gaps that act as entry points for hackers.
There is little an end-user can do to secure the devices they use and connect with apps on their smart devices. But as a manufacturer, the primary responsibility lies on your shoulder.
If you are aiming to introduce a new IoT device or service in 2021 or the near future, follow the IoT security standards we have shared. These guidelines will help you remain assured of heightened security and happy customers.
In case you have challenges dealing with the security program your product needs, reach out to cybersecurity experts like Payatu, and reduce your worries.