5 Software Tips for Securing IoT Devices

great points
Caleb Kraft   11/21/2013 4:49:02 PM
Great points all around. I'd love to see this revisited in 2 years to see what is at the top of the list then!

Special attention to video
LarryM99   11/19/2013 7:54:10 PM
Very good article. One thing that I would add, though, is the need to particularly lock down video feeds. This is an item that many people add to increase security but neglect to adequately lock down. Not only does that make it handy for an intruder to surveil the premises, but it can also provide a convenient open window. Peeping toms no longer have to hide in the bushes outside of a physical window.

Re: How about gateways?
LarryM99   11/19/2013 7:47:20 PM
I recently upgraded my home router, and I was impressed by how locked down the new one was by default. They randomized the SSID, closed down any inbound connections by default, turned off ping response, provided a unique default password, and a number of other enhancements. It is still quite possible to override these settings, but a user that doesn't do that will be much safer by default with new equipment like this.

Come on...
Charles.Desassure   11/19/2013 1:33:42 PM
Thanks for the wonderful recommendations and suggestions. It is not the IoT that is the problem. The weakest link in information security is people. As long as the average person does not know the meaning of "outbound"; or how about "HTTPS and SSL"; and what about "backdoor." Come on... Once again, wonderful suggestions.

Re: How about gateways?
chanj0   11/19/2013 12:59:36 PM
Your home network gateway plays an important role in the security of your home network as well. Typically, my gateway doesn't listen on any port on the external network. If it does, I only allow connection from a specific IP address, e.g. my office gateway address. The 5 tips in this article are very good. I am sure there will be more tips, and in some IoT applications, some tips may be found difficult to apply. Nonetheless, this article is a good starting point to develop a complete list. Security is no doubt the main concern in IoT. The sooner the list is nailed down, the better security we will earn.

Re: How about remote commands?
Caleb Kraft   11/19/2013 12:53:16 PM
True, and unfortunately so much security is only advanced due to the research that malicious people do. It is very hard to predict the weak points far down the road.

Re: How about gateways?
Caleb Kraft   11/19/2013 12:52:19 PM
If you're referring to most routers in public or in your homes, this shouldn't really be an issue. IoT devices should work just like a PC, phone, tablet etc. It should ask for an IP via DHCP just like everything else.

Re: How about remote commands?
RichQ   11/19/2013 12:09:25 PM
Thanks for the additional information and the link, Howdy. It helps clarify some things for me.

Re: Howdy, Howdy
howdypierce   11/19/2013 10:03:52 AM
Cuno--

Thank you for your comments.

SSL and the related protocols are definitely a pain in the rear ... a comment that applies to security generally :)

However, at least for Wi-Fi-based products, the computational overhead of SSL is basically something you're paying for already. For instance, if your silicon is capable of joining a WPA2 network, it's capable of AES encryption. We are seeing components from several major vendors targeted at exactly this application, and they've normally got SSL, HTTPS, and so on built in at relatively decent prices, at least in volume.

If instead you are talking about Zigbee and the other 802.15.4 protocols, then yes, those chips don't normally offer SSL support (at least as far as I'm aware).  But in this case, you're typically not talking about using IP on the device; instead, the gateway between 802.15.4 and IP would translate between the non-IP protocol and the IP backhaul to the cloud, and that's the point at which you'd apply SSL.  (As I said in another comment, though, I'd want to think hard about the security of this configuration more generally.  I'm not sure I'd trust, for instance, a Zigbee-based lock on my front door.)

Re: How about remote commands?
howdypierce   11/19/2013 9:53:04 AM
Rich,

Thanks for the really good comments.

Regarding the role of the gateway between the IP-based network and the 802.15.4 protocols (of which Zigbee is but one example) -- there are a whole host of issues here and probably deserving of an entire blog post. (To address Bert's comment: This configuration is common because of the very low power requirements of 802.15.4. Unfortunately, typically the IP communications are terminated at the gateway instead of being carried all the way to the device.) Specifically regarding the security of this configuration, I think there are likely to be vulnerabilities there, at least if you assume that attackers can get reasonably close to your 802.15.4 network. Definitely something to worry about.

Regarding how you engineer things to satisfy my "outbound connections only" rule, I have another blog post addressing that: http://www.cardinalpeak.com/blog/?p=1791
