Level 3 Communications

Jon Alexander

8 Best Practices for Security Within the Internet of Things

The term “the Internet of Things” (IoT) was coined as early as 1999, but as a technology trend IoT really started to gain steam in 2008, when the number of devices connected to the internet exceeded the number of people. By 2010 the number of connected devices had reached 12.5 billion,* driven in large part by the explosive growth in smartphones and tablet PCs and arguably accelerated by the launch of the iPhone. Predictions range from 28 billion to more than 50 billion connected devices by 2020. Even at the low end, the numbers are impressive, to say the least.

The most familiar side of IoT includes our personal devices: smartphones, tablets, PCs, games consoles, TVs and other entertainment devices. Whether we are at home, in a coffee shop, on a train or a plane, we are lost without the ability to connect to the internet to access our preferred content.

This first class of IoT devices can be classified as “consumer”, with “enterprise” as a second category. Bill Ruh, CEO of General Electric Digital, identified “industrial” as a third category, and estimates the “industrial app economy” will be worth $225 billion by 2020. GE is already building sensors into gas turbines, jet engines and other machines, connecting them to the cloud, and analyzing the resulting flow of data.

These connected sensors promise vast opportunities in improved utilities, energy-savings, efficiencies, safety and customer experience, as enterprises and industry tap into the massive amount of data they generate.

As far back as 2010, Sparked, a Dutch startup, implanted wireless sensors in the ears of cattle to let farmers track their movements and eating habits and be notified when a cow is sick or pregnant. Each tagged cow generates 200MB of data per year. With approximately 1.5 billion cows on the planet, if every cow had a sensor the result would be 300 petabytes of data per year, or 100 times the amount of all audio, video and digital materials held in the Library of Congress.

Setting aside the potential “bovine effect,” the benefits, changes and challenges IoT offers are starting to manifest. Consider the sheer number of devices that need to be connected—and the data traffic associated with them. From self-driving cars and wearable exercise monitors to mobile healthcare and smart grid management, the term “Big Data”, and all that it denotes, is being redefined.

The implications for bandwidth and storage demand are obvious. Less obvious is that this explosion in the number of connected devices, and in the amount of data they produce, also brings a new set of risks and security threats. Security researchers keep finding the same basic vulnerabilities in IoT devices, weaknesses that would be unthinkable in an established “smart device” such as a tablet or phone: unencrypted communications, weak authentication (e.g. username admin, password admin) and unnecessary services such as telnet exposed to the internet.

In March 2015, Shodan published research showing the most popular services exposed on the internet. Telnet remained the sixth most popular, with FTP at number 10. Both protocols share the same security problems: no encryption, weak authentication, no server authentication and no data integrity protection, so credentials and data cross the network in the clear and a device cannot tell a legitimate server from an attacker in the path. Even where a stronger protocol such as SSH is used, Shodan found the same SSH host key reused across thousands of devices, often on an older OpenSSH version with multiple known vulnerabilities.

[Graph: most popular services exposed on the internet. Source: Shodan, March 2015]
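The Shodan findings above are easy to reproduce against your own address space once you have scan output. The script below is an added example, not part of the original post or of Shodan's tooling: it audits a set of constructed scan records (hypothetical hosts in the 203.0.113.0/24 documentation range with made-up banners and host-key fingerprints) for the three problems named here: telnet or FTP facing the internet, one SSH host key shared across several devices, and old OpenSSH releases. The minimum OpenSSH version is an assumed cutoff to tune to your own patch policy.

```python
"""Audit device scan results for cleartext services, reused SSH host keys
and outdated OpenSSH. The records are constructed for this example; in
practice they would come from your own scanner (nmap, ssh-keyscan, etc.)."""
import re
from collections import defaultdict

# Constructed sample records. "hostkey" is the SSH host-key fingerprint a
# scanner such as ssh-keyscan would report; the values are made up.
SAMPLE_SCAN = [
    {"host": "203.0.113.10", "port": 23, "banner": "login:"},
    {"host": "203.0.113.10", "port": 22, "banner": "SSH-2.0-OpenSSH_5.3",
     "hostkey": "SHA256:AAAA"},
    {"host": "203.0.113.11", "port": 22, "banner": "SSH-2.0-OpenSSH_5.3",
     "hostkey": "SHA256:AAAA"},
    {"host": "203.0.113.12", "port": 22, "banner": "SSH-2.0-OpenSSH_5.3",
     "hostkey": "SHA256:AAAA"},
    {"host": "203.0.113.20", "port": 21, "banner": "220 FTP server ready"},
    {"host": "203.0.113.30", "port": 22, "banner": "SSH-2.0-OpenSSH_7.9p1",
     "hostkey": "SHA256:BBBB"},
    {"host": "203.0.113.40", "port": 443, "banner": "HTTP/1.1 200 OK"},
]

# Cleartext protocols that should never face the internet.
HIGH_RISK_PORTS = {23: "telnet-exposed", 21: "ftp-exposed"}

# Assumed minimum acceptable OpenSSH release; adjust to your patch policy.
MIN_OPENSSH = (7, 4)

_OPENSSH_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_openssh_version(banner):
    """Return (major, minor) from an SSH banner, or None if it is not OpenSSH."""
    m = _OPENSSH_RE.search(banner or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit(records, min_openssh=MIN_OPENSSH):
    """Return {host: sorted issue codes} for every host with at least one finding."""
    findings = defaultdict(set)
    hosts_by_key = defaultdict(set)
    for r in records:
        host, port = r["host"], r["port"]
        if port in HIGH_RISK_PORTS:
            findings[host].add(HIGH_RISK_PORTS[port])
        ver = parse_openssh_version(r.get("banner"))
        if ver is not None and ver < min_openssh:
            findings[host].add("openssh-outdated")
        if r.get("hostkey"):
            hosts_by_key[r["hostkey"]].add(host)
    # A host key shared by several devices means they all hold the same
    # private key: compromising any one lets an attacker impersonate the rest.
    for hosts in hosts_by_key.values():
        if len(hosts) > 1:
            for host in hosts:
                findings[host].add("sshkey-reused")
    return {h: sorted(i) for h, i in findings.items()}


if __name__ == "__main__":
    for host, issues in sorted(audit(SAMPLE_SCAN).items()):
        print(host, ", ".join(issues))
```

Port-based detection is deliberately simple; a real audit should also match banners, since telnet on a non-standard port is still telnet. The host-key grouping is the check most teams forget, and it is the one that turns a single compromised device into a fleet-wide impersonation problem.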

With this in mind, we want to share these eight best practices on security for IoT:

  1. Deploy security gateways: The ability to inspect, audit and control the communications into and out of your network is essential as the number, variety and complexity of connected devices increase.
  2. Use strong authentication: Many consumer devices still ship with weak default passwords (admin/admin) which many users never change. Manufacturers should require a strong password to be set before the device can be used. In the industrial world, where a username and password for every device is neither feasible nor desirable, an alternative mechanism to establish identity and trust is required, such as blockchain, especially as more communication becomes machine to machine (M2M).
  3. Disable non-essential services: Many devices ship with telnet, FTP and other high-risk services enabled and exposed to the internet. Turn off anything the device does not need, and never expose a management service directly to the internet.
  4. Use secure protocols: Protocols such as HTTPS and SSH are designed to provide encryption, server authentication and strong client authentication. They only deliver that if the device actually verifies the server's certificate or host key instead of accepting whatever it is offered.
  5. Check data integrity: The internet is an unreliable medium and, while protocols like TCP add reliability, transfers can still be interrupted or corrupted, quite apart from deliberate attempts to hijack communications. For critical communications, in addition to authentication and encryption, provide a checksum or signature so the receiver can verify the data. Note that a plain checksum catches accidental corruption only; detecting deliberate tampering needs a keyed MAC or a digital signature.
  6. Plan for continuous upgrades: Critical vulnerabilities like Shellshock and Heartbleed continue to be found in software at the heart of internet-connected devices. Plan for future upgrades to device software from the start. Updates will increasingly be delivered over the air and may need to be applied rapidly depending on the criticality of the fix, so the update channel itself must be authenticated (see practice 5), or it becomes the easiest way to put attacker code on every device.
  7. Ensure IoT management hubs and internet-managed devices are secure: If you use a hub or service that manages multiple IoT devices, be aware that it is a single point of access for compromising all of them. Look for robust, built-in security capabilities that integrate easily into existing systems. The same goes for internet-managed IoT devices: their weak point is the path by which you reach them from the internet.
  8. Vary and regularly change your passwords: This seems like a given these days, but it bears repeating. Do not use the same password for all of your IoT devices, and avoid using your “primary” email address as your IoT username, since attackers commonly phish that email account to harvest passwords. Change your passwords regularly, every 90 days at a minimum.
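Practices 5 and 6 meet in the update path: a device that applies whatever it downloads is exactly the device an attacker wants. The code below is an added example, not from the original post or from any vendor's update system, showing a producer-side manifest and the device-side checks that fail closed: authenticate the manifest first, refuse anything not newer than what is installed (anti-rollback), then verify the payload digest. It uses HMAC with an assumed shared key because that needs only the Python standard library; for fielded devices a public-key signature (e.g. Ed25519) is the better fit, since the device then holds no secret that could be used to forge updates. The firmware bytes and key are constructed placeholders.

```python
"""Verify an over-the-air update before applying it.
Constructed example: shared-key HMAC stands in for a digital signature."""
import hashlib
import hmac
import json

# Assumed key provisioned at manufacture. Hard-coded only to keep the example
# self-contained; never ship a real device with a key embedded like this.
UPDATE_KEY = b"example-provisioning-key-do-not-use"


def build_manifest(key, version, payload):
    """Producer side: describe the update and authenticate that description.
    Returns (manifest_bytes, tag). Canonical JSON so both sides hash the same bytes."""
    manifest = {
        "version": version,
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_update(key, installed_version, body, tag, payload):
    """Device side. Returns (ok, reason). Every check must pass; the manifest
    is not even parsed until its tag has been verified."""
    # 1. Authenticity of the manifest. compare_digest avoids timing leaks.
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad manifest tag"
    manifest = json.loads(body)
    # 2. Anti-rollback: a replayed old-but-genuine manifest must not reinstall
    #    a release with known holes.
    if manifest["version"] <= installed_version:
        return False, "version %s not newer than %s" % (
            manifest["version"], installed_version)
    # 3. Integrity of the payload against the authenticated digest.
    digest = hashlib.sha256(payload).hexdigest()
    if len(payload) != manifest["size"] or \
            not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "payload digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    firmware = b"constructed firmware image v12"          # placeholder payload
    body, tag = build_manifest(UPDATE_KEY, 12, firmware)
    print(verify_update(UPDATE_KEY, 11, body, tag, firmware))        # accepted
    print(verify_update(UPDATE_KEY, 12, body, tag, firmware))        # rollback
    print(verify_update(UPDATE_KEY, 11, body, tag, firmware + b"!"))  # tampered
```

Keeping the version inside the authenticated manifest is what makes the rollback check meaningful: an attacker who can only replay old traffic cannot change the number without breaking the tag. Rapid over-the-air delivery (via a CDN or otherwise) is safe to automate once these checks sit on the device, because the transport no longer needs to be trusted.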

A content delivery network (CDN) can also help secure the internet of things as part of a layered security approach. Cisco predicts CDNs will carry 64% of all internet traffic by 2020. Whilst CDNs are most often associated with video, IoT is an increasingly common use case. Look for a globally deployed CDN with proven high performance and reliable downloads over HTTP to get critical updates out to connected devices quickly. Also make sure the CDN provides strong TLS encryption and can integrate with almost any authentication scheme.

*Cisco IBSG, “The Internet of Things: How the Next Evolution of the Internet Is Changing Everything”, April 2011

Find out how Level 3 can help you meet the demands of IoT.