This document summarizes guidelines for improving Internet of Things (IoT) security. It outlines 12 guidelines including securing credentials and sensitive data, keeping software updated, minimizing exposed attack surfaces, ensuring personal data is protected, monitoring system telemetry for anomalies, making it easy for users to delete personal data, and prioritizing usability in installation and maintenance. The guidelines are aimed at establishing basic security hygiene practices to help address issues like default passwords, lack of software updates, and exposed vulnerabilities that have allowed IoT botnets and data breaches in the past. Following the guidelines would help improve the overall security and privacy of IoT systems.

1. Internet of
Things
Security
09.11.2019
Cigdem Sengul

2. About me
Senior Researcher at New
Ventures at Nominet, the registry
for UK domain names
Specialise in computer networks
and currently on IoT access control,
and personal data protection.

3. 3
Internet of Things (IoT) promises a smarter future
Things Networks Data, Applications
Flood
monitoring
connect to , generate enabling new

4. 4
IoT needs to improve its
reputation
4
Not easy to use
Not secure
Not private
or interoperable

5. 5
Need to secure end-to-end
Things Networks Data, Applications
Flood
monitoring
connect to , generate enabling new
Things vary in
their capabilities
Various
communication
patterns and network
architectures
Multiple protocols
(proprietary or
standards)
Security
requirements are
diverse

6. Security Makes IoT a Market for Lemons?
Information Asymmetry Consumers have no
ability to differentiate between the safe and
dangerous devices.
Leads to a spiral effect of quality of goods in
a market degrading leaving only "lemons"
behind.
Negative Externalities mean the cost of a
poor product is suffered by a third party.
May lead to market failure necessitating
regulation.
6
Source: https://www.iotsecurityfoundation.org/market-for-lemons/

7. UK Code of Practice for Consumer IoT
SecurityVoluntary code of practice
In June 2019, DCMS ran a
consultation on mandatory
requirements to ensure
baseline IoT security
IoT security label
NOMINET IOT PRIVACY
7
Source: DCMS

8. 1. No default universal passwords
All IoT device passwords shall be
unique and not resettable to any
universal factory default value.
NOMINET IOT PRIVACY
8
Example of bad:
Mirai botnet launched a brute force attack,
trying commonly used administrative
passwords on IoT devices like surveillance
cameras, and DVR players.
Took over 600K devices = Unprecedented
DDoS power
Source: Cisco. Data from a honeypot, showing devices
are distributed all around the world.
https://umbrella.cisco.com/blog/2017/01/05/future-
assaulting-internet-mirai/

9. 2. Implement a
vulnerability
disclosure
policy
9
All companies shall provide a public
point of contact as part of a
vulnerability disclosure policy.
Disclosed vulnerabilities should be
acted on a timely manner.
9
Example of bad:
The web exploit in question is called DNS
rebinding, an attack first disclosed at the
RSA Conference in 2008.
The severity of this vulnerability, and the
continued negligence by the Radio Thermostat
Company of America who’ve had years to fix it,
are perfect examples of why we need security
regulation for IoT devices.
https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-
rebinding-ea7098a2d325

10. 3. Keep software
updated
Software components should be
securely updateable.
Constrained devices that cannot
physically be updated, should be
isolatable and replaceable.
https://www.iottechnews.com/news/2017/apr/07/amnesia-yet-another-iot-
botnet-targets-global-dvrs/
Example of bad:
Amnesia targeted digital video recorders
(DVRs) by exploiting an unpatched remote
code execution vulnerability disclosed a
year before the attacks.

11. 4. Securely store
credentials &
sensitive data
11
Any credentials shall be stored
securely within services and on
devices. Hard-coded credentials in
device software are not acceptable.
Example of bad:
WeMo devices put the signing key in the
firmware; so the attacker can sign firmware
updates…
Source: https://arstechnica.com/information-technology/2014/02/password-leak-in-wemo-
devices-makes-home-appliances-susceptible-to-hijacks/

12. 6. Minimise
exposed attack
surfaces
13
All devices and services should operate
on the ‘on the principle of least privilege’;
unused ports should be closed; code
should be minimized. Software runs with
appropriate privileges.
Example of bad:
2 billion logs containing everything from user
passwords to account reset codes and even a
"smart" camera recorded conversation on the
Orvibo platform, exposed to the Internet
through misconfigured Elasticsearch API
without any password protection.
Souurce:
https://www.forbes.com/sites/daveywinder/2019/07/02/confirmed-2-
billion-records-exposed-in-massive-smart-home-device-breach

13. 8. Ensure that personal data is
protected
15
Where devices and/or services
process personal data, they shall do so
according to regulation e.g., GDPR
Example of bad:
The data breach caused e-mails,
passwords and 2 million voice messages
recorded on toys be breached, and at
some point held in ransom.
Source: https://www.bbc.co.uk/news/technology-39115001

14. 10. Monitor system telemetry data
17
If telemetry data is collected from IoT
devises and services, such as usage
and measurement data, it should be
monitored for security anomalies.
Example of bad:
The attackers used the IoT thermometer,
which was connected to the casino’s
network, to gain a foothold in the network.
Once inside, they pulled data across the
network, out the thermostat and up to the
cloud. 10 GB off to a device in Finland
before the threat was detected and
stopped.
https://digit.fyi/iot-thermometer-fish-tank-hack/

15. 11. Make it easy for consumers to
delete personal data
18
Consumers should be given clear
instructions on how to delete their
personal data.
Bad example:
Old car is still in the management app,
never expires
Used home automation hub comes with
old owner’s devices, and don’t go away
with factory reset Source: https://securityintelligence.com/an-iot-love-story-always-apart-never-disconnected/

16. 12. Make
installation and
maintenance of
devices easy
19
Installation and maintenance should
employ minimal steps and follow
security best practice on usability.
Example of bad:
Resetting to factory settings should not
require a sequence of precise steps
Usability affects security
https://www.youtube.com/watch?v=1BB6wj
6RyKo

17. Guidelines
improve
security
hygiene
Basic security hygiene can take us a long
way.
Integrity of the system is at the heart of it all
User education can put pressure on
manufacturers

18. Thank you