This document summarizes guidelines for improving Internet of Things (IoT) security. It outlines 12 guidelines including securing credentials and sensitive data, keeping software updated, minimizing exposed attack surfaces, ensuring personal data is protected, monitoring system telemetry for anomalies, making it easy for users to delete personal data, and prioritizing usability in installation and maintenance. The guidelines are aimed at establishing basic security hygiene practices to help address issues like default passwords, lack of software updates, and exposed vulnerabilities that have allowed IoT botnets and data breaches in the past. Following the guidelines would help improve the overall security and privacy of IoT systems.
2. About me
Senior Researcher at New Ventures at Nominet, the registry for UK domain names.
Specialise in computer networks, currently working on IoT access control and personal data protection.
3. Internet of Things (IoT) promises a smarter future
[Figure: Things connect to Networks, generate Data, enabling new Applications; example shown: flood monitoring]
4. IoT needs to improve its reputation
Not easy to use
Not secure
Not private or interoperable
5. Need to secure end-to-end
[Figure: Things connect to Networks, generate Data, enabling new Applications; example shown: flood monitoring]
Things vary in their capabilities
Various communication patterns and network architectures
Multiple protocols (proprietary or standards)
Security requirements are diverse
6. Security Makes IoT a Market for Lemons?
Information asymmetry: consumers have no ability to differentiate between the safe and the dangerous devices. This leads to a spiral in which the quality of goods in the market degrades, leaving only "lemons" behind.
Negative externalities mean the cost of a poor product is suffered by a third party.
May lead to market failure, necessitating regulation.
Source: https://www.iotsecurityfoundation.org/market-for-lemons/
7. UK Code of Practice for Consumer IoT Security
Voluntary code of practice
In June 2019, DCMS ran a consultation on mandatory requirements to ensure baseline IoT security
IoT security label
NOMINET IOT PRIVACY
Source: DCMS
8. 1. No default universal passwords
All IoT device passwords shall be unique and not resettable to any universal factory default value.
Example of bad:
The Mirai botnet launched a brute-force attack, trying commonly used administrative passwords on IoT devices such as surveillance cameras and DVRs.
It took over 600K devices, giving it unprecedented DDoS power.
Source: Cisco. Data from a honeypot, showing infected devices distributed all around the world.
https://umbrella.cisco.com/blog/2017/01/05/future-assaulting-internet-mirai/
9. 2. Implement a vulnerability disclosure policy
All companies shall provide a public point of contact as part of a vulnerability disclosure policy. Disclosed vulnerabilities should be acted on in a timely manner.
Example of bad:
"The web exploit in question is called DNS rebinding, an attack first disclosed at the RSA Conference in 2008. The severity of this vulnerability, and the continued negligence by the Radio Thermostat Company of America, who have had years to fix it, are perfect examples of why we need security regulation for IoT devices."
Source: https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
10. 3. Keep software updated
Software components should be securely updateable. Constrained devices that cannot physically be updated should be isolatable and replaceable.
Example of bad:
Amnesia targeted digital video recorders (DVRs) by exploiting an unpatched remote code execution vulnerability disclosed a year before the attacks.
Source: https://www.iottechnews.com/news/2017/apr/07/amnesia-yet-another-iot-botnet-targets-global-dvrs/
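What "securely updateable" means on the device side, as an added example that is not from the slides or from Nominet: the device carries only the vendor's public key, the vendor signs a small manifest that binds the image by its SHA-256 digest, and the device refuses anything that is unsigned, edited, meant for another model, older than what is installed, or whose image does not match the digest. The device name, manifest layout and Ed25519 choice are assumptions made for the example.

```go
// Added example, not from the slides: device-side verification of a signed
// firmware update. The device holds only the vendor's Ed25519 public key; the
// private key never leaves the vendor. Names and the manifest layout are assumptions.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs. The image is bound to it through its
// SHA-256 digest, so a modified image fails even though only the manifest is signed.
type Manifest struct {
	Device  string `json:"device"`
	Version uint32 `json:"version"`
	Image   string `json:"image_sha256"` // hex digest of the firmware image
}

// GenerateVendorKeys creates the vendor signing key pair (done once, offline).
func GenerateVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignManifest runs at the vendor: serialise the manifest, then sign the exact bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestBytes, sig []byte, err error) {
	manifestBytes, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestBytes, ed25519.Sign(priv, manifestBytes), nil
}

// VerifyUpdate runs on the device and returns nil only if: the signature is
// valid under the vendor key, the manifest is for this model, the version is
// strictly newer than the installed one (anti-rollback), and the image matches
// the signed digest. The signature is checked first, before any manifest field is trusted.
func VerifyUpdate(pub ed25519.PublicKey, device string, installed uint32, manifestBytes, sig, image []byte) error {
	if !ed25519.Verify(pub, manifestBytes, sig) {
		return errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestBytes, &m); err != nil {
		return fmt.Errorf("manifest malformed: %w", err)
	}
	if m.Device != device {
		return fmt.Errorf("manifest is for %q, not %q", m.Device, device)
	}
	if m.Version <= installed {
		return fmt.Errorf("rollback refused: version %d is not newer than %d", m.Version, installed)
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != m.Image {
		return errors.New("image digest does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, err := GenerateVendorKeys()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v2") // stands in for the real binary
	sum := sha256.Sum256(image)
	mb, sig, _ := SignManifest(priv, Manifest{Device: "dvr-x100", Version: 2, Image: hex.EncodeToString(sum[:])})

	fmt.Println("genuine update:  ", VerifyUpdate(pub, "dvr-x100", 1, mb, sig, image))
	fmt.Println("tampered image:  ", VerifyUpdate(pub, "dvr-x100", 1, mb, sig, []byte("backdoored")))
	fmt.Println("rollback to v2:  ", VerifyUpdate(pub, "dvr-x100", 2, mb, sig, image))
	sig[0] ^= 0xff
	fmt.Println("forged signature:", VerifyUpdate(pub, "dvr-x100", 1, mb, sig, image))
}
```

The order of checks is the point: the manifest is untrusted input until the signature verifies, so the version and digest fields are only read afterwards. Anti-rollback is what stops an attacker from re-serving an old, legitimately signed image with a known hole, which is the Amnesia scenario with a signed update channel.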
11. 4. Securely store credentials & sensitive data
Any credentials shall be stored securely within services and on devices. Hard-coded credentials in device software are not acceptable.
Example of bad:
WeMo devices shipped the firmware signing key inside the firmware itself, so an attacker who extracts it can sign their own firmware updates.
Source: https://arstechnica.com/information-technology/2014/02/password-leak-in-wemo-devices-makes-home-appliances-susceptible-to-hijacks/
12. 6. Minimise exposed attack surfaces
All devices and services should operate on the principle of least privilege: unused ports should be closed, code should be minimised, and software should run with appropriate privileges.
Example of bad:
2 billion log records containing everything from user passwords to account reset codes, and even conversations recorded by a "smart" camera, on the Orvibo platform were exposed to the Internet through a misconfigured Elasticsearch API without any password protection.
Source: https://www.forbes.com/sites/daveywinder/2019/07/02/confirmed-2-billion-records-exposed-in-massive-smart-home-device-breach
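An attack-surface audit in the spirit of this guideline, as an added example that is not from the slides or from Nominet: it parses the Linux /proc/net/tcp table (the same data `ss -ltn` shows), keeps the sockets in LISTEN state, and flags any listener bound to a non-loopback address that is not on an allow list, plus allowed services still running as root. The sample table and the allow list are constructed for the example; the service behind port 9200 is only assumed to be a search API left open, as in the Orvibo case.

```go
// Added example, not from the slides: an attack-surface audit over the Linux
// /proc/net/tcp table. It lists LISTEN sockets and flags anything reachable from
// the network that is not on an allow list, or that runs as root. Sample data is constructed.
package main

import (
	"bufio"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Listener is one listening TCP socket from the kernel table.
type Listener struct {
	IP   string
	Port int
	UID  int
}

// parseAddr decodes the kernel's "IPHEX:PORTHEX" form; the IPv4 bytes are
// little-endian on x86 (0100007F is 127.0.0.1) and the port is big-endian.
func parseAddr(s string) (string, int, error) {
	f := strings.SplitN(s, ":", 2)
	if len(f) != 2 {
		return "", 0, fmt.Errorf("bad address %q", s)
	}
	b, err := hex.DecodeString(f[0])
	if err != nil || len(b) != 4 {
		return "", 0, fmt.Errorf("bad ip %q", f[0])
	}
	port, err := strconv.ParseUint(f[1], 16, 16)
	if err != nil {
		return "", 0, fmt.Errorf("bad port %q", f[1])
	}
	return fmt.Sprintf("%d.%d.%d.%d", b[3], b[2], b[1], b[0]), int(port), nil
}

// Listeners parses /proc/net/tcp text and keeps only sockets in state 0A (LISTEN).
func Listeners(table string) ([]Listener, error) {
	var out []Listener
	sc := bufio.NewScanner(strings.NewReader(table))
	sc.Scan() // header line
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 8 || f[3] != "0A" {
			continue
		}
		ip, port, err := parseAddr(f[1])
		if err != nil {
			return nil, err
		}
		uid, err := strconv.Atoi(f[7])
		if err != nil {
			return nil, err
		}
		out = append(out, Listener{IP: ip, Port: port, UID: uid})
	}
	return out, sc.Err()
}

// Exposed reports listeners on a non-loopback address whose port is not allowed (an
// unexpected open port), and allowed network services that still run as root.
func Exposed(ls []Listener, allowed map[int]bool) []string {
	var findings []string
	for _, l := range ls {
		if strings.HasPrefix(l.IP, "127.") {
			continue // loopback-only services are not part of the network attack surface
		}
		switch {
		case !allowed[l.Port]:
			findings = append(findings, fmt.Sprintf("unexpected listener %s:%d (uid %d): close the port or bind to loopback", l.IP, l.Port, l.UID))
		case l.UID == 0:
			findings = append(findings, fmt.Sprintf("allowed service on port %d runs as root: drop privileges", l.Port))
		}
	}
	return findings
}

// SampleProcNetTCP is a constructed table in the kernel's format (trailing columns trimmed).
const SampleProcNetTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 100 1 0 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 101 1 0 100 0 0 10 0
   2: 00000000:23F0 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 102 1 0 100 0 0 10 0
   3: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 103 1 0 100 0 0 10 0
   4: 0A00000A:0017 0B00000A:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 104 1 0 100 0 0 10 0
`

func main() {
	ls, err := Listeners(SampleProcNetTCP)
	if err != nil {
		panic(err)
	}
	for _, f := range Exposed(ls, map[int]bool{22: true}) {
		fmt.Println(f)
	}
}
```

On the sample, port 8080 is ignored because it is loopback-only, the established connection on row 4 is not a listener, and the two findings that matter are the telnet daemon on 0.0.0.0:23 as root and the unlisted service on 0.0.0.0:9200 with no expectation of being reachable at all. Run the same parse against a real device's /proc/net/tcp (and /proc/net/tcp6) as a build-time or boot-time check.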
13. 8. Ensure that personal data is protected
Where devices and/or services process personal data, they shall do so according to regulation, e.g. GDPR.
Example of bad:
The data breach exposed e-mails, passwords and 2 million voice messages recorded on the toys, and at some point the data was held for ransom.
Source: https://www.bbc.co.uk/news/technology-39115001
14. 10. Monitor system telemetry data
If telemetry data is collected from IoT devices and services, such as usage and measurement data, it should be monitored for security anomalies.
Example of bad:
The attackers used an IoT thermometer in a fish tank, which was connected to the casino's network, to gain a foothold in the network. Once inside, they pulled data across the network, out through the thermometer and up to the cloud: 10 GB went to a device in Finland before the threat was detected and stopped.
Source: https://digit.fyi/iot-thermometer-fish-tank-hack/
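Two of the anomalies this guideline is about, detected over telemetry, as an added example that is not from the slides or from Nominet: a login-failure burst in which one source tries many distinct username/password pairs against a device in a short window (the Mirai dictionary pattern), and a device moving far more data than its baseline to a destination it has never talked to (the fish-tank case). The record format, the thresholds and the sample lines are constructed for this example.

```go
// Added example, not from the slides: two anomaly checks a fleet back end can run over the
// telemetry it already collects. Record format, thresholds and the sample lines are constructed.
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)
// Event is one telemetry record: an RFC 3339 timestamp followed by key=value fields.
type Event struct {
	Time   time.Time
	Fields map[string]string
}

// ParseLine parses "2019-07-02T10:00:01Z k=v k=v ..."; ok is false for malformed input.
func ParseLine(line string) (Event, bool) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return Event{}, false
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	ev := Event{Time: ts, Fields: map[string]string{}}
	for _, kv := range parts[1:] {
		f := strings.SplitN(kv, "=", 2)
		if len(f) != 2 {
			return Event{}, false
		}
		ev.Fields[f[0]] = f[1]
	}
	return ev, err == nil
}

// CredentialStuffing flags a source that fails to log in to one device with at least threshold
// distinct username/password pairs inside window: Mirai cycling through its short dictionary.
// The pass field stands in for a salted hash of the attempt; never log the password itself.
func CredentialStuffing(events []Event, window time.Duration, threshold int) []string {
	byPair := map[string][]Event{}
	for _, ev := range events {
		if ev.Fields["event"] == "auth_fail" {
			k := ev.Fields["src"] + " -> " + ev.Fields["dst"]
			byPair[k] = append(byPair[k], ev)
		}
	}
	var alerts []string
	for k, evs := range byPair {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for start := range evs { // sliding window over the time-ordered failures
			distinct := map[string]bool{}
			for end := start; end < len(evs) && evs[end].Time.Sub(evs[start].Time) <= window; end++ {
				distinct[evs[end].Fields["user"]+":"+evs[end].Fields["pass"]] = true
			}
			if len(distinct) >= threshold {
				alerts = append(alerts, fmt.Sprintf("credential stuffing: %s, %d distinct pairs within %s", k, len(distinct), window))
				break
			}
		}
	}
	sort.Strings(alerts)
	return alerts
}

// EgressAnomaly flags a device sending more than limit bytes to a host outside its baseline.
func EgressAnomaly(events []Event, baseline map[string]map[string]bool, limit int64) []string {
	totals := map[[2]string]int64{}
	for _, ev := range events {
		n, err := strconv.ParseInt(ev.Fields["bytes_out"], 10, 64)
		if ev.Fields["event"] != "flow" || err != nil {
			continue // not a flow record, or a malformed counter
		}
		totals[[2]string{ev.Fields["device"], ev.Fields["dst"]}] += n
	}
	var alerts []string
	for k, n := range totals {
		if dev, dst := k[0], k[1]; !baseline[dev][dst] && n > limit {
			alerts = append(alerts, fmt.Sprintf("egress anomaly: %s sent %d bytes to unknown host %s", dev, n, dst))
		}
	}
	sort.Strings(alerts)
	return alerts
}

// SampleTelemetry is constructed for the example (TEST-NET addresses, invented hostnames).
var SampleTelemetry = []string{
	"2019-07-02T10:00:01Z event=auth_fail src=203.0.113.7 dst=10.0.0.5 user=root pass=12345",
	"2019-07-02T10:00:02Z event=auth_fail src=203.0.113.7 dst=10.0.0.5 user=root pass=default",
	"2019-07-02T10:00:02Z event=auth_fail src=203.0.113.7 dst=10.0.0.5 user=admin pass=admin",
	"2019-07-02T10:00:03Z event=auth_fail src=203.0.113.7 dst=10.0.0.5 user=admin pass=1234",
	"2019-07-02T10:00:04Z event=auth_fail src=203.0.113.7 dst=10.0.0.5 user=support pass=support",
	"2019-07-02T10:05:00Z event=auth_fail src=192.0.2.10 dst=10.0.0.5 user=alice pass=typo", // one slip, not an attack
	"2019-07-02T11:00:00Z event=flow device=tank-thermometer-1 dst=vendor.example bytes_out=4096",
	"2019-07-02T11:10:00Z event=flow device=tank-thermometer-1 dst=198.51.100.9 bytes_out=10000000000",
}
func main() {
	var events []Event
	for _, line := range SampleTelemetry {
		ev, _ := ParseLine(line) // sample lines are well-formed
		events = append(events, ev)
	}
	baseline := map[string]map[string]bool{"tank-thermometer-1": {"vendor.example": true}}
	fmt.Println(CredentialStuffing(events, 30*time.Second, 5), EgressAnomaly(events, baseline, 100_000_000))
}
```

Both checks only need data the device or gateway already produces (authentication results and per-flow byte counts), which is the point of the guideline: the casino did have the telemetry, it just was not being watched for a sensor talking to a host it had no business talking to.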
15. 11. Make it easy for consumers to delete personal data
Consumers should be given clear instructions on how to delete their personal data.
Bad example:
An old car is still listed in the management app; the association never expires.
A used home automation hub comes with the old owner's devices, which do not go away with a factory reset.
Source: https://securityintelligence.com/an-iot-love-story-always-apart-never-disconnected/
16. 12. Make installation and maintenance of devices easy
Installation and maintenance should employ minimal steps and follow security best practice on usability.
Example of bad:
Resetting to factory settings should not require a sequence of precise steps.
Usability affects security.
https://www.youtube.com/watch?v=1BB6wj6RyKo
We are part of the Internet DNS infrastructure and develop cyber-security solutions for UK government and enterprises.
Nothing really interconnects
Devices may turn into bricks if companies discontinue service
Security threats are a reality: IoT-enabled DDoS attacks, IoT ransomware attacks
Creep factor may affect adoption
"The Market for Lemons" is a well-known 1970 paper by economist George Akerlof which examines how the quality of goods traded in a market can degrade in the presence of information asymmetry between buyers and sellers, leaving only "lemons" behind. In American slang, a lemon is a car that is found to be defective only after it has been bought.
Consumers have no ability to differentiate between the safe and dangerous devices.
When there is information asymmetry, consumers differentiate by price, which may drive good-quality products out of the market.
Negative Externalities mean bad effects of the market are felt by third parties, in other words the cost of a poor product is suffered by a third party.
Such market failure may necessitate regulation!
The UK's Department for Digital, Culture, Media and Sport ("DCMS") has released a voluntary code of practice to help Internet of Things companies to achieve a "secure by design" approach, including to comply with applicable data protection laws, such as the GDPR, from the earliest stages of the design process.
In February 2019, ETSI (the European Telecommunications Standards Institute) launched the first globally applicable industry standard on internet-connected consumer devices. ETSI Technical Specification 103 645 brings together what is widely considered good practice in consumer IoT security. The ETSI standard builds on the Code of Practice, but has been designed to work for European and wider global needs.
Mirai bots scan the IPv4 address space for devices that run telnet or SSH, and attempt to log in using a hardcoded dictionary of IoT credentials. Once successful, the bot sends the victim IP address and associated credentials to a report server, which asynchronously triggers a loader to infect the device. Infected hosts scan for additional victims and accept DDoS commands from a command and control (C2) server.
Mirai attempts a Telnet login using 10 username and password pairs selected randomly from a pre-configured list of 62 credentials.
thousands of potentially exploitable vulnerabilities that would have gone unfixed had they not been reported.
A VDP is the digital equivalent of “if you see something, say something.” It’s intended to give ethical hackers (also known as “researchers” or “finders”), or anyone who stumbles across something amiss—clear guidelines for reporting potentially unknown or harmful security vulnerabilities to the proper person or team responsible. Think of this real-life analogy: you walk past a neighbor’s house and see their back door was left wide open. What would you do? You’d probably knock on their door, holler to see if they were home, or maybe even call them. But for technology, it’s not that simple. You might not know how to contact them, where to find a phone number or email address. Furthermore, you wouldn’t know if your email or voicemail ever made it to the correct person, or anyone at all. Or, after looking for and not finding an appropriate contact channel, most of us would probably just give up. The result, nearly every time, is that nothing happens...except that the vulnerability remains and the organization is unaware.
2018 IoT Security Foundation study: 90.3% of companies had no vulnerability disclosure policy.
The situation is worse for the computers embedded in IoT devices. In a lot of systems—both low-cost and expensive—users have to manually download and install relevant patches. Often the patching process is tedious and complicated, and beyond the skill of the average user. Sometimes, ISPs have the ability to remotely patch things like routers and modems, but this is also rare. Even worse, many embedded devices don’t have any way to be patched. Right now, the only way for you to update the firmware in your hackable DVR is to throw it away and buy a new one.
In 2015, Chrysler recalled 1.4 million vehicles to patch a security vulnerability. The only way to patch them was for Chrysler to mail every car owner a USB drive to plug into a port on the vehicle’s dashboard. In 2017, Abbott Labs told 465,000 pacemaker patients that they had to go to an authorized clinic for a critical security update. At least the patients didn’t have to have their chests opened up.
This happened because some IP camera models did not authenticate users, exposing people's video feeds; and where a camera did have credentials, it stored them in plain text.
Locus Energy has patched 100,000 of its residential and commercial power meters that were vulnerable to command injection attacks and code execution.
Requires the system to be correct, non-bypassable, and tamperproof
Requires monitoring for unauthorized changes
Extends to secure updates and maintenance