Device security in the internet of things—or the lack of it—keeps me up at night. For many of us working in the mobile, embedded, and IoT space, device security is a top opportunity challenge, if not the top one.
IoT security is a large and changing topic, but there is one small, basic starting point where device security can be improved during development and testing: the user interface. The UI should be the first line of defense, but it’s currently weak in most IoT devices, even critical ones such as medical or safety-related systems.
In this article I am not addressing hardware, firmware, or physical security design considerations, which are also important options for IoT teams. I’m just going to outline the basic aspects of UI and general security to give you a great starting point for enhancing the security of your IoT devices.
Typical Users Need Increased Device Security
Last year the security of IoT devices suffered a large, headline-leading event. The distributed denial-of-service (DDoS) attack using the Mirai botnet took advantage of thousands of IoT devices, mostly webcams, and impacted many popular and large websites. The attack was possible because the hijacked devices were still using default vendor passwords. Shodan, a search engine for internet-connected devices, made it easy for the attackers to know where to go with the Mirai botnet to infect and then use the unsecured devices.
The ease of the attack and its impact made the news, yet typical users remain oblivious to the basic issue and the simple actions to take to protect their own devices. I know this because I regularly probe home networks and devices of friends and family as I travel. Most of my non-IT friends only dimly seem to understand the need for a secure device setup, or how to ensure one. This tells me that technologies we build can improve the UI security setup process for IoT devices.
Basic Security Protocols Don’t Need to Be Difficult
Many of the financial and safety-critical systems I work with have logic that forces “better” initial security by strong passwords, multifactor authentication, or even biometrics. Users of these systems, in many cases, are not given a choice during setup.
Historically, these systems had a learning curve of security attacks, exposures, and regulations, to the point where developers and testers understood the need for better up-front security protocols. However, as I use and test IoT devices, these systems remind me of the early days of unsecured IT and PC systems, before hacking attacks were part of our everyday lives. IoT suffers from a lack of maturity, and it also seems that IoT development teams have not yet learned valuable security protocols from other parts of the industry.
There certainly are and will be other items to add to the list of security measures as the IoT matures, but the fact that many IoT projects are not yet doing even simple security factors says to me that the industry has room for improvement. These simple UI security factors are something a device could offer at system initialization and setup, and implementation can be done via an app, setup wizard, or other software.
Implementing UI Setup Actions to Increase Security
To start, teams should establish clear UI security protocols to aid the initial setup of IoT devices. Protocols should include online instructions, help files, wizards, encryption, and data configurations.
Consider setting up a Wi-Fi IoT camera, where after turning on the device for the first time, the user would be told why establishing a secure system and connection is important using a wizard or help files. This use case story would continue with requiring a new password that must conform to strong password rules and be verified by the wizard logic. Ideally this setup protocol would be simple enough that untrained users could go through it quickly, without calls to a help desk.
An extension of the camera story might include the ability to manage multiple cameras within the setup protocol. IoT camera configurations might have hundreds or even thousands of cameras to set up, and advanced users may want to manage “global” passwords and configurations over the large number of devices via a network. Other options may include being able to establish trusted computer abilities or enforce network security factors.
Having a setup protocol for advanced users beyond the typical, basic instructions can become a marketing advantage, as long as developers and testers consider the risk factors for the system and devices. Most network admin staff regard maintaining network security with trusted devices a top priority. In this extended example, trusted computing within a network would allow support for large-scale communications within the secure network. A trusted IoT device would support identification and actions to help determine if a device has been compromised so that corrective actions can be taken by admin.
The example security use case story should extend into the use of encryption and hashing approaches to protect internal and exported external IoT data. Many IoT devices have been found to have weak data security and privacy protocols. Access to data generated by IoT devices is one of the large selling points for many stakeholders because data analytics becomes possible aiding management, marketing, and development. However, if the data cannot be trusted or is used by the bad guys, the usefulness of the IoT device may be questioned.
Finally, extending our IoT camera examples into the future, testers should consider that the historic use of graphical UIs is becoming old-fashioned. Many users will prefer a more human-like interaction with IoT devices, such as the current interest in audio UIs such as Siri and Alexa. We already have stories of such systems accessing adult materials via the voice commands of a child, which is not desired security. A truly capable security setup interface would allow voice commands and verbal feedback for even the most novice user, while protecting users from inappropriate configurations and orders.
IoT teams should be aware of the risks involved in these examples and not design or test systems to exclude these current or advanced ideals. If IoT device projects implement some of these ideas, the security target will be raised, which will discourage attacks, considering hackers typically go for the easy target.
A “smart” system setup that enforces good security protocols for basic users, while allowing advanced security options based on risks, results in more agile, flexible, and secure IoT devices.
How Testers Can Improve IoT Security
Being a tester for most of my life, I approach security from a testing viewpoint. I think a tester’s job is to provide information to the stakeholders, which include developers, managers, customers, and users. For years now I have talked to mobile, embedded, and now IoT teams about security topics. Device security is a large topic, but based on my experience, here is my advice to IoT test teams.
Testers should include risk-based testing concepts in their test planning and design. Ask if product security risks justify some or all of the factors in the list above to be implemented. You are the independent technical eyes of the stakeholders, so do not be trapped into thinking that this device does not have security risks when developers and managers believe it has no risks.
For example, the Target stores’ point-of-sale hack began with a hack to the HVAC system. These days, HVAC systems are viewed as part of the industrial IoT. The hackers used the HVAC as a back door into Target’s computing systems and gained access to customer and credit card information. Bad guys use attack vectors that are the easiest and weakest links to get into any system.
The IoT device you are testing may become such a back door into a more secure area. Testers must consider more of the security factors for the above list. This information is the kind of feedback that testers should provide to stakeholders so that everyone can make informed decisions.
Be at the Forefront of IoT Device Security
Current data indicates that many IoT devices have little, poor, or no UI security setup support. IoT producers seem happy in early adoption to let the user have the responsibility for security. This reminds me of the early days of PCs and the web.
In the long run, the successful IoT producers will get better at device security. A good, cost-effective place for developers to start is the UI at initial startup. Think about it.