Post Mirai — 10 IoT security hardening steps

Rob Pope
4 min read · Feb 19, 2018


Previously I’ve talked about how the vulnerabilities exploited in the Mirai DDoS are remnants of the past, not a sign of the future. But at the same time, vendors creating IoT devices do need to think closely about security to make sure they’re not part of a future botnet. I’m fortunate to have a foot in both worlds as co-founder of app developers Dogtown Media and penetration testers Tiro Security, and have a fairly unique viewpoint, as I get to play poacher and gamekeeper with IoT.

I thought I would give 10 practical hardening tips for IoT companies. This isn’t meant to be a comprehensive list, but the top 10 boxes to tick to stop silly exploits like Mirai taking control of your devices. If you need any more information, contact me on LinkedIn or here.

Remove unneeded services

On almost every IoT device I see come through the door for development there are unnecessary services running. By services I mean things like a web server or an admin interface that just isn’t needed on the production model. Mirai got in over Telnet, an admin protocol that sends credentials in cleartext and that most people stopped using 10+ years ago. There is no need for it to be open. netstat is a great terminal command to see which ports are open; on newer Linux images it has been replaced by ss, which takes the same flags. The following command will show you which services are listening and which processes are associated with them:

sudo netstat -tunlp
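As an added example (not the article’s own code), here is a small POSIX shell audit that reads ss -H -tunlp style output, either live or from a saved dump, names the process behind each listening socket and flags the ports a shipped device should not expose. The socket dump and the list of risky ports below are constructed for the demo, not captured from a real device.

```shell
#!/bin/sh
# Added example: list listening sockets on a Linux-based device, name the owning
# process and flag the ones a production build should not expose.
# Constructed sample of `ss -H -tunlp` output (not from a real device).
SAMPLE_SS='tcp   LISTEN 0 5   0.0.0.0:23     0.0.0.0:* users:(("telnetd",pid=412,fd=3))
tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=398,fd=3))
tcp   LISTEN 0 128 0.0.0.0:80     0.0.0.0:* users:(("lighttpd",pid=455,fd=4))
udp   UNCONN 0 0   127.0.0.1:323  0.0.0.0:* users:(("chronyd",pid=301,fd=5))
tcp   LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("mgmt",pid=470,fd=6))'

# Ports with no business being reachable on a shipped device. Assumed starting list:
# telnet (23, plus 2323 which Mirai also scanned), ftp, plain-http admin UIs, adb.
RISKY_PORTS="21 23 2323 80 8080 5555"

# audit_sockets: stdin = ss lines; stdout = "proto/port process verdict"
audit_sockets() {
    while read -r proto _state _rq _sq laddr _peer users; do
        [ -z "$proto" ] && continue
        port=${laddr##*:}
        addr=${laddr%:*}
        # pull the process name out of users:(("name",pid=N,fd=M))
        proc=$(printf '%s' "$users" | sed -n 's/.*(("\([^"]*\)".*/\1/p')
        verdict=keep
        case " $RISKY_PORTS " in *" $port "*) verdict=REMOVE ;; esac
        # bound to loopback only: not reachable from the network, but still dead weight
        [ "$addr" = "127.0.0.1" ] && [ "$verdict" = REMOVE ] && verdict=loopback-only
        printf '%s/%s %s %s\n' "$proto" "$port" "${proc:-?}" "$verdict"
    done
}

# count_exposed DUMP: number of risky sockets reachable from the network
count_exposed() { printf '%s\n' "$1" | audit_sockets | grep -c ' REMOVE$'; }

# On the device:  ss -H -tunlp | audit_sockets
# (sudo netstat -tunlp gives the same columns if the image still ships net-tools.)
# Then remove the package or disable the unit, e.g. systemctl disable --now telnet.socket
# on a systemd image, or delete the init script / inetd entry on a BusyBox image.
printf '%s\n' "$SAMPLE_SS" | audit_sockets
```

Anything reported as REMOVE is reachable from the network on a risky port; loopback-only entries are not exposed but are still code you ship and have to patch, so treat them as candidates too.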

Remove or disable default accounts

Mirai used a hard-coded list of a few dozen default or easily guessable username and password combinations like root/root. It’s critical that these are changed and that default accounts are disabled. A great example would be the default account on a Raspberry Pi, which is pi / raspberry. I’m sure there are thousands of devices on the web with this combination enabled. I did a quick search on Shodan, which catalogues what devices are running on the Internet, and I found roughly 42K devices. I’m sure at least 10% of those have default credentials which would allow admin access.
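The check for this is cheap enough to put in the build pipeline. As an added example (not from the article), the POSIX shell below reads /etc/passwd and /etc/shadow style data and reports every account that can still log in with an empty password, or that is a well-known default name (pi, admin, root and friends) with a live password set. The two sample files and the list of default names are constructed for the demo.

```shell
#!/bin/sh
# Added example: find accounts that still allow login with a default or empty password.
# Constructed sample /etc/passwd and /etc/shadow (not from a real device).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
pi:x:1000:1000:,,,:/home/pi:/bin/bash
admin:x:1001:1001::/home/admin:/bin/sh
svc:x:1002:1002::/var/lib/svc:/bin/sh
debug:x:1003:1003::/home/debug:/bin/sh'
SAMPLE_SHADOW='root:$6$salt$hashhashhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
pi:$6$salt$otherhash:18000:0:99999:7:::
admin:!$6$salt$lockedhash:18000:0:99999:7:::
svc::18000:0:99999:7:::
debug:$6$salt$debughash:18000:0:99999:7:::'

# Account names that ship as defaults on common boards and images, plus the leftover
# dev accounts we keep finding. Assumed starting list; extend it for your product.
DEFAULT_NAMES="pi admin root user guest support debug"

# audit_accounts PASSWD SHADOW: print "user reason" for each account needing action
audit_accounts() {
    printf '%s\n' "$1" | while IFS=: read -r user _ _ _ _ _ shell; do
        # accounts with no interactive shell cannot be logged into anyway
        case "$shell" in */nologin|*/false) continue ;; esac
        hash=$(printf '%s\n' "$2" | awk -F: -v u="$user" '$1==u {print $2; exit}')
        case "$hash" in
            "")        printf '%s empty-password\n' "$user" ;;   # login with no password at all
            '!'*|'*'*) ;;                                         # locked / no password: fine
            *) case " $DEFAULT_NAMES " in
                   *" $user "*) printf '%s default-account-enabled\n' "$user" ;;
               esac ;;
        esac
    done
}

# count_account_findings PASSWD SHADOW: number of accounts flagged
count_account_findings() { audit_accounts "$1" "$2" | grep -c . ; }

# On the device: audit_accounts "$(cat /etc/passwd)" "$(cat /etc/shadow)"
# Fix-ups: passwd -l USER (lock), deluser USER / userdel USER (remove),
#          usermod -s /usr/sbin/nologin USER (service accounts that never log in).
audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

The locked admin account passes because shadow marks it with a leading ! and a well-known name is only half a credential; svc fails because an empty shadow field means login with no password at all, which is worse than any default.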

Use strong passwords

Sounds like a no-brainer, but again and again I find bad development passwords making it into production environments. Use long passwords with uppercase, lowercase, numbers and symbols, and make them unique per device: a single strong password shared across a whole product line is just another default password once one unit has been opened up. That should stop password-guessing attacks in their tracks.

Use strong authentication methods

If you really must have administrative ports like SSH open to the Internet, then use public/private key pairs and remove password authentication entirely (PasswordAuthentication no, and PermitRootLogin no while you are at it). This stops malware and attackers from guessing passwords, because there is no password left to guess.
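Because sshd honours the first occurrence of a directive and silently ignores later duplicates, it is easy to believe a build has password authentication off when it does not. As an added example (not the article’s own code), this POSIX shell check reads an sshd_config, reports the effective value of each directive against a hardened baseline and prints what needs to change. The sample config and the baseline are constructed for the demo; directives inside Match blocks are not evaluated by it.

```shell
#!/bin/sh
# Added example: audit an sshd_config against a hardened baseline for an
# Internet-facing device. Constructed sample config (not from a real device).
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes'

# Assumed baseline: key-only login, no root over the network, few guesses per connection.
# (Newer OpenSSH also accepts KbdInteractiveAuthentication for the challenge-response line.)
HARDENED='PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
MaxAuthTries 3
X11Forwarding no'

# effective_value CONFIG KEY: sshd takes the first match (case-insensitive keyword);
# a directive that is not set at all prints "default".
effective_value() {
    v=$(printf '%s\n' "$1" | awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}')
    printf '%s\n' "${v:-default}"
}

# audit_sshd CONFIG: one "KEY current -> wanted" line per deviation from the baseline
audit_sshd() {
    printf '%s\n' "$HARDENED" | while read -r key want; do
        have=$(effective_value "$1" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s %s -> %s\n' "$key" "$have" "$want"
        fi
    done
}

# count_sshd_findings CONFIG: number of directives that need changing
count_sshd_findings() { audit_sshd "$1" | grep -c . ; }

# On the device: audit_sshd "$(cat /etc/ssh/sshd_config)"
# then apply the HARDENED lines, validate with `sshd -t`, and restart sshd.
audit_sshd "$SAMPLE_SSHD_CONFIG"
```

A directive reported as "default" is flagged on purpose: the upstream default for PasswordAuthentication is yes, and relying on distribution defaults is how the weak setting survives into production. Generate the device keys with ssh-keygen -t ed25519 and provision the public half during manufacturing, not over the network.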

Encryption — use it

Most IoT devices will support strong transport (TLS) and storage encryption, but implementing them often gets put to one side in the rush of development. Encrypting stored user details, and hashing rather than storing passwords, is critical in case the device ever ends up on eBay and its contents are read by the buyer. The keys have to live somewhere the buyer can’t simply read out too, which is where a hardware key store or secure element earns its place on the bill of materials.

Firewalls

An IoT device built on top of Linux will more than likely have the iptables firewall already built in (or nftables on newer kernels). Taking a few hours to configure a simple firewall on your production build could make it that much more difficult for attackers to gain remote control of the device. The configuration should include outbound as well as inbound rules: an infected device that cannot open connections to anything but its update server cannot scan for new victims or take part in a DDoS, which is exactly what Mirai bots spent their time doing.
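As an added example (not from the article), the POSIX shell function below generates a default-deny ruleset in iptables-restore format for a device that only needs DNS, NTP and HTTPS to one update server, with SSH reachable from a management subnet only. It prints the rules rather than loading them, so they can be reviewed and diffed in the build before `iptables-restore` ever sees them. The addresses and the management network are assumptions for the demo (documentation ranges), not values from the article.

```shell
#!/bin/sh
# Added example: default-deny iptables ruleset for a Linux-based IoT device,
# emitted in iptables-restore format so it can be reviewed before it is loaded.
MGMT_NET="10.0.0.0/24"        # assumed management network allowed to reach SSH
UPDATE_HOST="203.0.113.10"    # assumed update server (RFC 5737 documentation address)
DNS_SERVER="203.0.113.53"     # assumed resolver

# gen_ruleset: print the complete filter table to stdout
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is needed by local services
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections the device itself opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# drop malformed / out-of-state packets early
-A INPUT -m conntrack --ctstate INVALID -j DROP
# inbound: SSH from the management network only, rate limited against brute force
-A INPUT -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
# outbound: only what the device needs, so a compromised unit cannot scan or flood
-A OUTPUT -p udp --dport 53 -d $DNS_SERVER -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -d $UPDATE_HOST -m conntrack --ctstate NEW -j ACCEPT
# log a sample of what gets dropped so the rules can be tuned during testing
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iot-in-drop: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iot-out-drop: "
COMMIT
EOF
}

# count_accept_rules: how many ACCEPT rules the ruleset contains (review aid)
count_accept_rules() { gen_ruleset | grep -c -- '-j ACCEPT'; }

# Load with:  gen_ruleset | iptables-restore
# and persist it through whatever init system the image uses.
gen_ruleset
```

The OUTPUT policy of DROP is the line that matters post-Mirai: with it, Telnet scanning on 23/2323 and outbound floods never leave the device even if something on it is compromised. The log rules are for bring-up; expect to add an outbound rule for every cloud endpoint the product legitimately talks to and nothing else.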

Embedded System Signed Code

Some IoT hacking is based on the attacker being able to build their own firmware and replace the manufacturer’s code on the device. This can be countered with a digital signing mechanism where only code signed by the manufacturer is allowed to load onto the device. For it to hold up, the check has to start at the bottom: a bootloader that verifies the kernel and root filesystem against a public key stored in read-only memory or fuses (secure boot), with the same verification applied to every update that comes down later. This could really slow down or stop an attacker trying to use your device for their own purposes.

Disable or remove physical ports

I’ve seen many hacking demonstrations where the researchers have taken a device apart to find a USB or network port and connected in a way the manufacturer didn’t account for. The usual way in is actually the debug serial (UART) or JTAG header left on the board, which often drops straight to a root shell. Physically remove or disable these ports and headers if the product doesn’t need them. If they are needed for maintenance or updates, then disable them at a software level when not in use: take the console off the kernel command line, stop the getty on the serial port, and keep USB ports de-authorised (Linux exposes this under /sys/bus/usb/devices/*/authorized_default) until a maintenance mode enables them.

Auto-updates

If possible, code your device to pull down new updates automatically so that you can ship security fixes in a timely manner. Fetch them over TLS, verify the vendor signature before installing, and refuse anything older than what is already running; otherwise the update channel becomes the easiest way to put the old, vulnerable firmware back on.
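The signed-code and auto-update points above are two halves of one mechanism, so here is one added example (not the article’s or any vendor’s code) covering both: the device-side check of a signed release, run against temporary files so it can be tried without hardware. A release is the image, a manifest giving the version and the image hash, and a detached signature over the manifest. The device holds only the vendor’s public key, verifies the signature first, refuses anything not newer than what is installed, and only then checks the image hash. RSA-2048 through the openssl command line, the manifest format and the file names are assumptions for the demo; on a real product the same verification belongs in the bootloader as well as in the updater.

```shell
#!/bin/sh
# Added example: device-side verification of a signed firmware update with anti-rollback.
# Assumed: openssl CLI with RSA-2048, manifest of "version=N" and "sha256=HEX" lines,
# the update image is a plain file. Everything runs in a temp dir for the demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

sha256_of() { openssl dgst -sha256 "$1" | sed 's/.*= //'; }

# ---- vendor side: build server; the private key never leaves it ----
# make_release VERSION IMAGE -> writes manifest and manifest.sig into $WORK
make_release() {
    printf 'version=%s\nsha256=%s\n' "$1" "$(sha256_of "$2")" > "$WORK/manifest"
    openssl dgst -sha256 -sign "$WORK/vendor.key" -out "$WORK/manifest.sig" "$WORK/manifest"
}

# ---- device side: only vendor.pub is present in the image ----
# verify_update INSTALLED_VERSION IMAGE -> 0 ok, 1 bad signature, 2 not newer, 3 hash mismatch
verify_update() {
    # 1. signature over the manifest, before trusting anything inside it
    openssl dgst -sha256 -verify "$WORK/vendor.pub" -signature "$WORK/manifest.sig" \
        "$WORK/manifest" >/dev/null 2>&1 || return 1
    # 2. anti-rollback: a genuinely signed but older release is still refused
    ver=$(sed -n 's/^version=//p' "$WORK/manifest")
    [ "$ver" -gt "$1" ] 2>/dev/null || return 2
    # 3. the image must match the hash the vendor signed
    [ "$(sed -n 's/^sha256=//p' "$WORK/manifest")" = "$(sha256_of "$2")" ] || return 3
    return 0
}

# status CMD...: print the exit code of CMD without tripping `set -e`
status() { "$@" && echo 0 || echo $?; }

# run_demo: walk through the four cases and return their codes as "a b c d"
run_demo() {
    command -v openssl >/dev/null 2>&1 || { echo no-openssl; return 0; }
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/vendor.key" 2>/dev/null
    openssl pkey -in "$WORK/vendor.key" -pubout -out "$WORK/vendor.pub" 2>/dev/null
    printf 'firmware v5\n' > "$WORK/fw.bin"
    make_release 5 "$WORK/fw.bin"
    a=$(status verify_update 4 "$WORK/fw.bin")      # genuine and newer: 0
    b=$(status verify_update 5 "$WORK/fw.bin")      # replay of the current release: 2
    printf 'tampered\n' >> "$WORK/fw.bin"
    c=$(status verify_update 4 "$WORK/fw.bin")      # image altered after signing: 3
    sed 's/^version=5/version=9/' "$WORK/manifest" > "$WORK/m2" && mv "$WORK/m2" "$WORK/manifest"
    d=$(status verify_update 4 "$WORK/fw.bin")      # manifest edited, signature breaks: 1
    echo "$a $b $c $d"
}

run_demo
```

The order of the checks is the point: the signature is checked before the version or hash fields are even read, so an attacker who can edit the manifest gains nothing, and an attacker who can only replay a genuinely signed old release is stopped by the version comparison. Keep the installed version in storage the updater cannot be tricked into lowering, and the signing key on the build server, never on the device.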

Hire security professionals to hack your device

IoT teams often have good budgets, and could definitely spend money on getting a security consultant in-house for a few weeks to test a prototype and make recommendations. Build testing into your quarterly budget and take their advice.

