Mark O'Neill and I just published Top Ten Security Considerations for Internet of Things. It was very a lot of fun to work on this on a personal and professional level. I have been a big fan of Mark's work for along time. I only got to work with him once before when we did a full day of Web Services security at the OWASP AppSec conference, we had a full day just on WS and had a great lineup of speakers including Mark and Brad Hill.
Turns out that Web services play a leading role in Internet of Things, and the space is so full of amazing use case right now, its great to be able to tackle the security issues and work to get more secure applications than the industry managed to do for the original Internet.
We have learned a lot in 20 years on the web and now is the time to apply it to IoT. Its not so simple actually because some new curveballs come into consideration due to the nature of IoT systems. The paper is available here, and below is a summary of the top ten.
The Internet of Things (IoT) is an industry megatrend that holds the promise to open up new ways of doing business and communicating. The core difference between Internet of Things and previous computing revolutions is that the human user is usually the catalyst, we go to our PC to do some work, we go to the Web to do some research or check mail. In the Internet of Things, the thing talks back.
Context matters in security and that goes double for IOT. The IOT use cases that have appeared so far tend to be very domain specific. That trend looks set to continue. We will examine scenarios in the Automotive and Utilities industry to look at the unique security considerations in those IOT environments.
So let’s “State the problem” by listing the Top Ten Security Considerations for the Internet of Things:
1. Protocol Proliferation
This is the Web but not as we’ve known it. The myriad of IOT protocols make the security architect’s job vastly more complicated than web app security which deals primarily with HTTP.
IOT has many different ways to initiate the protocol dance: active clients, passive clients, client initiation, and server initiation.
Many current IOT devices rely on hard coded access keys, leaving them vulnerable to brute force, spoofing and other attacks.
The IT industry has become reasonably good at identifying human users, with Active Directory, LDAP and application user databases, but objects? Not so much. Consistent naming is the key to defining and enforcing policy.
5. Constrained Devices
Despite the challenges in IOT we do have many security protocols to choose from, however the deployments are limited by the processing power on the device side.
There are many IOT technologies, such as NFC (Near Field Communication), for smartphones and similar devices that do not have the concept of time. This may not seem like a security issue, until you realize that virtually all authentication protocols use time as a primary defense mechanism.
Will existing protocols like Kerberos, X.509, Federation, OAuth, SAML and others be up to the challenge of securing Machine to Machine communications when there is not a user present to initiate?
Vulnerabilities will be found in IOT systems, but how will they be patched? IOT systems require management systems for patching and versioning.
9. Stunt Hackers
Hacking IOT is a great way to generate headlines, there will be an endless flow of security research, the more interesting the device the more the attacker interest.
10. Ugly failure modes
IOT apps are real things, when they fail so does your power, your supply chain, your fleet tracking and so on. Worse as we discussed in #7 Usability retry and restart may be somewhere between difficult and impossible.
Full paper is here.