Internet of Things Security Principles
Juanita Powell
ECPI University
MSCS654
Introduction
In today’s world everything is connected. You can literally turn on your crockpot from your
phone while you’re standing in line at Target, or check on your sleeping baby while you watch a
movie. Though these modern conveniences are great, the interconnectivity of these devices—the
With the rapid growth of products now being developed as IoT devices, many
companies are pushing too fast to capitalize on this new market and are sacrificing security. The
FTC has already identified this as an issue and is urging companies to build security into devices
from the beginning. Companies should conduct privacy assessments and consider risks
associated with the collection of consumer data. Built-in security features should be tested before
taking the product to market, and companies should also ensure internal security practices
promote good security (Baier, 2015). If security were built into the development plan from the
beginning, there would be fewer issues. Security needs to be included in all phases of the product,
including updating and patching after purchase. Because IoT devices will eventually exist
everywhere in the environment, there are three key areas to focus on to secure IoT devices:
physical security, communication between devices, and the management system onboard. This
creates the need to design tamper resistance into devices so that it is difficult to extract sensitive
information like personal data, cryptographic keys, or credentials. Finally, we expect IoT devices
to have long lives so it is important to enable software updates to address the inevitable exploits
An indirect way of securing IoT devices is to minimize the amount of data collected and
protect the data that is stored elsewhere. This reduces the potential harm associated with data
breaches. The Commission urges companies to impose reasonable limits for collection of data.
For example, collecting a zip code instead of exact geolocation (Baier, 2015).
The Nest thermostat is a smart home automation device that aims to learn about your
heating and cooling habits to help optimize your scheduling and power usage. Debuted in 2010,
the smart Nest devices proved such a huge success that Google spent $3.2B to acquire the
whole company (Jin, Hernandez, & Buentello, 2014). Nest takes security very
seriously, and its founder has said the company has a dedicated hacking team probing
the devices for vulnerabilities. If the Nest can be hacked, it means even the best-protected
embedded device is vulnerable (Wagenseil, 2014). Nest believes in
building security into every facet of its products, which is why they are repeatedly voted as one of
Travel routers and IP-based cameras are among the IoT devices that can be easily
exploited. A travel router made by TrendNet, the TEW714TRU, makes command injection easy. An
attacker could inject commands over a LAN port without authenticating and combine them with a
remote code execution vulnerability in another layer. On another travel router, the M5250 made by
TP-LINK, admin credentials can be fetched via SMS. If an attacker sends an SMS to the router, it
sends back data, including login information like the name, SSID, and admin password, in
plaintext. Another device, an IP-enabled camera made by China-based VStarcam, has easily
cracked passwords. Even after an update was pushed, the root shell and passwords from the
device were able to be found via Google (Brook, 2017). The IoT devices that continually fail
have similarities in their poor security fundamentals. They all seem to have a combination of the
following: insufficient authorization, lack of transport encryption, insecure web interface, and
insecure software/firmware. About 80 percent of the tested devices failed to ask for passwords of
sufficient complexity and length. 70 percent of the IoT devices did not use encryption when
transmitting sensitive data across the LAN and internet. 70 percent of the devices with a cloud
and mobile app allow attackers to identify users through account enumeration. 60 percent of the
tested devices' web interfaces were vulnerable to cross-site scripting, had poor session
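
The account-enumeration finding above, shown as an added example (not code from the cited studies or from any vendor): a login handler that reveals which usernames exist, next to a hardened one that gives a single failure response. The user store, function names and status codes are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def _hash(password, salt):
    # Iteration count kept low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed sample account store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}

# Dummy record so unknown usernames cost the same hashing work as real ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)


def login_enumerable(username, password):
    """Weak form: status and message reveal whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return 404, "No such user"
    salt, stored = record
    if _hash(password, salt) != stored:
        return 401, "Wrong password"
    return 200, "Welcome"


def login_uniform(username, password):
    """Hardened form: one failure response, same hashing work on every path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)
    # Constant-time comparison; the membership check stops an unknown
    # username from ever matching the dummy record.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return (200, "Welcome") if ok else (401, "Invalid username or password")


def leaks_account_existence(login):
    """True if a failed login answers differently for known and unknown users."""
    return login("alice", "wrong") != login("mallory", "wrong")


if __name__ == "__main__":
    print("enumerable handler leaks:", leaks_account_existence(login_enumerable))
    print("uniform handler leaks:   ", leaks_account_existence(login_uniform))
```

The same uniform-response rule applies to password-reset and registration endpoints, which are equally able to confirm whether an account exists.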
Conclusion
There are many challenges to securing the IoT, many unique to each layer of the IoT
framework. Robust security begins by building it into the devices themselves. Even small,
confidentiality, integrity, and authenticity when communicating over the network. Finally, a
balance between consumer and enterprise privacy and the insight and value derived from the
References
Baier, E. (2015, February 18). New Security Solutions Emerge as IoT Moves into the Public
solutions-emerge-iot-in-public-spotlight/
Brook, C. (2017, April 10). Travel Routers, NAS Devices Among Easily Hacked IoT Devices.
easily-hacked-iot-devices/124877/
Fife, C. (2015, April 9). What’s Required To Secure The IoT? Retrieved from Citrix:
https://www.citrix.com/blogs/2015/04/09/whats-required-to-secure-the-iot/
Jin, Y., Hernandez, G., & Buentello, D. (2014). SMART NEST THERMOSTAT: A SMART
14/briefings.html#smart-nest-thermostat-a-smart-spy-in-your-home
Kassner, M. (2014, August 11). No surprise, IoT devices are insecure. Retrieved from Tech
Republic: https://www.techrepublic.com/article/no-surprise-iot-devices-are-insecure/
Wagenseil, P. (2014, August 7). Nest Smart Thermostat Can Be Hacked to Spy on Owners.
19290.html