Implementing IoT Security Best Practice
The adoption of Internet of Things (IoT) technology is a growing trend in various sectors. Startups, small and medium-sized enterprises (SMEs), and other enterprises have started adopting IoT technology to create business values for their products and bring about new customer experience. As focus remains on the functions and features that IoT technology brings, not many people fully understand the accompanying potential security risks.
As more and more appliances are applying smart technologies for functions such as providing remote control via mobile devices and collecting data through wireless technology or the Internet, they also create new attack surfaces. Attackers could try to take control of the devices, steal sensitive information from them or even cause other physical damages. For example, a vulnerability found in a hair straightener could allow an attacker to remotely tune its temperature up to 235 degree Celsius. If this is placed near flammable objects, the heat could cause a fire.
In the meantime, attackers have already capitalised on the security vulnerabilities of IoT devices, turning them into botnet, and using them to launch large-scale DDoS attacks. For example, in October 2016, hackers seized control of over 100,000 IoT devices to form the Mirai Botnet and launched a large-scale DDoS attack to bring down the domain registration services provider, Dyn, causing outage of major Internet services including Airbnb, Netflix, Twitter.
The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) had published security advisories "Mirai Malware Cleanup and Prevention" and "IoT Device (Webcam) Security Study" to respond to incidents related to IoT devices. Also, we observed that many security issues arose from a lack of security consideration in the design and development of IoT devices. To address this issue, HKCERT has compiled the “IoT Security Best Practice Guidelines” for developers to adopt IoT security at the early stage of design and development. The guidelines covers common security issues in four layers of IoT solutions:
- Perception layer
- Network layer
- Management layer
- Application layer
The guidelines includes security best practices and a simple checklist for self-verification. It aims to help developers incorporate IoT security best practices starting from the design stage and throughout the development cycles. In addition, this guideline may serve start-ups, SMEs or enterprises as a reference of security specifications in the sourcing of IoT solutions. General users can also learn more about IoT security best practices through this guideline and raise the security awareness in using IoT devices.
Please click to download the "IoT Security Best Practice Guidelines". Should users or developers have any comments or enquires about the guideline, they are most welcome to contact HKCERT via email: [email protected] or its 24-hour telephone hotline: 8105 6060.