Running head: INTERNET OF THINGS 1

Internet of Things Security Principles

Juanita Powell

ECPI University

MSCS654
Internet Of Things Security Principles 2

Introduction

In today’s world everything is connected. You can literally turn on your crockpot from your

phone while you’re standing in line at Target. Check on your sleeping baby while you watch a

movie. Though these modern conveniences are great, the interconnectivity of these devices—the

Internet of Things (IoT)—is fundamentally unsecure (Baier, 2015).

Securing IoT Devices

With the rapid growth of products now being developed as an IoT device, many

companies are pushing too fast to capitalize on this new market and are sacrificing security. The

FTC has already identified this as an issue and is urging companies to build security into devices

from the beginning. Companies should conduct privacy assessments and consider risks

associated with the collection of consumer data. Built-in security features should be tested before

taking the product to market, and companies should also ensure internal security practices

promote good security (Baier, 2015). If security was built in the development plan from the

beginning there would be fewer issues. Security needs to be included in all phases of the product

to include updating/patching after being purchased. Because IoT devices will eventually exist

everywhere in the environment there are three key areas to focus on to secure IoT devices;

physical security, communication between devices, and the management system onboard. This

creates the need to design tamper resistance into devices so that it is difficult to extract sensitive

information like personal data, cryptographic keys, or credentials. Finally, we expect IoT devices

to have long lives so it is important to enable software updates to address the inevitable exploits

that are discovered after their release (Fife, 2015).

Internet Of Things Security Principles 3

An indirect way of securing IoT devices is to minimize the amount of data collected and

protect the data that is stored elsewhere. This reduces the potential harm associated with data

breaches. The Commission urges companies to impose reasonable limits for collection of data.

For example, collecting a zip code instead of exact geolocation (Baier, 2015).

Secure IoT Devices

The Nest thermostat is a smart home automation device that aims to learn about your

heating and cooling habits to help optimize your scheduling and power usage. Debuted in 2010,

the smart Nest devices have been proved a huge success that Google spent $3.2B to acquire the

whole company (Jin, Hernandez, & Buentello, 2014). The Nest company takes security very

seriously and the company's founder has said the company has a dedicated hacking team probing

the devices for vulnerabilities. If the Nest can be hacked, it means even the best-protected

embedded device is vulnerable (Wagenseil, 2014). The Nest family of products believe in

building security into every facet of their products that is why they are repeatedly voted as one of

best year after year.

Unsecured IoT Devices

Travel routers and IP-based cameras are among the IoT devices that can be easily

exploited. A travel router made by TrendNet -TEW714TRU makes command injection easy. An

attacker could inject commands unauthenticated over a LAN port, and combine them with a

remote code execution vulnerability in another layer. Another travel router, M5250, made by TP-

LINK, admin credentials can be fetched via an SMS. If an attacker sends an SMS to the router, it

sends back data, including login information like the name, SSID, and admin password, in

plaintext. Another device, an IP-enabled camera made by China-based VStarcam, has easily

cracked passwords. Even after an update was pushed the root shell and passwords from the
Internet Of Things Security Principles 4

device were able to be found via Google (Brook, 2017). The IoT devices that continually fail

have similarities in their poor security fundamentals. They all seem to have a combination of the

following: insufficient authorization, lack of transport encryption, insecure web interface, and

insecure software/firmware. About 80 percent of the tested devices failed to ask for passwords of

sufficient complexity and length. 70 percent of the IoT devices did not use encryption when

transmitting sensitive data across the LAN and internet. 70 percent of the devices with the cloud

and mobile app allow attackers to identify users through account enumeration. 60 percent of the

tested device's web interfaces were vulnerable to cross-site scripting, had poor session

management, and weak default credentials (Kassner, 2014).

Conclusion

There are many challenges to securing the IoT, many unique to each layer of the IoT

framework. Robust security begins by building it into the devices themselves. Even small,

resource-constrained devices common in the IoT must implement cryptography to maintain

confidentiality, integrity, and authenticity when communicating over the network. Finally, a

balance between consumer and enterprise privacy and the insight and value derived from the

mountains of data generated by the IoT must be found (Fife, 2015).

Internet Of Things Security Principles 5

References

Baier, E. (2015, February 18). New Security Solutions Emerge as IoT Moves into the Public

Spotlight. Retrieved from DigiCert: https://www.digicert.com/blog/new-security-

solutions-emerge-iot-in-public-spotlight/

Brook, C. (2017, April 10). Travel Routers, NAS Devices Among Easily Hacked IoT Devices.

Retrieved from Threat Post: https://threatpost.com/travel-routers-nas-devices-among-

easily-hacked-iot-devices/124877/

Fife, C. (2015, April 9). What’s Required To Secure The IoT? Retrieved from Citrix:

https://www.citrix.com/blogs/2015/04/09/whats-required-to-secure-the-iot/

Jin, Y., Hernandez, G., & Buentello, D. (2014). SMART NEST THERMOSTAT: A SMART

SPY IN YOUR HOME. Retrieved from Black Hat: https://www.blackhat.com/us-

14/briefings.html#smart-nest-thermostat-a-smart-spy-in-your-home

Kassner, M. (2014, August 11). No surprise, IoT devices are insecure. Retrieved from Tech

Republic: https://www.techrepublic.com/article/no-surprise-iot-devices-are-insecure/

Wagenseil, P. (2014, August 7). Nest Smart Thermostat Can Be Hacked to Spy on Owners.

Retrieved from Tom's Guide: https://www.tomsguide.com/us/nest-spying-hack,news-

19290.html