Analyzing IoT Security Best Practices

New research: "Best Practices for IoT Security: What Does That Even Mean?" by Christopher Bellman and Paul C. van Oorschot:

Abstract: Best practices for Internet of Things (IoT) security have recently attracted considerable attention worldwide from industry and governments, while academic research has highlighted the failure of many IoT product manufacturers to follow accepted practices. We explore not the failure to follow best practices, but rather a surprising lack of understanding, and void in the literature, on what (generically) "best practice" means, independent of meaningfully identifying specific individual practices. Confusion is evident from guidelines that conflate desired outcomes with security practices to achieve those outcomes. How do best practices, good practices, and standard practices differ? Or guidelines, recommendations, and requirements? Can something be a best practice if it is not actionable? We consider categories of best practices, and how they apply over the lifecycle of IoT devices. For concreteness in our discussion, we analyze and categorize a set of 1014 IoT security best practices, recommendations, and guidelines from industrial, government, and academic sources. As one example result, we find that about 70\% of these practices or guidelines relate to early IoT device lifecycle stages, highlighting the critical position of manufacturers in addressing the security issues in question. We hope that our work provides a basis for the community to build on in order to better understand best practices, identify and reach consensus on specific practices, and then find ways to motivate relevant stakeholders to follow them.

Back in 2017, I catalogued nineteen security and privacy guideline documents for the Internet of Things. Our problem right now isn't that we don't know how to secure these devices, it's that there is no economic or regulatory incentive to do so.

Posted on June 25, 2020 at 7:09 AM • 8 Comments

Comments

TimHJune 25, 2020 8:36 AM

It's not just the insecurity of these products. It's that they are unecessarily tied to the manufacturer's servers for even basic functionality, so can be rendered non-functioning at a whim.

wiredogJune 25, 2020 9:16 AM

Annnd The first 2 comments are spam. I've seen a LOT of spam comments scattered across various sites in the last 2 weeks. SpamAI(TM) must be getting better.

I think the closest things I have to IoT devices are my Tivo and my Amazon Fire, both of which have good support and are, afaik, fairly secure. Otherwise I figure I need no smart thingies. I wouldn't have a Tivo, except there doesn't seem to be a better (or even as good) DVR option.

markJune 25, 2020 11:48 AM

How often does the vendor supply bugfix and security updates?

Are there ANY vendors that do that?

Unless and until, the best practice for securing IoT is JUST SAY NO to, as one columnist put it, the Internet of Gratuitously Connected Insecure Things (pronounced i-dgit, or idiot).

Ian FitzgeraldJune 25, 2020 3:12 PM

IOT security, or lack there of, gives me nightmares particularly as a CIO of utilities. Many of these unsecured home IOT devices are network connected via protocols like Zigby. Connecting IOT devices to meters, which are connected directly to an enterprise network that provides the foundation of our critical infrastructure is a back-door that is waiting to be exploited.

Jesse ThompsonJune 25, 2020 7:09 PM

Security and privacy guideline #20:
Always maintain data (including but not limited to text) in the proper encoding in order to render it correctly in every context.

91\% of security researchers agree that's important to defend against SQL injection attacks, buffer overflows, and privilege esc+++.,__Disregard that, time is running out to take advantage of these low, low prices! 🔥👌🤦‍♂️

andy fletcherJune 26, 2020 5:30 AM

@moderator

Probably stating the obvious but the message from "ketsatnganhang ketsatwelko" is spam.

I'm actually impressed by the sheer number of links in the posting - it must be some sort of record!

Andy

vas pupJune 26, 2020 2:16 PM

@Bruce said "Our problem right now isn't that we don't know how to secure these devices, it's that there is no economic or regulatory incentive to do so."

I still can't get the idea that providing security and real control to the customer does not have economic incentive.

As many commercials compared their car with other cars based on safety provided in the case of accident, by the same token manufacture of IoT may capitalize on comparing advantages of their product in security, customer control, protecting privacy.

Regarding regulatory incentive, as I stated more this respected blog, for our regulator (I mean legislators)understanding of necessity for regulatory incentive comes only out their own (or close relatives) bad experience -when they become victim of poor security and privacy protection of IoT device, and as more of them (regulators) are actually affected, the higher probability regulatory incentive going to be introduced. Otherwise, their aids/assistants with education primary in liberal arts and close to zero understanding of technology, will just put stop on any suggestions which they could not apprehend.

JohnJune 30, 2020 8:15 AM

I like the Nutrition Label idea the best. It is a light-touch by Govt for evolving technology, but depending on what is mandated on the label, can be a hammer.

Computing & IoT devices need to have a few things printed on the box:

* Support EoL date
* Patch schedule
* What works without internet connectivity
* What requires internet connectivity to work
* List of all {domains|IPs}:{ports} required for each network connection
* List of protocols used for each external connectivity
* 2FA standards supported
* How new firmware is updated – USB flashing, network load, something else
* Exact data captured and exact uses and sharing

We need to handle tiny buttons from Amazon used for ordering and vehicles that might be sold to complete strangers and rental vehicles with this label.

How can a car renter flush the data before returning the vehicle? How can online service connections for re-sold vehicles be formally transferred to the new owner which includes wiping all old data?

Does our speaker/microphone share data anywhere else?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.