Product Manager's Guide to IoT Security

The world of IoT has come a long way since 1990 when an MIT scientist introduced the world’s first internet-connected toaster. Although the original smart toaster didn’t quite make it in the new millennium, we are currently living in a world that is surrounded by connected devices. This brings up an important question: how do we keep it all secure? In this guide for product managers, we'll touch the major security risks for IoT products and how to work with your software engineering team to prevent them.

Security in IoT

IoT is growing fast. Luckily, many IoT platforms (AWS IoT core, Azure IoT, etc.) have security features baked into them. In our experience, however, we’ve seen cases where security either gets bypassed (as companies rush to get a prototype out the door) or goes unaddressed because it doesn’t deliver immediate user value.

IoT security is not a sexy, user-facing topic, so it usually gets put on the back burner.

This means that product managers and developers must constantly engage with potential security concerns when building an IoT product.

IoT is multi-faceted. The many components of IoT offer a wealth of opportunities for data breaches. Each device and network connection can present a unique security risk.

Data breaches cost money and reputation. Now more than ever, users are concerned about data privacy. A breach will cost both money and public trust.

Consumer IoT Security at a Glance

You can look at IoT as a four-part data journey from the smart device, through the local network, up to the cloud, down to the companion app, and back again.

Take this example: your new home security camera detects motion at the front door. The camera captures video footage, then sends it through your home network to the cloud where it is analyzed. After running the video through some algorithms, a notification is sent to your phone telling you that a person walked by.

Quick definitions:

• Devices: These are the hardware components of your IoT product—the physical sensors and microprocessors that accompany your smart devices.
• Network: The network is the collection of devices that communicate with each other. In most home network configurations, devices communicate with other devices on the network via some kind of wireless interface (usually Wi-Fi). Wi-Fi itself is not the network.
• Cloud: This is where your data is stored and things like real-time analytics occur.
• App: This is the mobile or web interface where users primarily interact with their devices.

Each point in the IoT data journey presents its own unique security challenges, so we broke it all down for you below.

IoT Device Security

Whether it’s a home security camera or a smart faucet, if it has a Wi-Fi network connection, it can be attacked. An IoT device security attack opens the possibility for adversaries to manipulate and exfiltrate data from the device and any data running through the network. Whether the attack is successful depends on your device’s security methods. As a product manager, you can reduce security risks.

To protect against device-level security threats, start by limiting the number of attack vectors open on your device. Turn off unnecessary application protocols such as Telnet and SSH if your device does not need them during production. When in doubt, a port scanning tool (such as Nessus) can reveal potential threats which may go unnoticed by the development team. When such protocols are necessary to keep on during production, you should always disable the default login credentials.

Devices should always use secure communication protocols when connecting with the cloud (MQTT, HTTPS, WebSockets, etc.). Secure communication usually requires the device to store a private key in order to authenticate itself with the cloud service. The private key should be stored and used in such a way that it cannot be dumped from the MCU’s flash memory, such as on a cryptographic processor.

Even with every attempt to make your IoT device perfectly secure the first time, over time, you’ll need to update the device firmware to meet the latest security threats. Having an over-the-air (OTA) update strategy and infrastructure in place is paramount to maintaining device security throughout your product’s lifespan.  It is often worthwhile to bring on a security consultant to run a security audit on your devices if you don’t have that expertise in-house. When a vulnerability is identified, make sure to promptly deploy a device firmware update to resolve it.

To review, product managers should keep these security best practices in mind when designing an IoT device:

• Devices should use a secure communication protocol for interacting with the cloud
• Store private keys on a cryptographic processor instead of the MCU’s flash memory
• Regularly update device firmware to keep up with the latest security concerns

IoT Network Security

Your IoT devices might use a combination of Bluetooth, Wi-Fi, Zigbee, LoRa, cellular, and even satellite networks to stay connected. It’s critical to understand the common network architectures utilized by your radio access technologies of choice and the best security practices associated with them.

Since so many consumer IoT devices use Wi-Fi, let’s take a look at Wi-Fi security.

A common scenario to get your IoT device connected to your user’s home network is to program it to start in access point (AP) mode. This makes it discoverable by your user’s phone so that they can pass along their home Wi-Fi credentials via a mobile app.

For devices with “optional” IoT capabilities (such as smart litter boxes) which are technically fully operational without being connected to the internet, these devices sometimes never get configured to work with the internet. So that device stays in AP mode. For years. Waiting for a wardriver to come along and notice it and (hopefully not) take control of it.

Granting a hacker the ability to know how often Mr. Whiskers takes a visit to the ol’ sandbox probably isn’t of consequence to anyone. However, giving a hacker access to your device could also lead to your user’s entire home network being compromised, depending on how seriously your developers have taken network and device security.

Cloud Security

You are likely to use an enterprise cloud database to run your IoT devices. Major cloud computing platforms like AWS, Google Cloud, and Microsoft Azure offer secure protocols and automatic audits to facilitate the security of your IoT application. However, many of these security features require the nuanced experience of seasoned developers who are familiar with how and when to implement them correctly.

One cloud security problem we frequently encounter is poorly maintained and overly-lax access control lists (ACLs) for cloud resources. Your ACLs should be maintained in a systematic and sustainable way to make it easy to identify who has which permissions. Use access control groups instead of directly attaching policies whenever possible.

In addition to configuring user permissions, each IoT device should have limited permissions to only ready & publish data that pertains to itself.

IoT App Security

Most IoT devices use a mobile or web interface for users to interact with the device. Your app needs the same attention to authentication and security as your device when it comes to interacting with your cloud services.

Ensure your users use strong passwords and two-factor authentication for account logins. Oftentimes, simply educating users about proper account management can make a major difference in protecting user data. Require capital letters, special symbols, and a minimum length. If possible, use two-factor authentication to verify each new login.

Final Thoughts on IoT Security

Building an IoT architecture from scratch can be a daunting task, but trying to maintain and evolve that architecture over time can be even tricker.

A reliable IoT expert can identify potential vulnerabilities in your IoT architecture, help you take full advantage of security features provided by cloud services, and ensure that your IoT application has safety and security baked into its digital DNA from the beginning, not just hastily tacked on at the end.