IoT security

IoT security has a poor cyber security reputation. Frequently manufacturers and IoT service providers often do not implement appropriate safeguards. Businesses and consumers typically do not change the default passwords nor update the pre-installed software. IoT security is too easy to ignore because by default its not given enough priority.

The following guidelines should be part of best practice :-

Default passwords

Many IoT devices are being sold with universal default usernames and passwords. The customer is expected to change the password before use. Until all IoT device passwords shall be unique and not resettable to any universal factory default value users should change passwords as a matter of cyber security policy

Software updates

Software resident in internet-connected devices should be securely updateable. Updates should be actioned in a timely manner.

Store credentials and sensitive data securely

Any credentials should be securely stored within IoT services and devices. Hard-coded credentials are not acceptable in device software.

Secure communications

Use of open, peer-reviewed internet security standards is highly recommended.

Limit exposed attack surfaces

Security-sensitive data should be encrypted when communicating, including any remote management and control. All keys should be securely managed.

Software integrity

IoT device software should be verified using secure boot mechanisms. When an unauthorized change is detected, the device should alert operators to the issue. The issue notification should not connect to wider networks than necessary to deliver the alert.

Data ownership and deletion

Who owns the collected data? IoT devices may change ownership and may be recycled or disposed of. Mechanisms should be provided that allow the users if they covered by GDPR and businesses to remain in control and remove data from services, devices and applications.