Product Security Glossary

IoT Security Protocols

What are IoT security protocols?

IoT security protocols are a set of standards and recommendations designed to ensure secure communications for network-connected devices. 

How do IoT devices communicate?

IoT devices can communicate in two different ways.  They can do long-distance communications over an Internet Protocol-based network, or they can do short-range communication via non-IP-based protocols such as Bluetooth or RFID.  Devices can communicate with a centralized gateway, or they can communicate directly with each other. 

Why do we need IoT security protocols?

With either long-distance or local communications, we need IoT security protocols to ensure that devices can communicate securely.  Without proper security, attackers could intercept sensitive data that are being transmitted.  Attackers could also take control of a device, which could result in damage or destruction to either equipment or to people.  Also, many devices communicate with a centralized gateway, which could be vulnerable to attack.  Many centralized gateways run as a service in the cloud, which means that device users’ sensitive data are stored in the cloud.  Cloud providers must follow proper IoT security protocols in order to prevent data theft or loss. 

IoT devices can communicate either wirelessly or via a wired network.  Either way, communications must be properly safeguarded.  If you’re running a network with multiple IoT devices, allowing one device to get compromised could result in having the entire network compromised. 

What makes it hard to implement IoT security protocols?

One challenge we face with implementing proper IoT security protocols is that there’s no standardization in the device manufacturing process.  This makes it harder to create IoT security protocols that can be universally applied to all devices from all manufacturers. Most IoT devices are resource-constrained, which makes it harder to implement security protocols that are more resource-intensive.  Also, many IoT devices are out in the open, where it’s easy for people to access them. 

What IoT security protocols can we implement?

There are many IoT security protocols that we can implement.  Here are just a few of them: 

  • Secure communications with strong cryptographic algorithms. This will help prevent attackers from collecting sensitive data and from taking control of the devices.
  • Enforce UpToDate communication protocols. For example, refuse connections of TLS 1.1 or 1.0, since they are not secure.  

  • Disable the UPnP service by default. If necessary, allow the user to enable it by explicit action, for example through the web management interface. See for example the Vdoo research on vulnerability of an implementations for UPnP client. This serves as warning to the danger in UPnP, and the need to limit the use to the bear minimum.  

  • Use a firewall in the device. Limit communications to only the expected ports, protocols, sources, and destinations. 

  • Use a secure operating system.  The embedded operating systems on devices must be properly locked-down against attacks.  This means that the boot process must be protected so that bad actors cannot change it.  It also means using proper credential management and ensuring that users do not have a higher level of privileges than necessary.  It also means that devices should not have any programs installed that are not necessary, and that updates are applied in a timely manner.  Mandatory Access Control, such as AppArmor, SELinux or GRSec, can help prevent attackers from taking control of a system. 

  • Protect data that are stored in the cloud.  Cloud service operators must have proper IoT security protocols that will protect and anonymize any sensitive data that are transmitted to them by IoT devices. 

  • Implement proper physical security.  Many devices must be out in the open where they can be accessed by the public, and there’s not much we can do about that.  But device manufacturers can design the device with input/output port that can be disabled, and with tamper-proof enclosures. 

As you can see, it is vitally important to implement IoT security protocols.  This can help ensure the security and safety of our devices and their users.