IoT security issues are a major topic amid the emergence of more and more connected devices. If we ignore the importance of IoT security, it will cause huge damage.
IoT security has become a major topic amid the emergence of more and more connected devices. Vulnerabilities that are often exploited by hackers include the use of default passwords and weak encryption. IoT authentication and encryption, therefore, stand as two of the most important IoT security technologies to watch for.
Authentication grants access to those with the permission to do so through different methods, including the “what you know” factor – that is, the use of usernames and passwords. A device usually comes with a default password, and the
DDoS attacks that wreaked havoc last year underscores the need to change it. “By far the vulnerability being most exploited for IoT devices is the negligence of changing default username and passwords. The Mirai botnet campaign targeted against IP cameras that hit the world last year was using that vulnerability and was pretty successful,” said Mathieu Chevalier, Security Architect at
Genetec.
While changing a device’s default password is a must, changing it repeatedly may not be so necessary. “For changing password regularly, this is more and more seen as a bad security practice, and the FTC, NIST, Microsoft , the UK intelligence agency and multiple universities are advising against it,” Chevalier said. “The reason behind this is that human are notoriously bad at remembering truly random passwords and so, according to multiple studies, if you take the human aspect into account and ask people to regularly change their password they will only do minor variation of the same password. It’s better to choose a long, unique, random at the beginning and only change it if needed.”
“Changing passwords often is actually not very important these days. Studies have shown that changing passwords frequently results in individuals choosing less secure passwords,” said Adrian Sanabria, Director of Research at
Savage Security. “Also, if a password hasn’t been compromised, changing it offers no real tangible benefit, especially when multi-factor authentication (MFA) is in use. As for complexity, length is always more important than complexity, which is why passphrases should be used in place of passwords, along with MFA if available.”
“Rather than asking the user to change passwords regularly, which is unrealistic, there should be a mechanism to prevent brute-force attacks,” said Mars Kao, Senior Engineer at the Taiwan-based
Institute for Information Industry. “For example, upon failure to sign in three times, the system will lock the person for three minutes, and then make the lock-up time five minutes and one hour upon each subsequent failure.”
Encryption, meanwhile, will also play an important role, protecting data that are at rest or in transit. “The level of encryption depends on how sensitive your data is and is usually divided into commercial grade and military grade. For commercial grade, encryption algorithms that haven’t been cracked are good enough. For military grade, AES-256 is ideal,” Kao said.
Sanabria, meanwhile, said encryption should be used with caution. “Encryption is important for protecting customer data. We see cases where the customer prefers to be sole owner of the private keys required to decrypt data, but there can be serious tradeoffs in convenience as a result. It all depends on the management architecture for the IoT devices. We increasingly see more and more cases where lost encryption keys cause bigger issues than the lack of encryption could have caused,” he said.