Safety initiatives and best practices for IoT

Posted date
Miriam Puente García (INCIBE)
Iniciativas y prácticas de seguridad para el IoT

Considering the risks and threats that have already been described, it is evident that protection models or actions need to be developed in order to mitigate those vulnerabilities arisen from data processing as well as security practices for operating and deploying IoT technologies.

Safety measures and good practices aimed at mitigating threats, vulnerabilities and identified risks affecting IoT devices and environments are detailed below:

Best safety practices in design and implementation

  • Obligations of providers: ensuring that their devices are patchable, that they depend on industry standard protocols, that they do not use hard coded passwords and that they do not have previously known security vulnerabilities, as well as developing initiatives which protect user privacy from IoT devices.
  • Implementation and configuration developing a series of procedures that guarantee safe implementation and setup. forcing users to modify default security settings, for example the factory default password.
  • Connectivity and services: verifying unnecessary network settings, such as open service ports. Establishing compulsory encryption for all kind of communications.
  • Encryption: Selecting a tested cipher suite or verifying potential weaknesses (such as pseudorandom number generators) when in-house developed encryption is to be used.
  • Privacy issues: guaranteeing protection of private and confidential data having available data destruction mechanisms and encrypted data storage system in devices and endpoints where such data may be stored in a secure manner.
  • Authentication and authorisation: adopting safe mechanisms to interact and establish connections with other devices and services, such as cloud services.
  • Backup copies and disaster recovery: it is recommended to have security procedures set out to guarantee that backup copies are made and total data recovery, and also operating system recovery in the event of a disaster. Backup copies storage must be encrypted.
  • Verifications and tests: once the product has been created and the practices described above have been implemented, they must be tested conducting analysis and verifications processes that guarantee their effectiveness (hardware revision, network traffic analysis, verification of authentication. etc.)

Best safety practices in operation and maintenance

the measures exposed in the above paragraphs shall not be of any use when the user of the IoT devices ignores the following security practices:

  • Deactivating unnecessary functions deactivating those functions and services which are not used or not necessary for the operation specifically intended by the user.
  • Setup: keeping the relevant device updated and with the proper set up.
  • Password use: using robust passwords and modifying them regularly.
  • Device integration: if IoT devices must be integrated in another infrastructure, network and interactions of such network with the environment must be assessed, for the purposes of avoiding undesired interferences and exposure.
  • Deletion of information: monitoring unused IoT devices and delete data from those which are not to be used again.

Best specific practices for privacy protection

In 2014, the Joint Opinion on the Internet of Things prepared by the relevant working party of the European Data Protection Authorities was approved. It consists on a series of recommendations in the scope of security, privacy and data protection which should be applied to IoT devices. However, there is no other formal document regulating the security actions which need to be taken for these technologies. This Opinion offers some recommendations, such as the following:

  • Impact assessment: privacy assessments (EIP) must be made before launching any new application in IoT.
  • Privacy by design: each party involved in the IoT environment must apply privacy principles by design and default privacy settings.
  • Unprocessed information: All parties interested in the IoT environment must erase unprocessed data immediately after having extracted those data which do have to be processed.
  • User data processing: device manufacturers must inform users about the types of data obtained and subsequently processed by their devices, the types of data received by them and the manner in which those will be processed and combined. IoT devices should offer a "do not obtain data" option through which sensors may be quickly connected or disconnected.
  • Location tracking: in order to prevent location tracking, device manufacturers must restrict the use of digital footprints by disabling wireless interfaces when not in use. Optionally, they may use random identifiers (such as MAC random addresses to scan Wi-Fi networks) for the purposes of avoiding using an persistent identification to track location.
  • Export tools: it is necessary to provide the users with tools that allow them to easily export their data in a common structured format.
  • User differentiation: a setup option should exist to differentiate the different users that access the same device, so that any one of them is capable of obtaining information about the others.
  • Social media: default setting of social media based in IoT devices should request users to review, edit and take the appropriate decisions regarding any information created by such devices before such information is published in social media.
  • Obtain consent: permission to use a connected device and subsequent data processing must be given in a manner which is transparent to the user.

botón arriba