Top 20 Security Requirements of IoT Devices

IoT is everywhere. More than 20 billion devices are already installed, and it is increasing day by day. OWASP release security requirements for securing IoT devices. Here, I am listing out the top 20 security requirements of IoT devices:

  1. Debugging interfaces such as UART, USB, etc., should be disabled or secure by a complex password. UART(Universal Asynchronous Receiver-Transmitter), USB, and other similar interfaces can be used for accessing and dumping firmware.
  2. Always implement secure wireless communication protocols.
  3. Never use vulnerable C functions such as gets(), sprintf(), strcat(), vsprintf(), strcpy etc. while implementing firmware.
  4. Ensure implementation of Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) on the IoT device operating system to implement memory protection mechanism.
  5. Joint Test Action Group (JTAG) or Serial Wire Debug (SWD) should be disabled. Both can be used for chip debugging. If enabled, configured securely.
  6. Code signing should be used to ensure the integrity of IoT device software and firmware updates.
  7. Internal communication between different chips should be encrypted.
  8. Microcontrollers should be protected against side-channel attacks.
  9. Temper detection and temper resistant feature should be implemented.
  10. The firmware update process should be secure against a time of check and time of use attack. Also
  11. Ensure sensitive data not exposed on abrupt failure.
  12. Sensitive data, private keys, and certificates are secured using a secure element, Trusted Platform Module (TPM), Trusted Execution Environment (TEE), or cryptographic techniques.
  13. Ensure no secret leaks in code by reviewing it thoroughly. If possible, a code review should be performed by external auditors.
  14. Check for application and firmware components against OS command injection attack.
  15. IoT Device checks integrity for boot image signature before load.
  16. Secure compiler flags such as -fPIE, -WI, noexecstack, etc., should be configured for firmware builds.
  17. Implement mechanism of sensitive data wipeout on detection of tampering.
  18. Implement kernel containers for different apps to implement firmware apps for isolation.
  19. Downgrade to the old version option should not be enabled. It helps in securing IoT devices against vulnerabilities found in old versions.
  20. A trusted execution environment should be implemented.  It helps in achieving the objective of secure storage, processing, and protection of data.

Conclusion

IoT is a new buzzword, and researchers are trying hard to secure it. A lot of documentation available to secure IoT devices. The responsibility lies on manufacturers in developing secure IoT devices and following a defense-in-depth mechanism to secure security attributes.

Subscribe us to receive more such articles updates in your email.

If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.

You may also like...

Leave a Reply

Your email address will not be published.