Top 20 Security Requirements of IoT Devices

IoT is everywhere. More than 20 billion devices are already installed, and it is increasing day by day. OWASP releases security requirements for securing IoT devices. Here, I am listing out the top 20 security requirements of IoT devices:

1. Debugging interfaces such as UART, USB, etc., should be disabled or secure by a complex password. UART(Universal Asynchronous Receiver-Transmitter), USB, and other similar interfaces can be used for accessing and dumping firmware.
2. Always implement secure wireless communication protocols.
3. Never use vulnerable C functions such as gets(), sprintf(), strcat(), vsprintf(), strcpy etc. while implementing firmware.
4. Ensure implementation of Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) on the IoT device operating system to implement a memory protection mechanism.
5. Joint Test Action Group (JTAG) or Serial Wire Debug (SWD) should be disabled. Both can be used for chip debugging. If enabled, configured securely.
6. Code signing should be used to ensure the integrity of IoT device software and firmware updates.
7. Internal communication between different chips should be encrypted.
8. Microcontrollers should be protected against side-channel attacks.
9. Temper detection and the temper-resistant feature should be implemented.
10. The firmware update process should be secure against a time of check and time of use attack. Also
11. Ensure sensitive data is not exposed to abrupt failure.
12. Sensitive data, private keys, and certificates are secured using a secure element, Trusted Platform Module (TPM), Trusted Execution Environment (TEE), or cryptographic techniques.
13. Ensure no secret leaks in code by reviewing it thoroughly. If possible, a code review should be performed by external auditors.
14. Check for application and firmware components against OS command injection attacks.
15. IoT Device checks integrity for boot image signature before load.
16. Secure compiler flags such as -fPIE, -WI, noexecstack, etc., should be configured for firmware builds.
17. Implement a mechanism of sensitive data wipeout on detection of tampering.
18. Implement kernel containers for different apps to implement firmware apps for isolation.
19. The downgrade to the old version option should not be enabled. It helps in securing IoT devices against vulnerabilities found in old versions.
20. A trusted execution environment should be implemented.  It helps in achieving the objective of secure storage, processing, and protection of data.

Conclusion

IoT is a new buzzword, and researchers are trying hard to secure it. A lot of documentation is available to secure IoT devices. The responsibility lies on manufacturers in developing secure IoT devices and following a defense-in-depth mechanism to secure security attributes.