Cyber security is no longer a nice-to-have feature for large companies. It is essential, especially for embedded and IoT products. ETSI has just released a new regulation for the secure design of IoT and related products, and CEPD could not agree more with the timeliness of this release.
With the prevalence and popularity of IoT product hitting the market, it has never been a better time to become educated on some of the common IoT security issues. This article is one in a series that will focus on IoT and embedded security. Common problems will be discussed, and possible solution paths will be provided. In the end, it is our hope that we are all a bit more security aware when using and designing IoT devices.
Default Passwords
A majority of IoT devices use a universal default password, e.g. “admin”, “1234”, “user”, etc. To make matters worse, many users will never update their password from the default. This gives full access to anyone who is familiar with this password. The potential “hacker” population is anyone who has also bought the product or read about the product. Needless to say, this is a pretty large group of potential hackers that now know your device’s password.
Possible Solutions
It is tempting as a developer to just hardcode a password into the product’s codebase. However, the risks greatly outweigh the benefits. Fortunately, there are design choices that can be made that better secure the IoT device.
Random Number Generation
Upon initial power up, the IoT device could generate a random number as its password. This could then be shared through a secure means with the end user. Because this password is random, there is a low probability that another device shares the same password.
Random number generation is available through both hardware and software means. Devices, such as MIKROE’s 4090, which is available right now on Digi Key, will generate a true random number sequence. Furthermore, many modern processors and microcontrollers offer either true or pseudo random number generator peripherals. Last of all, C and C++ offer pseudo random capabilities through use of pre-compiled libraries.
The point is, there are a lot of ways these days to generate a random number. Adding this feature to your IoT device avoids the universal default password dilemma, and demonstrates that your product is truly a step above the rest.
Require a Password Change
If random numbers are a bit too involved, make the user change the password as a first step. Before the IoT device does what it was made for, have a prompt for the user to enter in their own, custom password. This is a small burden to put on the user, and the 30 – 60 seconds taken to complete this step will pay dividends in protecting the user’s security and your product’s reputation.
Limit the Number of Incorrect Tries
Rules, such as allowing for only five incorrect passwords within a 3-minute timeframe can make your IoT product more resilient against automated attacks. Note that most of the “hacking” out there is actually carried out by machines, who quickly try to guess a password. If your IoT delays password entry, then it is not going to be the lowest hanging fruit and hacking efforts will be frustrated, probably moving on from your device. Now, this is not sufficient by itself, but when coupled with one of the previous recommendations, it can be powerful.
These issues and recommendations come from work done by ETSI. Their publication ETSI EN 303 645 v2.1.1 (2020 – 06) can be referenced for all of these points.
More articles on IoT security are coming, so please stay tuned!
-NM