IoT Cybersecurity
5 Methods To Secure Your Application
In October 2016, the Internet of Things was at the center of one of the largest distributed denial of service (DDoS) attacks. A botnet called Mirai hacked IoT devices and then used those devices to send an unprecedented number of traffic requests to Dyn, a large DNS provider. This increase in traffic caused Dyn to go offline, affecting Amazon, Twitter, and PayPal.
The Dyn attack shows the importance of IoT cybersecurity. To protect your own application from IoT breaches, there are five things you can do:
1. Don't use default credentials for IoT devices.
This simple rule can prevent most IoT cyberattacks. Why? Many Linux-based IoT devices (like smart thermostats and security cameras) ship with default SSH usernames and passwords. (We'll discuss SSH later.) If your customer uses one of these devices, it's an easy target. Mirai attacked only these devices. For a large-scale botnet attack, hackers can easily write a script that locates these devices and checks the default password, thanks to tools like Shodan and Nmap.
To avoid this, consider managing your applications without default passwords. Even hashing, which involves asking users to enter their particular product serial numbers into a browser to generate a password, is more secure than giving out generic usernames and passwords.
2. If possible, avoid using SSH (Secure Socket Shell).
Many IoT apps run Linux, which enables SSH by default. This indicates that the device is "listening" on port 22 for SSH connections. If your application does not require SSH, be certain it’s disabled—because it’s a major IoT cybersecurity vulnerability.
3. Limit your application’s exposure to IP-based networks, if possible.
If someone hacks your IoT device, they'll likely use a scripted online attack. Physically hacking a device in the same room is rare. If you can, reduce the amount of IP networks your application is exposed to.
4. Develop a VPN tunnel into your backend network.
Set up a virtual private network (VPN) tunnel on your devices, so you can communicate securely. Negotiate with your carrier to add your devices to their private network, with a VPN tunnel to your backend. The benefit: There’s no way for any traffic to or from your devices to access the internet.
5. Whitelist IPs and domains.
As a firewall, only allow traffic from a select list of IP addresses or domain names. This prevents malicious connections. Although it's possible for the hacker to bypass the IP and domain blocks you've put in place if your device is compromised, doing so is still a wise precaution.
Finally, Concept Reply strongly advises large businesses creating connected applications to look into reputable security consulting companies. These companies can assess your cybersecurity procedures and help to ensure your application is secure.
Concept Reply is a #cybersecurityawarenessmonth 2022 Champion. We're doing our part and committed to #BeCyberSmart – are you? Join the growing global effort to promote online safety education! All month long, we’ll be providing information on how to be safer and more secure online to show you just how easy it is to #BeCyberSmart.