Chapter 6:

IoT Security Solutions

May 11, 2022

In the first half of 2021, over 1.51 billion IoT breaches occurred, according to Kaspersky. Most used simple exploits, like default credentials, to gain access. In today’s threat landscape, clients are beginning to demand greater security for their IoT devices, which means understanding the security solutions on the market is quickly becoming a necessity for developers in the IoT industry.

In this article, we’ll give you a map to navigate the different types of IoT security solutions. We’ll show how different security solutions work, inform you of how they keep IoT devices safe, and offer recommendations for how to select the right IoT security solution for your application or device.

Executive summary

Let’s start with a quick summary of the major categories of IoT security software available.

IoT security solutions and their role in your security infrastructure:

  • IoT Firewall: Filters network traffic to control how IoT devices can be accessed
  • Monitoring: Gain visibility to uncover any malicious activity
  • Encryption: Prevent prying eyes from pilfering your data in transit
  • Offensive tools: Scan the network and find security issues before attackers

With these simplified definitions in mind, let’s take a closer look at each kind of security solution, and see some real examples of how they protect your IoT devices.

What are the different types of IoT security solutions?

Wading through the saturated market of commercial and open source security solutions can feel like navigating the ocean with a canoe. Let’s clear up those murky waters by organizing solutions into four categories:

  • Firewalls
  • Monitoring 
  • Encryption
  • Offensive tools

Below, we’ll explain exactly what each of these four IoT security solution categories is. 

Firewalls

In the IoT world, you may wish to limit access to a device so only local IPs can reach it to reduce your system’s attack surface. Or you may want to ban IPs that try to access certain ports. Firewalls allow you to protect devices by restricting incoming and outgoing traffic.

[Figure: Firewalls filter traffic according to rules you define.]

Why is this so important? Suppose you have an Industrial IoT (IIoT) device, like a smart HVAC (heating, ventilation, and air conditioning) system. Workers change the temperature from physical panels which connect to the central HVAC controller via the local network. Since there’s no reason for the central controller to receive unsolicited connections from the Internet, you can prohibit external traffic with a firewall. That way, only local clients can even attempt to connect to the controller.

To demonstrate how a firewall works, we can set up a real firewall to protect an IoT device. Linux operating systems, like Android, dominate embedded systems and the IoT. And, while nftables is slowly gaining popularity, iptables is the predominant Linux firewall in the IoT space, so we’ll use iptables in our example.

The IoT device in our example is a Huawei AR502H Edge Computing IoT Gateway, but the principles easily translate to other IoT systems and devices.


Huawei GTWY> # 192.168.0.0/16 is the IP range of the local network so we allow that
Huawei GTWY> iptables -A INPUT -p tcp --dport 22 -s 192.168.0.0/16 -j ACCEPT 
Huawei GTWY> # 127.0.0.0/8 is the loopback range (the device itself), allow that too
Huawei GTWY> iptables -A INPUT -p tcp --dport 22 -s 127.0.0.0/8 -j ACCEPT 
Huawei GTWY> # Drop all other traffic to port 22 (SSH)
Huawei GTWY> iptables -A INPUT -p tcp --dport 22 -j DROP

Now that we’ve set up the rules in iptables, we’ll try to connect using an external IP and see if the firewall does its job.


Huawei GTWY> # Set the IP address of the Huawei IoT Gateway
Huawei GTWY> export HUAWEI_IOT_GATEWAY=190.14.134.77
Huawei GTWY> # Try to remotely access the IoT device using SSH (<user> stands for the account name)
Huawei GTWY> ssh "<user>@$HUAWEI_IOT_GATEWAY"
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
ssh: connect to host 190.14.134.77 port 22: Operation timed out
Huawei GTWY> # The timeout is consistent with the firewall dropping the packets without responding

We can see that the firewall worked as intended: the DROP rule silently discards the packets, so the client receives no response and the connection attempt times out.

This is just one example of the power of IoT firewalls. For instance, we can also use a firewall to log suspicious connections and forward those logs to a monitoring platform for storage and analysis. To learn more, check out our article on IoT firewalls.
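
The logging idea above, as an added example that is not part of the original article: this Python script parses the kernel log lines a LOG rule would produce and reports external sources whose SSH attempts were dropped repeatedly, plus any local source that reached the LOG rule (a sign the rules are in the wrong order). It assumes the INPUT chain holds only the three rules shown earlier, a hypothetical log prefix "SSH-DROP ", and constructed sample log lines.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: a LOG rule sits just before the final DROP rule, for example
#   iptables -I INPUT 3 -p tcp --dport 22 -j LOG --log-prefix "SSH-DROP "
LOG_PREFIX = "SSH-DROP "  # hypothetical prefix chosen for this example
# Sources the article's rules ACCEPT before the LOG rule would be reached.
ALLOWED = [ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample log lines (external sources use documentation ranges).
_FMT = ("Apr  7 20:3{}:00 gtwy kernel: SSH-DROP IN=eth0 OUT= SRC={} "
        "DST=190.14.134.77 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=22 SYN")
_SOURCES = ["203.0.113.9"] * 4 + ["198.51.100.23", "192.168.0.50"]
SAMPLE_LOG = "\n".join(
    [_FMT.format(i, src) for i, src in enumerate(_SOURCES)]
    + ["Apr  7 20:37:00 gtwy sshd[812]: Server listening on 0.0.0.0 port 22."])

def parse_line(line):
    """Return the KEY=value fields of one LOG line, or None if it is not ours."""
    _, found, rest = line.partition(LOG_PREFIX)
    if not found:
        return None
    fields = dict(FIELD.findall(rest))
    return fields if {"SRC", "DPT", "PROTO"} <= fields.keys() else None

def summarize(log_text, threshold=3):
    """Count dropped SSH attempts per external source; flag rule-order mistakes."""
    hits, misordered = Counter(), set()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["PROTO"] != "TCP" or f["DPT"] != "22":
            continue
        try:
            src = ip_address(f["SRC"])
        except ValueError:
            continue  # malformed address: skip it rather than crash the collector
        if any(src in net for net in ALLOWED):
            misordered.add(str(src))  # local traffic should have been ACCEPTed earlier
        else:
            hits[str(src)] += 1
    noisy = {ip: n for ip, n in hits.items() if n >= threshold}
    return noisy, sorted(misordered)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```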

Monitoring

How would you know if an attack was occurring against your IoT infrastructure right now? IoT monitoring solutions help solve this problem. 

Monitoring solutions offer real-time alerts, analysis, and intelligence on various activities across devices, including threats.

For example, in 2021 AmeriGas disclosed a breach that only lasted 8 seconds before the intrusion detection system caught the abnormal activity. Incident response protocols automatically reset the relevant account credentials. According to a report on the incident from Forbes:

Security teams need to be able to recognize the initial attack long before any information is stolen and encrypted. For this reason, every organization should be using some type of always-on inline monitoring system that can look for unusual behavior and respond in near real-time, rather than relying on daily reports.

Security is just one instance of the immense value of monitoring for companies with IoT products. Modern organizations inform their data-driven policies with top-notch business intelligence. Thorough monitoring gives analysts a base of quality data to build reports and derive insights.

[Figure: Dashboard for OSSIM, a free and open-source security monitoring solution.]

In addition to excellent community-led projects like OSSIM (pictured above), enterprise users may wish to consider a more comprehensive commercial IoT security solution like Macrometa, which integrates real-time threat detection for IoT APIs. 

IoT monitoring is a broad topic, and doing it right means considering logging, data analysis tools, and other themes that transcend security. If you want the full scoop on the ins and outs of IoT monitoring, check out our article on IoT monitoring.

Encryption

In the context of IoT security, encryption can be used in many beneficial ways. One of the most common applications is encrypting HTTP traffic with TLS (the successor to the more well-known SSL, which is deprecated) for HTTPS connections.

An introductory explanation of TLS is beyond the scope of this article. Still, in a nutshell, it’s a cryptographic protocol that ensures the authenticity, confidentiality, and integrity of traffic between endpoints. The benefits of TLS encryption include:

  • Outsiders can’t snoop on your traffic 
  • Verification that the server you're communicating with legitimately represents the domain
  • Data hasn’t been tampered with in transit

Best of all, setting up TLS is easy and free. 

Let’s walk through an example using Ubuntu and Nginx. In this example, we’ll use the Certbot command-line tool to install a Let’s Encrypt certificate.

Simply run the following commands:


$ sudo snap install --classic certbot
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
$ sudo certbot --nginx
$ sudo certbot renew --dry-run # test automatic renewal of the new cert
$ # the cert should now be installed

You can find full instructions for installing TLS certificates using other operating systems and web servers here.

Offensive tools

Offensive tools are the IoT security solutions that penetration testers and other security professionals use to actively test the security of a device or network. 

While there are security professionals that dedicate their careers to using these tools, you don’t need to be an offensive security engineer to take advantage of them.

[Figure: The process of an offensive security audit.]

Nmap is a classic example of a powerful offensive security tool that even non-experts can use. For example, with nmap, we can create a network map to detect suspicious or poorly secured devices, identify open ports, and see what software and version they’re running.

Below is an example of how nmap works in practice. Here, the nmap 192.168.0.1 command scans the same Huawei IoT Gateway we used for our firewall example:


$ nmap 192.168.0.1 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-07 20:28 CST
Nmap scan report for 192.168.0.1
Host is up (0.0065s latency).
Not shown: 994 filtered tcp ports (no-response)
PORT     STATE  SERVICE
80/tcp   open   http
139/tcp  closed netbios-ssn
445/tcp  closed microsoft-ds
1900/tcp closed upnp
5000/tcp open   upnp
9100/tcp closed jetdirect
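
A way to turn the scan above into a repeatable check, added here as an example that is not part of the original article: this Python script parses the scan output shown and compares the open ports with a per-host baseline. The baseline (only the web interface on 80/tcp is expected) is an assumption made for illustration.

```python
import re

# Scan output copied from the article's nmap run against the gateway.
NMAP_OUTPUT = """\
Nmap scan report for 192.168.0.1
Host is up (0.0065s latency).
Not shown: 994 filtered tcp ports (no-response)
PORT     STATE  SERVICE
80/tcp   open   http
139/tcp  closed netbios-ssn
445/tcp  closed microsoft-ds
1900/tcp closed upnp
5000/tcp open   upnp
9100/tcp closed jetdirect
"""

# Assumption: the device owner expects only the web UI to be reachable.
EXPECTED_OPEN = {"192.168.0.1": {(80, "tcp")}}
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_scan(text):
    """Return {host: [(port, proto, state, service), ...]} from normal nmap output."""
    hosts, current = {}, None
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            # Handles both "for 192.168.0.1" and "for name (192.168.0.1)".
            current = line.rsplit(" ", 1)[-1].strip("()")
            hosts[current] = []
        elif current and (m := PORT_LINE.match(line)):
            hosts[current].append((int(m[1]), m[2], m[3], m[4]))
    return hosts

def audit(text, expected):
    """Compare open ports per host with a baseline; return a list of findings."""
    findings = []
    for host, ports in parse_scan(text).items():
        open_now = {(p, proto): svc for p, proto, state, svc in ports if state == "open"}
        baseline = expected.get(host, set())
        for p, proto in sorted(set(open_now) - baseline):
            findings.append((host, f"{p}/{proto}", open_now[(p, proto)], "unexpected open port"))
        for p, proto in sorted(baseline - set(open_now)):
            findings.append((host, f"{p}/{proto}", "", "baseline service not open"))
    return findings

if __name__ == "__main__":
    for finding in audit(NMAP_OUTPUT, EXPECTED_OPEN):
        print(*finding)
```

For recurring audits, nmap's XML output (-oX) is a more stable format to parse than the human-readable report used here.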

Offensive security is too broad a topic to cover thoroughly in this article. If you’re interested in learning more, consider consulting a beginners’ resource like Cybrary.

IoT security best practices

Even for experienced security engineers, addressing the unique challenges of IoT security can be difficult. Limited resources, antiquated hardware, and unusual restrictions make selecting the right IoT security solution challenging. 

In the following sections, we’ll provide tips for addressing IoT security challenges and keeping IoT devices safe. Keep the best practices outlined below in mind when shopping for IoT security solutions to ensure that you select a product that checks all the right boxes.

IoT security best practice #1: Keep software up-to-date

Even if your IoT software is the latest and greatest today, it will eventually become out-of-date. Many older IoT products rely on customers to periodically check software versions and update them manually (or just upgrade to a newer device). A more modern approach is for the devices to reach out to a server to check for updates periodically.

Clients who want more control over versioning should be able to opt out, but by default, devices should be able to auto-update via an Over-The-Air (OTA) update routine.

IoT security best practice #2: Implement authentication the right way

Strong authentication practices are the cornerstone of security. But how can you develop your IoT apps to implement authentication securely? The most important lesson is to keep it simple. Don’t reinvent the wheel unless you have to. Instead of designing an authentication mechanism from scratch, use established platforms and frameworks whenever possible. Amazon Cognito, Firebase Auth, and AWS IoT Fleet Provisioning (for the devices themselves) are all preferable to writing custom authentication logic, which should be a last resort.

When looking for the right auth solution or, if necessary, implementing it yourself, keep these principles in mind:

  • Prefer multi-factor authentication wherever possible
  • Disallow access to devices via Telnet (if remote shells are necessary, use SSH instead)
  • Never ship devices with “default” credentials. The user can select initial credentials when they set up the device if needed
  • Hash and salt all passwords
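
The last two principles combined, as an added example that is not part of the original article: a first-boot provisioning routine in Python that refuses factory-style default credentials and stores only a salted PBKDF2 hash of the password the user chooses. The blocklist, the minimum length, the iteration count, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed blocklist of factory-style defaults, lowercased for comparison.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"),
                       ("admin", "password"), ("admin", "1234")}
ITERATIONS = 600_000  # PBKDF2 work factor (assumed; tune to the device's CPU)
MIN_LENGTH = 12       # assumed policy, not taken from the article

def hash_password(password, iterations=ITERATIONS):
    """Hash with a fresh random salt; the salt is stored beside the digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def provision(username, password):
    """First-boot setup: the user picks credentials; defaults are refused."""
    if (username.lower(), password.lower()) in DEFAULT_CREDENTIALS:
        raise ValueError("default credentials are not allowed")
    if len(password) < MIN_LENGTH or password.lower() == username.lower():
        raise ValueError("password too short or identical to the username")
    return {"user": username, "hash": hash_password(password)}

def verify(record, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = record["hash"].split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    record = provision("operator", "correct horse battery staple")
    print(record["hash"].split("$")[:2], verify(record, "correct horse battery staple"))
```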

Conclusion

Attackers frequently exploit insecure IoT infrastructure to gain a foothold into a target network. From there, they can escalate and penetrate further into the organization.

Given the damage ransomware, data theft, and other attacks can cause, you don’t want to be responsible for a breach. By diligently selecting the right IoT security solutions using the information and best practices we’ve discussed here, you can reduce the risks facing your IoT infrastructure.
