The Internet of Things (IoT) is a rapidly growing area over the past several years. IoT can be found in many areas of life— from home users using devices such as smart thermostats, smart bulbs or Internet doorbells and cities implementing devices to control CCTVs, traffic lights, and street lamps, to medical devices such as smart pacemakers. Manufacturers are able to develop and produce devices relatively quickly, but do not always take into consideration the potential security issues surrounding these devices.
IoT-based cybersecurity policies can play a role in helping manufacturers. Policy can help manufacturers take up international standards in a consistent way to improve security across a range of consumer products and promote an advanced state of security in critical applications.
In order to demonstrate the effectiveness of commonly recommended controls, the Global Cyber Alliance (GCA) conducted research to test how well attacks could be prevented by following these standards and guidelines. Using a dedicated honeypot infrastructure, which utilized the GCA’s AIDE and ProxyPot projects), we were able to analyze the effects of Internet attacks on variably configured devices— such as those conforming, or not conforming, to measurable controls in standards and policy.
The result of the research strongly suggests that policymakers are correct in emphasizing secured access when turning standards into policy.
The following items are strongly suggested as recommendations for IoT devices:
- Implement SSH over Telnet. Telnet is less secure than SSH due to Telnet communication being unencrypted. Attackers can sniff traffic and obtain usernames and passwords, regardless of the strength of those passwords.
- Do not allow continuous use of default passwords. It is essential to require immediate password changes during initial device setup.
- Require the use of strong passwords along with SSH usage.
Our research was published last week, in the ‘IoT Policy and Attack Report,’ the opening issue of our new ‘GCA Internet Integrity Papers.’ The full report, which includes further details on the findings and analysis that was conducted, was featured at the chapter on IoT of the ‘Microsoft Digital Defense Report,’ also issued last week.
Also last week, during the Singapore International Cyber Security Week 2021, we announced the first large project of the AIDE platform in a global smart city, Singapore.
All those announcements add up to the experiment on home smart devices conducted last summer with Which? and NCC Group, when AIDE hit the global headlines for the first time.
After two years of intense work, GCA’s IoT proposals, AIDE and ProxyPot, are now starting to prove their value in different applications. We are eager to expand our work, so, if you or your organization are interested in working with GCA on similar projects, please do not hesitate to reach out to us.
The author, Shehzad Mirza, is the Director of Operations and the Project Owner of AIDE and ProxyPot at the Global Cyber Alliance. You can connect with Shehzad on LinkedIn.