A few weeks ago, I had the opportunity to speak at SecTor on a topic that I’ve been interested in bringing attention to for a while, the shifting IoT market. You can view the entire presentation online; however, I was asked if the checklist that I present was available via any other means.
The following is the IoT Purchasing Checklist that I provided as part of my presentation and my reasoning for the inclusion of various items.
Before You Buy
- Is the manufacturer reliable? Will they remain in business for the lifetime of the product?
- If you need a product to be deployed for the next 5-10 years, you aren’t helping yourself if you buy into a company that will be gone in 12 months.
- Is the product the first of its kind or is it competitive with other product offerings?
- One of the major tenets of my theory is that companies will sacrifice in other areas in order to be first to market. One of the places where sacrifices are more typically made is product security.
- How frequently does the vendor publish updates?
- If a product has been available for several years and no updates have been published, you may want to question if the vendor actually maintains their products.
- Does the firmware auto-update or require manual intervention?
- While you may want the control of manual updates for certain mission-critical devices, other devices may be deployed in such a way that manual updates are impossible. It is important to know how much control you’ll have over the software version you are running.
- Are there reported vulnerabilities in the product?
- If the vendor maintains documentation around vulnerabilities, that should not be considered a negative. No product is completely secure; it’s important to see that a vendor acknowledges and reacts to reported issues. The real concern is vendors that are unresponsive or hide critical issues.
- If you find vulnerabilities published by third parties that the vendor has never acknowledged or patched, this is a great indicator that they may not fit into an enterprise environment.
- Does the vendor have a published security page?
- This page should include past security issues, updates and contact information. If they don’t have any form of security point of contact on their website, this should be a red flag.
Within 30 Days of Purchase
- If the device contains an access point, you should check to see if the AP fails open.
- Many products over the years have failed open, creating an open, insecure wireless access point when they are deauthenticated from the wireless network.
- A simple test for this would be to associate the device with your wireless network and then unplug your wireless network for ~10 minutes. If you see your device come up with an AP on your mobile device, it is failing open.
- How robust is any related cloud interface?
- Does the interface allow for Single Sign-On? Does it allow multifactor authentication? It is important that any web interface that you utilize provide security and peace of mind.
- What data is transmitted to/from the cloud?
- Are you aware of what data is leaving your network via your new IoT device? What traffic is it allowing into your network?
- How easy/difficult is it to actually update the firmware?
- Before you buy, you can typically confirm if the firmware updates are manual or automatic. You cannot, however, necessarily confirm the steps involved in the installation process. I tend to favour applications that allow for single push button upgrades rather than long, tedious manual update processes.
- Are interfaces adequately secured?
- Better yet, does it require authentication for critical operations? Is there an open API on your local network that does not require credentials? Are credentials sent in plain text?
- Complete a port scan.
- It’s always good to understand exactly what services are open and listening on your network.
- Write a review.
- One of my arguments it that most reviews tend to be useless. They are either paid reviewers or they lack the ability to provide informed, technical opinions. Write a review, in plain English, describing the product and the pros and cons. Discuss the security and help inform future purchasers.
Deep Dive Checklist
- Audit the device firmware.
- There are classes available to help with this if you aren’t sure where to start. It can provide a great mechanism for finding and identifying vulnerabilities.
- Audit the device’s Web Interface.
- As with the firmware, knowing exactly how the device works can be an excellent method of ensuring you are secure while using the product.
- Reach out to the vendor security team.
- You may not have a security issue but test their responsiveness and openness to collaboration. It is important to know how their security team reacts to issues.
- Find other users of the device.
- You may find a subreddit forum, or mailing list where users get together to discuss the product. These social forums often inadvertently reveal vulnerabilities that the users may not recognize as vulnerabilities. They present a real opportunity to learn and share.
- Take a training course.
- If you really want to get serious about performing deep dives, take a course to help you better prepare for your device auditing. Having a toolkit of common IoT device mistakes can help you more easily identify mistakes with your own device.
Have you got your own favourite checklist items when purchasing a new device? Let me know!