Navigating the IoT security minefield: API security
The rapid growth of the internet of things has seen a corresponding rise in the adoption of APIs. In IoT, most devices communicate with the cloud via RESTful API calls, which are well suited to machine-to-machine communication. Standard user interfaces, on the other hand, are meant for human consumption.
While APIs are better suited for today’s business model, they present their own security challenges to address. One of those challenges is access authorization.
Since session cookies are impractical for IoT deployments, developers will often use different authorization methods, such as issuing a JSON Web Token after successful device authentication. Unlike users, who log onto a web portal, execute a few tasks and log out, IoT devices require constant communication to their cloud infrastructure. In order to simplify the implementation, some developers will opt for so-called “long-term tokens” that can be valid for days or even weeks, instead of adopting the best practice of rotating the access token every few minutes.
Unfortunately, simplifying implementations also has its risks as an attacker has the opportunity to hijack and reuse a token for days after it’s issued. The situation can escalate further if other security practices, such as TLS encryption, are not properly implemented.
Moreover, even when transport encryption and authorization techniques are correctly implemented, there are still potential attack vectors that can result from a lack of security protocols in the application design. Attacks, such as SQL injection, can be executed against a vulnerable API endpoint much like they would be against a regular web portal. And there simply aren’t many good options to mitigate these attacks as most web application firewalls (WAFs) still do not parse or examine JSON inputs.
The challenges don’t stop there — newer, non-HTTP protocols, such as WebSocket and CoAP, present even more of a problem.
The solution? Design, build and connect to your APIs from the start with security in mind. There are five main points to consider when doing so:
- Strong authentication, ideally using asymmetric encryption and a private key stored securely on the device;
- Relatively short-lived tokens. Rotate them at least once every 30 minutes;
- TLS transport encryption;
- Standard authentication/authorization enforced on every endpoint. Avoid publishing unprotected endpoints; and
- Sanitize user input, even if it’s coming from a device. A malicious user could manually manipulate requests to exploit faulty business logic.
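To make the token-lifetime points concrete, here is an added example (not code from the original article) of a cloud-side JWT issuer and verifier that enforces the 30-minute bound: a correctly signed "long-term token" is rejected just like an expired or tampered one. It uses HS256 (HMAC) so it runs with only the Python standard library; the device identity, key and timestamps are constructed for illustration, and the lifetime policy applies unchanged to asymmetric signatures.

```python
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

# Policy bound from the article: tokens must be rotated at least every 30 minutes.
MAX_TOKEN_LIFETIME = 30 * 60
CLOCK_SKEW = 60  # seconds of tolerated clock drift between device and cloud

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key: bytes, device_id: str, lifetime: int, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT for a device that has already authenticated (e.g. with its private key)."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = b64url_encode(json.dumps({"sub": device_id, "iat": now, "exp": now + lifetime},
                                      separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url_encode(signature)}"

def verify_token(key: bytes, token: str, now: Optional[int] = None) -> Tuple[Optional[dict], str]:
    """Return (claims, "ok") for a token that is authentic, unexpired and within the lifetime
    policy, or (None, reason) otherwise. Every endpoint should call this before doing any work."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed"
    if header.get("alg") != "HS256":  # refuse "none" and any algorithm we never issue
        return None, "unsupported alg"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None, "bad signature"
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return None, "missing iat/exp"
    if iat > now + CLOCK_SKEW:
        return None, "issued in the future"
    if now >= exp:
        return None, "expired"
    if exp - iat > MAX_TOKEN_LIFETIME:  # a validly signed "long-term token" is still rejected
        return None, "lifetime exceeds policy"
    return claims, "ok"
```

Because the lifetime check is enforced at verification time, a single issuer misconfigured to mint week-long tokens cannot silently widen the replay window for every endpoint.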
Keeping the above in mind is a critical step. In addition, implementing an API-aware WAF can also go a long way in mitigating security issues and providing visibility into flows.
APIs will continue to grow in lockstep with the rapid growth of IoT, so you need to start thinking about adopting a robust security strategy now to reduce risk and protect your customers.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.