Enlist AWS IoT security tools to defend your network

Basic IoT vulnerabilities

Among other devices, IoT can contain dedicated sensors, smartphones and appliances, each of which can gather specific data points and exchange data across a network. Once data reaches its destination -- such as the AWS public cloud -- it can be stored and acted upon with software-based compute engines, including big data processing and machine learning. AWS can help an enterprise handle the scale of networking, storage and computing that supports an IoT deployment.

When these elements all work harmoniously -- devices, networks, storage, computing and software -- they can bring tremendous value to an enterprise. However, every device in an IoT network needs proper configuration. IT professionals must protect the burgeoning volume of data that flows from IoT devices against eavesdropping and malicious activity. They must establish a strong security framework for network, storage and computing infrastructure to ensure authorized access and secure storage. Along the same lines, the software that drives the IoT system must ward off a constant stream of new threats and address vulnerabilities.

IoT devices pose several possible security vulnerabilities. First, many devices lack encryption to protect the data exchanged through the device. For example, IoT devices should send data across a network via a secure protocol, such as Secure Sockets Layer or Transport Layer Security. If the IoT device can't use a secure protocol or isn't configured to use one, anyone can read and steal the unsecured data by snooping network traffic.

Second, weak or unused authentication and authorization features can fell an IoT environment. Ideally, each IoT device should only allow data exchange with network points that invoke strong, unique authentication and authorization. For example, the software that queries the IoT device should use appropriate logon credentials. Otherwise, anyone can potentially access the IoT device and its data stream.

Every IoT device is basically a tiny computer that uses software, which requires periodic updates and patches. As an example, a device might provide a built-in web server with a management application. But a network engineer can improperly use the app, which can allow a security vulnerability to slip through. Also, the management app could contain flaws that leave the device vulnerable, such as bugs or oversights that make it prone to malicious attacks, or they might retain sensitive details that could be visible to onlookers.

Beyond the potential for vulnerabilities within the software itself, there is currently no widely adopted means to determine whether a vulnerability is present in a device's software version. There is also no standard that evaluates software patches, including whether a patch is required, available or legitimate or how to scale that patch process for millions of devices. These oversights can potentially leave countless IoT devices vulnerable to attack.

Finally, many IoT devices retain data, which can contain confidential or sensitive content, yet the device might not have a secure deletion or wipe feature. Consequently, sensitive information could remain on the device once it's sold, transferred to another user or taken out of service.

AWS IoT security features

AWS offers a variety of tools and features that help secure IoT networks, including device gateways, message brokers, authentication and authorization, and an IoT device registry.

The device gateway channels communication between more than 1 billion IoT devices and AWS infrastructure. AWS' device gateway manages secure communication that uses Message Queuing Telemetry Transport (MQTT), WebSockets and HTTP 1.1 protocols. Although HTTP offers a stateless, on-demand communication protocol, both MQTT and WebSockets support long-term bidirectional connections that enable IoT devices to exchange data as needed with low latency. Administrators should pay particular attention to authentication and port requirements for each protocol to adhere to proper security and firewall configurations.

The message broker sends and receives the actual messages between IoT devices and AWS infrastructure with a highly scalable publish/subscribe approach in which senders and receivers have no direct knowledge of each other. Instead, receivers subscribe to certain categories of published messages, and senders publish certain classes of messages. Thus, a huge number of devices can exchange data without ever communicating directly with each other. The AWS message broker enables messaging between specific devices if desired, as well as broadcast-type messages that send to many devices. AWS also allows permissions for individual classes or categories so that administrators can narrow data exchanges to specific topics.

Boost AWS IoT security with strong authentication and authorization features to ensure that every IoT device connected to AWS has a proven identity. These features also ensure that data exchanged is always encrypted, using a suite such as Advanced Encryption Standard (AES) 128 or Secure Hash Algorithm (SHA) 256. AWS handles authentication via its native Signature Version 4 method, X.509 certificates and custom token-based authentication. Admins can apply policies to each certificate for granular authorization control over devices and applications.

AWS uses a registry that identifies each device, and it tracks various metadata that outlines device characteristics and capabilities of each device. For example, the registry metadata might describe a sensor that reports speed and the corresponding units for that data, such as feet per second or kilometers per hour.

Finally, AWS IoT Device Defender is a managed service that audits device security policies to ensure they stay within established practices. This service can help identify potential AWS IoT security risks when these practices are not observed. For example, AWS IoT Device Defender can ensure that devices have established identities, are properly authenticated and authorized, and use encryption to exchange data. Similarly, Device Defender can alert admins if a certificate is shared between IoT devices, if a device with an expired certificate attempts to connect to AWS or if there are unexpected or undesirable device behaviors.

IoT security practices

While public cloud providers offer tools and services that can dramatically improve IoT security, it's important to follow a series of best practices from the get-go. Consider these common methods to give your IoT security a boost:

• Change default passwords. IoT devices use credentials that include a name and password for authentication. Unfortunately, many users fail to change each device's default password, which can leave a potential fleet of IoT devices vulnerable to unwanted access and undesirable configuration changes. Take the time to change and strengthen passwords regularly to protect IoT devices.
• Use encryption. Not all IoT devices support encryption, which means they exchange data in plain text that can be seen and stolen by network sniffing tools. Deploy IoT devices that actually implement strong AES, SHA or another encryption method. Use the IoT device's encryption capabilities, and either upgrade or retire IoT devices that do not support encryption.
• Register devices. A device registry is basically an explicit list of authorized devices that tell the IoT infrastructure which devices are supposed to be deployed and present in the environment. This makes it easy to detect unregistered devices that might attempt to connect to the IoT network.
• Assign IT staff. There is often a surprising lack of administrative oversight for IoT devices, such as when no human administrators watch over an IoT network and its security activities. Assign or hire an admin to oversee the network, set and implement policies, and configure and receive IoT alerts.