Earlier this month the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its Draft NISTIR 8267, Security Review of Consumer Home Internet of Things (IoT) Products, for public comment. NIST will accept public comments on the report through November 1, 2019.
The draft report documents security features in seven types of smart-home devices: light bulbs, security lights, security cameras, doorbells, plugs, thermostats, and televisions. For each device category, NIST reviewed a minimum of three devices currently available on the market from different manufacturers. Without naming any manufacturers, NIST provides detailed observations of the security features utilized by the devices and provides recommendations on how current practices can be improved.
The draft report recommends that manufacturers:
- Require password change on first use. NIST identifies the continued use of default passwords as a serious cybersecurity risk. NIST advises manufacturers to require users to set new passwords when configuring their devices for the first time.
- Require stronger passwords. NIST finds that the password requirements for many companion mobile applications and web applications that control IoT devices were inconsistent with best practices as detailed in previous agency guidance. NIST recommends requiring stronger passwords on these companion platforms consistent with best practices.
- Implement certificate pinning. More than half of the devices were vulnerable to man-in-the-middle attacks or certificate impersonation techniques used by bad actors to intercept data flowing from the device. Certificate pinning associates a host with its expected certificate or public key, which mitigates the effectiveness of these attacks. NIST recommends manufacturers implement certificate pinning on smart home devices.
- Use up-to-date encryption. Some devices used outdated encryption techniques, or no encryption at all, to protect data being communicated to and from devices. NIST recommends using TLS encryption suites to protect data, consistent with previous agency guidance on encryption.
- Allow logging of security events. Many devices had no mechanism for users to log security events. NIST recommends manufacturers allow users of IoT devices to log security events to promote the overall security of these devices.
- Prevent access to unused access ports. Some devices had no way to disable unneeded network interfaces. Attackers can use ports to access and manipulate a device, making encryption and other security measures ineffective. NIST advises manufacturers to “close or otherwise prevent access to all unused physical and logical access ports, including physical accesses such as USB.
- Remove device reset buttons on security-related outdoor devices. Device reset buttons can be useful for IoT devices in the home, for example to allow a guest to access a device. However, physical reset buttons can also allow attackers to gain access to a device and should not be implemented on security-related IoT devices meant to be placed outside the home. NIST recommends removing these reset buttons from devices intended to be placed outside the home.
- Improve update process. IoT devices cannot be secured unless they are updated, and updates are not effective unless they are timely. NIST calls on manufacturers to continue to develop and implement processes to make software and firmware updates for devices available and to notify users in a timely manner. Manufacturers should allow for automatic download options as well as provide user controls to schedule or stop automatic updates, including the ability to roll back an update if needed.
- Secure UPnP communications. NIST finds that many devices use UPnP, a plug-and-play communications protocol, which does not use authentication by default. NIST recommends manufactures add device protections to secure UPnP communications.
- Make security features user-friendly for nontechnical users. While acknowledging the inherent challenge, NIST considers nontechnical users’ ability to use security features as a cybersecurity objective in its own right. The draft report calls on manufacturers to keep devices’ cybersecurity features user-friendly and nontechnical where possible.
The draft report demonstrates NIST’s continued interest in the rapidly evolving cybersecurity implications of IoT devices in general, and smart homes in particular. It follows other recent research by NIST on the baseline security features for IoT devices and considerations for managing IoT security and privacy risk overall. NIST will continue to accept public comments on the draft report through November 1, 2019.