Internet of Things: Identifying Risks and Good Practices

A Guide to Reduce the Risk of Compromise and Abuse

This guide provides information on security measures that can be applied to Internet of Things (IoT) devices to help reduce the risk of compromise and abuse. In addition to the recommendations in this guide, IoT device administrators should keep informed of newly publicized issues and apply appropriate mitigation measures.

IoT devices include things like a departmental or individual networked printer, networked storage device, building automation system, wireless camera, wireless door lock controller, Raspberry Pi, Amazon Echo or Google Home. Laptops and desktops are not considered IoT devices.

If you are deploying an IoT device that directly impacts the health or safety of any member of the University community or handles restricted information, immediately contact the University of Chicago Information Security Office. If your IoT device doesn’t have restricted information, use this ServiceNow Request form.

For any questions about this guide, contact the University of Chicago Information Security Office at security@uchicago.edu or call 773.702.CERT (2378).

Why do I need to secure my IoT device?

Not only could a compromised IoT device be a privacy threat, but it could also be a safety threat if the ability to use the IoT device for monitoring is impacted. A compromised IoT device can be used to pivot to or attack other systems on the network or for other nefarious purposes.

Good IoT practices for IoT device managers

If you are reading this guide and are responsible for an IoT device, the good practices listed below will help you cover the basics. Specific devices may require updates or have guides available from their manufacturers.

  1. Access
    1. Be sure the device’s access control does not allow unauthorized or unauthenticated access and that appropriate restrictions are in place.
    2. Change the default password to something complex with 16 characters or more if feasible.
    3. Make sure no management interface is accessed over an unencrypted channel (e.g. use HTTPS rather than HTTP and disable the latter).
    4. For Raspberry Pi Devices:
      1. Make sudo require a password.
      2. Modify the sshd configuration to allow only specific users for SSH access.
      3. Use key-based authentication as an alternative to a password login.
    5. For printers, disable any unnecessary services. Disable the following where possible, as they are commonly visible without a username or password:
      1. Internal storage or job forwarding
      2. Job logs
      3. Print queue
      4. Device management logs
  2. Software updates
    1. Keep the device software updated with the latest security patches and firmware.
      1. Some patches can revert or change passwords.
  3. Services
    1. Disable all unused services, such as telnet, ssh, FTP/TFTP, MySQL, email, web proxy, SLP/Device Announcement Agent, WS-Discovery/XML Services, Web Services Print, WINS, LLMNR, IPX/SPX, DLC/LLC, Multicast IPv4, File Access Settings (JPL Disk Access, SNMP Disk Access, etc.).
    2. For printers:
      1. Automatically delete data after the printing process is complete. Options can be set for how long data can be resident on the printer – set to lowest time available.
      2. Confirm deletion of data upon job completion.
      3. Disable local use of printer memory if possible.
  4. Network
    1. IoT devices must use a non-publicly-routable IP address wherever possible. Exceptions must be approved by the Office of the Chief Information Security Officer (CISO).
    2. If possible, use a firewall or similar means of restricting access to the IoT device management services to only the IP address ranges needed. For off-campus access, the campus VPN range should be included rather than any external IP addresses.
    3. For Raspberry Pi Devices:
      1. Install and configure fail2ban.
      2. Install virus protection.
  5. Logging
    1. Enable logging of IoT device access and configuration changes. Have the logs sent to an external device.
    2. Monitor logs for unusual behavior.
  6. Redundancy and backups
    1. If the device has a critical function, consider having a backup configured or purchasing a second device.
    2. Regularly back up the device’s configuration, or keep track of its configuration on an external system.
  7. Check with the device’s vendor for security bulletins or configuration guides.
  8. Consider the types of data your device stores or processes and ensure unauthorized individuals can’t access that data.

Additional Resources:

Raspberry Pi security guidance
Additional Raspberry Pi security advice from Stack Exchange
The Hacking Printers wiki – a technical resource about printer security
CISA’s page about securing IoTs