Next up: Service Security!  Servers have been hacked since the first ones were put online, so there’s a lot of information out there on best security practices. Many of the recommendations we made for devices still stand - require TLS, 2FA, and strong passwords, scrub data to prevent buffer overflows or cross site scripting attacks. Here’s a few more that relate specifically to IoT services

Misconfigured or glitching devices can turn them into unintentional mini-DoS attacks. If you get a device that is repeatedly sending your service bad data, make sure you have a way of throttling connectivity so other customers don’t get locked out. Contact or alert the customer to let them know about the misbehaving device.

Provide a device-health dashboard. Things like power and bandwidth usage, when reported back to the service, can help you spot if devices have turned into a bitcoin miners. Of course, these reports can be manipulated if the device is completely taken over, so you shouldn’t only rely on them.

Help protect customers from compromised accounts.  Developers will accidentally commit their authentication key - it happens all the time. That’s why we had that earlier guideline to allow easy key revocation. A favor you can do to your users is to watch GitHub, Pastebin or other code-sharing services for credentials. Don’t actually search for key values, of course, look for your service name and words like “password” “API” or “key”.

Protect yourself from compromise - Look out for world-readable or misconfigured cloud storage buckets, git repositories, web directories. 

And of course, for both your IoT device and service… if it has a web interface, it should be protected against standard website hacking techniques like remote code execution, path traversal, cross-site request forgery, and SQL injection. There are scanning services you can run against the website as well as on the code itself to find the egregious errors.

Use monitoring services on your own service, so meta! Hosting a service makes you an open target, and especially if you have a firmware deployment service Someone taking control of your site could not only take down the site, they could take control of all the devices too! Check your daily storage, bandwidth and compute resource usage graphs, to see if anything is amiss.

This guide was first published on Dec 04, 2019. It was last updated on Dec 04, 2019.

This page (Service Security) was last updated on Jan 20, 2020.

Text editor powered by tinymce.