Securing Internet of Things (IoT) Devices on Campus

Devices considered to be part of the Internet of Things (IoT) include printers/copiers, cameras, thermostats, refrigerators, alarm systems, medical devices, streaming systems, smart speakers, smart TVs, workout equipment, and more.

IoT devices can collect a lot of data about the University, sometimes without the device manufacturers informing you what is being collected or retained. This can leave University data vulnerable to exposure in the event of data breaches affecting the manufacturers and others they may share your data with. It can give attackers access to personal information, enable attacks against other devices on the network, enable attackers to store, access, or transmit University data they are not authorized to access, and more.

Securing your IoT devices is an important step in protecting data, resources and privacy. IoT devices require additional steps prior to connecting to the network as well as continuous monitoring while connected. Below are additional technical controls for IoT devices owned by the University and operating on a University campus or affiliate site.

Coordinate Changes for University Compliance

If you are adding or changing IoT devices on a University campus, be sure to coordinate and maintain University compliance:

  • For use with payment card information (e.g., credit cards), contact University Accounts Receivable Service ([email protected])
  • For use in a Health Care Component or with health information, contact HST ([email protected])
  • For questions regarding compliance in any other areas, contact University Information Security ([email protected])

Configure and Verify Security Settings

Manufacturers may not enable the security settings by default, or they may reset to default insecure settings during a service call. Some users may also be unaware that devices come with pre-configured default usernames and passwords.

To protect the data and the device, configure the security settings. Check for instructions on how to enable security settings on the device. At minimum, most IoT devices will have default credentials, e.g., an administrator password, that should be changed. If possible, also change the default username (often set to “admin”).

Note that many devices require a restart for the settings to take effect. On an ongoing basis, periodically check the security settings, especially after a vendor service call.

Maintain Unique and Strong Passwords

  • Use strong, unique passwords in place of default passwords or known settings for the device (e.g., for vendor service accounts or “wake” words that activate the device).
  • Change the SNMP community string to a non-default, hard-to-guess value.
  • Use strong passwords for authentication. Do not use the “public” community string. Use strong passwords for web interfaces.
  • Use two- or multi-factor authentication for service accounts, e.g., Google or Amazon accounts linked to the device.
  • Check passwords after a vendor service call to ensure that the passwords are not reset to default passwords.

Keep Your Device Up to Date

  • Check the vendor's support site and/or subscribe to the vendor's announcement mailings.
  • Verify that the device is running the current firmware version.
  • Install firmware updates.

Protect the Data

Review Privacy and Security Settings

Review the privacy policy for the device. Choose security and privacy settings that protect the device and any information that could be collected by, stored on, or transmitted by the device.

Review Stored Data

On a regular basis, erase or delete any stored data that exceeds the data retention requirements for the type of data stored on the device. Be sure to understand what regulations or policies may be in place that protect the data the IoT device is consuming, storing, or transmitting.

Encrypt Internal Storage

If your IoT device has built-in storage, review the manual or consult with your vendor for options to encrypt any data stored on the device.

Manage Vendor Service Calls

  • When working with a vendor who supports IoT devices, request a configuration report of any changes made to the device during the service call. If this cannot be provided by the vendor, check security settings before and after the service call to check for unexpected changes.
  • Check passwords after a vendor service call to ensure that the passwords are not reset to default passwords.
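
One way to run the before-and-after check described above, as an added example that is not University tooling: it compares two settings snapshots, flags anything that reverted to a default, and separates changes the vendor reported from those it did not. The setting names, default values and snapshots are constructed for illustration.

```python
# Added example: settings drift across a vendor service call.
# Setting names and default values are constructed; substitute the defaults
# documented for your own device models.
DEFAULTS = {
    "admin_username": {"admin"},
    "snmp_community": {"public"},
    "default_password_accepted": {True},  # result of a manual login test
}

def diff_settings(before, after):
    """Return {key: (old, new)} for settings that changed, appeared or vanished."""
    keys = sorted(set(before) | set(after))
    return {k: (before.get(k), after.get(k))
            for k in keys if before.get(k) != after.get(k)}

def audit_service_call(before, after, reported=()):
    """Classify each changed setting. `reported` lists the keys the vendor's
    configuration report names (empty when no report was provided)."""
    changed = diff_settings(before, after)
    findings = []
    for key, (old, new) in changed.items():
        if new in DEFAULTS.get(key, ()):
            kind = "reset_to_default"
        elif key not in reported:
            kind = "unreported_change"
        else:
            kind = "reported_change"
        findings.append((kind, key, old, new))
    # A report naming a setting that did not change also deserves a look.
    for key in sorted(set(reported) - set(changed)):
        findings.append(("reported_but_unchanged", key, before.get(key), after.get(key)))
    return findings

# Constructed snapshots of one printer, taken before and after a service call.
BEFORE = {"admin_username": "campus-prt-adm", "default_password_accepted": False,
          "snmp_community": "k7-Hq2-constructed", "firmware": "4.1.0",
          "remote_mgmt": "https"}
AFTER = {"admin_username": "admin", "default_password_accepted": True,
         "snmp_community": "k7-Hq2-constructed", "firmware": "4.2.0",
         "remote_mgmt": "http"}

if __name__ == "__main__":
    for finding in audit_service_call(BEFORE, AFTER, reported=["firmware"]):
        print(finding)
```
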

Restrict Access to the Device

Disable unnecessary features

  • Mute microphones and cameras when the device is not in use.
  • Disable purchases using voice commands or set a strong password to prevent inadvertent or unauthorized purchases.

By network restrictions

  • Use a Network Firewall
    • Write firewall rules to limit access to only the University subnet(s) and network and service protocols that are needed to use/manage the device.
    • This is preferred because in many cases vendors do not expend much effort in hardening devices; they assume the network will provide the needed defenses.
  • Assign the device a private IP address (i.e., RFC 1918).
  • Use Built-in Access Control Lists (ACLs) on the device.
    • Explicitly list the IP addresses that can log into the management interface on the device.
    • Consult the vendor's documentation for details on how to deny access by default and enumerate allowed access.
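
The network restrictions listed above can be checked against a device inventory record. This is an added example, not University tooling; the record layout, the approved management subnet and the sample devices are constructed for illustration.

```python
import ipaddress

# The three RFC 1918 blocks. ip_address.is_private is broader (it also accepts
# loopback, link-local and documentation ranges), so test membership explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def audit_network_restrictions(device, approved_sources):
    """Return findings for one device record (hypothetical schema):
    address, acl_default ('deny' or 'allow'), acl_allow (list of CIDR strings)."""
    approved = [ipaddress.ip_network(n) for n in approved_sources]
    findings = []
    if not is_rfc1918(device["address"]):
        findings.append(("not_rfc1918_address", device["address"]))
    # Anything other than an explicit default deny is a finding.
    if device.get("acl_default") != "deny":
        findings.append(("acl_not_default_deny", device.get("acl_default")))
    # Every allowed source must sit inside an approved management subnet.
    for entry in device.get("acl_allow", []):
        net = ipaddress.ip_network(entry, strict=False)
        inside = any(net.version == a.version and net.subnet_of(a)
                     for a in approved)
        if not inside:
            findings.append(("acl_source_not_approved", entry))
    return findings

# Constructed values: stand-in for the University management subnet(s).
APPROVED_MGMT = ["10.20.0.0/16"]
CAMERA_OK = {"address": "10.44.7.20", "acl_default": "deny",
             "acl_allow": ["10.20.5.0/24", "10.20.9.14/32"]}
CAMERA_BAD = {"address": "198.51.100.23", "acl_default": "allow",
              "acl_allow": ["0.0.0.0/0", "10.20.5.0/24"]}

if __name__ == "__main__":
    for name, dev in (("ok", CAMERA_OK), ("bad", CAMERA_BAD)):
        print(name, audit_network_restrictions(dev, APPROVED_MGMT))
```
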

By network and service protocols

Consult vendor documentation to understand what network protocols the IoT device requires. Some of the following protocols are used for compatibility with legacy systems. Consult vendor documentation on how to identify and ideally disable network protocols that are not needed on the device. Note that some administrative interfaces for IoT devices will not allow you to manage access to this level of detail, so you may need to restrict protocols using network firewall rules instead.

If not needed, disable:

  • AppleTalk
  • Bonjour
  • IPX/SPX
  • Wireless broadcast
  • IPv6, unless you have controls implemented in-network to protect the device

This list is not exhaustive; disable any protocols not needed for normal operations of the device.

Use HTTPS for remote management instead of HTTP. If SNMP is to be used, use SNMP v3; prior versions do not support encryption. Restrict access to the IP addresses that use any necessary service protocols and set a strong password for the administrative interface; otherwise, disable unnecessary protocols.

If not needed, disable:

This list is not exhaustive; disable any services or ports not needed for normal operations of the device and prefer secure over insecure protocols (e.g. encryption).

In the absence of a specific, documented business need, also disable SSH and RDP. If a need for these exists, narrow the scope of access to these services to known, authorized sources where possible.

By Accounts

  • Avoid connecting accounts with sensitive information.
  • Disconnect accounts when no longer needed.
  • Enable vendor service accounts only when needed.

Enable Logging and Review Logs

If your IoT device is on campus, enable detailed logging for auditing and security purposes in compliance with University policy and federal regulations.

Review logs for unauthorized access. This is required on devices with HIPAA, FERPA, or payment card (credit card) data.

Properly Dispose of Devices