Baseline IoT security checklist. Consider security as early in development as possible and reap the rewards.
There is a blog post explaining the origins of this along with some fundamentals available here:
This contains high-level advice and is a good source of information to kick off your discussions of risk.
The "checklist" is designed to aid you in enumerating the attack surface of your device, then giving you the six root causes as a discussion piece. If you have previously not engaged with security before this is a starting point. The two blank spreadsheets have been provided to track your progress. To follow the process first clone down this repository, and then interact with the two spreadsheets as summarised below:
- Blank-Device_Decomposition_Matrix.xlsx - Logically break your device down to list individual components which may carry either a technical or a privacy/legal risk. The first step to securing your device is to find the items which may be attacked. Armed with this list you must then either research or discuss with a security expert HOW each item may be attacked. Try to determine the potential impact of a compromise. Then seek advice to see how likely a compromise would be. Add in additional columns as required to capture your discussions.
- Blank-IoT_CheckList.xlsx - This contains two sheets. The first is the six security fundamentals. If you have not engages these points before then you should do so as soon as possible. The second sheet has special considerations for a number of inter device networking/communications systems including: Wi-Fi, Bluetooth, GSM, Infrared, LoRaWAN. There are entire books and courses devoted to securing each of those so networking choices are a big topic.
Read the blog post first before starting.There is a video where the IoT Checklist is discussed here:
Which is based on the presentation slides that are available here:
You actively edit and maintain your decomposition matrix as it eventually serves as your Risk Matrix. You do not have to edit the CheckList these are just the discussion points to hit.
Filling in the decomposition matrix is difficult at first so to bridge the gap we have provided a document explaining the process for a fictional Internet enabled radio:
- https://github.com/SecarmaLabs/IoTChecklist/blob/master/examples/Example-Device_Decomposition_Matrix.xlsx
- https://github.com/SecarmaLabs/IoTChecklist/blob/master/examples/Example_Process.pdf
This comes with an associated PDF document which talks you through the steps. I will be honest. This is NOT the most riveting of activities. How about you get a friend and read it while taking it in turns to do cartwheels? The PDF explains the transformations used to create a finalised device decomposition.
Finally you can engage with us if you have feedback or would like to see alteration:
- https://twitter.com/SecarmaLabs (our official account)
- https://twitter.com/cornerpirate (the original author)