Security Technical Specification for Smart Devices of IoT

Area: Security
Workgroup: Internet Engineering Task Force
Keywords: IoT, Security, Smart devices

Authors:

- Hikvision, 555 Qianmo Road, Binjiang District, Hangzhou 310051, CN; +86 571 8847 3644; wbin2006@gmail.com
- Hikvision, 555 Qianmo Road, Binjiang District, Hangzhou 310051, CN; +86 571 8847 3644; xing.wang.email@gmail.com
- Hikvision, 555 Qianmo Road, Binjiang District, Hangzhou 310051, CN; +86 571 8847 3644; dzwanli@126.com
- Zhejiang University, 866 Yuhangtang Rd, Hangzhou 310058, CN; wyxu@zju.edu.cn
- IIE, CAS, Beijing 100093, CN; +86 185 1894 5987; chonghuaw@live.com

# Abstract

With the development of IoT, the security of smart devices has become an important issue to discuss. This draft proposes a security framework and detailed requirements in terms of hardware, system, data, network, and management to ensure the security of IoT smart devices. Specifically, hardware security covers the security of hardware interfaces and components. System security covers firmware security, security audit, etc. Data security covers data verification and sensitive data protection. Network security covers stream protection and session security, etc.

# Preface

The new paradigm of IoT is recognized as one of the most important actors in the Information and Communication Technology industry for the coming years [Internet of things: Vision, applications and research challenges]. The introduction of IPv6 [Design and Application Spaces for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs)] and CoAP [The Constrained Application Protocol (CoAP)] as fundamental building blocks for IoT applications allows IoT hosts to be connected to the Internet. [Use Cases for Authentication and Authorization in Constrained Environments] provides an overview of relevant IoT use cases. With the development of IoT in recent years, the smart device industry has gained great momentum, resulting in large-scale production and application of smart devices. However, the absence of unified security standards leads to varying security defense measures, which poses a huge threat to IoT security. To date, smart devices have become favored targets for attackers, which leads to frequent security incidents. [Demystifying IoT Security: An Exhaustive Survey on IoT Vulnerabilities and a First Empirical Look on Internet-Scale IoT Exploitations] and [A Survey on Access Control in the Age of Internet of Things] conducted detailed surveys of the security issues of IoT.

This draft proposes detailed security requirements to ensure that smart devices can operate in a secure condition.

# Scope

This draft proposes basic security requirements that should be met by smart devices in IoT.

This draft specifies the security functions of smart devices in IoT in order to improve the security of the devices, which can prevent devices from being maliciously exploited by attackers and safeguard users' sensitive data.

This draft is also applicable to guiding the design and
implementation of security functions of smart devices in IoT.

# Terms and Definitions

Smart Device
: A device that can perceive and process video data, image data or other types of data, for example video cameras, laser radar, identity gateways, etc. Smart devices can be connected to the IoT platform directly, or through a gateway as its sub-devices.

Smart Video Surveillance Device
: A typical smart device that can collect and process video image signals and communicate with other devices via the Internet.

Sensitive Information
: Information that is confidential and is of actual or potential value. The loss, improper use or unauthorized access of this information may cause harm to society, businesses or individuals.

Vulnerability
: A flaw in the specific implementation of software (hardware or a protocol) or in the security strategy of a system, leaving it open to exploitation in the form of unauthorized access or malicious behavior.

Brute Force Attack
: An attack that systematically checks all possible passwords to find the correct one.

Network Port
: An endpoint of communication in an operating system, which identifies a specific process or a type of network service running on that system, such as service ports in TCP/IP with port numbers ranging from 0 to 65535.

Video Stream
: The data stream of video information in network transmission.

Device Activation
: Setting the administrator's password when the user uses the device for the first time; the password must meet the requirements of the password security policy.

# Abbreviations and Acronyms

The following abbreviations and acronyms are used in this draft:
Abbreviations and Acronyms | Full Name
--------|-----:
JTAG | Joint Test Action Group
IP | Internet Protocol
TLS | The Transport Layer Security Protocol
HTTPS | Hypertext Transfer Protocol Secure
SSH | The Secure Shell Protocol
SFTP | Secure File Transfer Protocol
OTP | One Time Programmable Read Only Memory
TEE | Trusted Execution Environment
Table: Abbreviations and Acronyms

# Overview

The framework of IoT consists of three layers. From bottom to top, they are the perception layer, the network layer and the application layer. Smart devices reside in the perception layer; they sense physical phenomena and translate them into a stream of information data. Furthermore, they interact with the IoT platform through communication modules. The framework of smart devices is shown in the figure below.

[Figure omitted.]

The draft adopts the strategy of layered security and multi-level defense, and proposes a security function framework for smart devices, shown in the figure below.

[Figure omitted.]

Hardware security mainly focuses on the hardware features of the device, including two aspects. The first is whether there is any unused hardware interface on the device, and the second is whether the device can provide better security support through security components.

System security refers to the secure application of the device's software resources, including the bootloader, operating system and applications.

Data security aims to protect the data in the device, including device management data and user business data. Special attention should be paid to sensitive data.

Network security realizes the security of the connection to the IoT's network layer and protects against attacks from the network.

Security management is mainly about how to securely use and manage the smart devices.

# Security Function Requirements

## Hardware Security

Hardware security contains interface security and security components.
Interface security means that the device should not expose any physical interface that carries security risks. Security components means that, when the hardware is designed, hardware with security function support shall be prioritized.

### Interface Security

Before the smart devices leave the factory:

a) The JTAG debugging interface should be disabled.

b) Serial ports should be disabled, or protected by an authentication mechanism.

### Security Components

a) For the smart device, chips that support OTP, Secure Boot and TEE are recommended, and the relevant security functions should be enabled.

b) If possible, it is recommended to add a security chip with a cryptographic service function. The selection of the security chip should follow the corresponding national cryptography management policy.

## System Security

System security includes firmware security, time synchronization, cryptography management, authentication, security audit and access control, etc.

### Firmware Security

a) The firmware should only contain the necessary components and applications.

b) For third-party open source software, a version without known vulnerabilities (or in which they have been patched) should be used.

c) Debug code in the device should be removed before the device leaves the factory.

d) The administrator should be able to check the current firmware version of the device.

e) Firmware upgrading should be available.

f) Firmware upgrade packages should be digitally signed when they are generated.

g) The signature of the upgrade package should be verified when upgrading.

### Time Synchronization

The smart device should have a real-time clock and support a time synchronization calibration function.

### Cryptography Management

a) The smart device should apply publicly standardized algorithms.

b) The smart device should apply industry-standard cryptographic algorithms and regularly assess and update the algorithms and their strength.

c) The smart device should use secure random numbers.

d) The smart device should forbid hard-coded secret keys.

e) The smart device should apply an irreversible (one-way) algorithm in scenarios where recovery of the password plaintext is not required.

### Authentication

a) Users' accounts should be unique.

b) At least two user roles should be defined: administrator and user.

c) When a user account is deleted, the corresponding online user should be logged out.

d) Permissions assigned to administrators and users should be different.

e) Users can manage and control the device only after successful authentication.

f) If a default password is adopted, a random password should be generated before the device leaves the factory, and the user should be prompted to change the default password.

g) If an activation mechanism is adopted, the user should set a secure password that meets the security requirements when initializing the device.

h) A password complexity check should be in place: the password should have at least 8 characters, drawn from at least two of the following types: numbers, lowercase letters, uppercase letters and special characters.

i) The password entered by the user must be masked by default, and copying of the password must be disabled.

j) The password should be encrypted when stored and transmitted.

k) The authentication of remote access users should be performed on the server.

l) The feedback should not include the clear reason for an authentication failure and should prompt the user with "user name or password error".

m) An illegal-login lock should be applied to defend against brute force attacks during user authentication: login attempts from an IP address or account will be rejected for a period of time after it has failed a certain number of times.

### Access Control

a) For the smart device, the access to video streams should be
authenticated and authorized.

b) Only the administrator has the privilege to import (or export) the parameter profile of the device.

c) Only the administrator has the privilege to use the interactive command console.

d) The command console must not provide user management commands.

### Security Audit

a) The smart device should support a security audit function. Operations that need to be audited include the following:

- Enabling or disabling the security audit function;
- User creation, deletion or modification;
- User login and logout;
- Upgrade or update of the firmware;
- Changes of the device configuration.

b) The audit information should include the account, IP address, operation time, operation type and operation result, etc.

c) A handling mechanism, such as loop coverage (overwriting the oldest records) or a warning, should be in place for the scenario where the size of the logs exceeds the preset limit.

d) Only authenticated users have the privilege to view logs.

e) Log information should be presented in a form that is easy for users to understand.

## Data Security

### Data Verification

The IoT smart device should check the validity of input data, and this check should be carried out on the server.

### Sensitive Data Protection

a) For the smart device, internal sensitive information, such as passwords and configuration information, should be stored as ciphertext.

b) For the smart device, sensitive information should be encrypted when transmitted.

c) For the smart device, log records and information printouts should not contain any sensitive information.

d) For the smart device, user interfaces for local, remote, web and other operations should not show sensitive information.

## Network Security

### Access Security

a) The smart device should have a unique network identifier.

b) If the device accesses the network layer via wireless networks, such as Wi-Fi, a wireless network protection mechanism, such as WPA2, should be applied.

### Port Security

a) The smart device should only enable the necessary network ports by
default.

b) All available network ports of the device should be disclosed to users.

### Service and Protocol Security

a) The smart device should apply secure protocols, including but not limited to TLS, HTTPS, SSH, SFTP, etc.

b) The smart device should remove high-risk services, including but not limited to the telnet service, FTP service, etc.

c) When protocols with imperfect security mechanisms are applied, an on/off switch for the service should be provided and the service should be off by default. A security risk alert is required when the user enables a service that uses these insecure protocols.

d) If a Web service is provided, Web security mechanisms should be implemented, including checking the validity of input and output, and taking measures to prevent code vulnerabilities such as authentication vulnerabilities, permission vulnerabilities, session vulnerabilities, injection vulnerabilities, file upload vulnerabilities, etc.

### Session Security

a) The smart device should allow the user to terminate the communication on their own initiative.

b) The session should be ended if there is no operation for a long duration, and the duration can be set by the administrator.

c) The smart device should restrict the addresses of remote connections, for example by IP address filtering.

d) The number of concurrent network connections should be limited.

### Transmission Security

a) The smart device should provide a trusted communication path (such as TLS) for the remote user to protect the communication data from leakage.

b) Remote users should be allowed to initiate communication via a trusted path.

c) A trusted path is required when processing user authentication.

d) A trusted path between the device and another trusted IT product should be provided to protect communication data from modification or leakage.

### Video Stream Protection

The smart device should use cryptographic mechanisms to protect the integrity and confidentiality of video streams during transmission.

## Application Security

### Application Signing

The smart device must employ cryptographic mechanisms to protect the integrity of the applications running on it. Applications that have been tampered with or are of unknown origin should be forbidden to run.

### Third-party Component Security

In the design and development phase, security reviews are required for any third-party components (TPCs) embedded in the applications of smart devices.

## Security Management

a) The smart device should be able to be managed and configured remotely.

b) The smart device should be able to query and export log information.

c) The smart device should be able to upgrade firmware remotely.

d) The smart device should be able to manage the activation/non-activation service remotely.

e) The smart device should follow a lifetime policy that clarifies the security risks of using the device beyond its supported lifetime and declares that the manufacturer will no longer update the firmware of a device past that lifetime.

# Security Considerations

This entire memo deals with security issues.

# IANA Considerations

This document has no IANA actions.

# Informative References

- Internet of things: Vision, applications and research challenges
- Demystifying IoT Security: An Exhaustive Survey on IoT Vulnerabilities and a First Empirical Look on Internet-Scale IoT Exploitations
- A Survey on Access Control in the Age of Internet of Things
- Design and Application Spaces for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs)
- The Constrained Application Protocol (CoAP)
- Use Cases for Authentication and Authorization in Constrained Environments
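As an added illustration of the Authentication requirements above (items h, j, l and m), here is example code that is not part of this draft: a password complexity check, salted one-way password storage, the single generic failure message, and a per-account and per-IP lockout after repeated failures. The class name LoginGuard and the default thresholds (5 failures, 300 seconds) are assumptions; the draft leaves those values to the implementer.

```python
import hashlib
import hmac
import os
import string

# Item h): at least 8 characters from at least two of these four classes.
CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase, string.punctuation)
# Item l): one fixed message, so the reply never reveals which part was wrong.
GENERIC_ERROR = "user name or password error"

def password_policy_ok(pw):
    kinds = sum(1 for cls in CLASSES if any(ch in cls for ch in pw))
    return len(pw) >= 8 and kinds >= 2

def hash_password(pw, salt=None):
    # Item j) and Cryptography Management e): salted one-way PBKDF2, never plaintext.
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class LoginGuard:
    """Item m): lock an account or IP after max_failures for lock_seconds (assumed defaults)."""
    def __init__(self, max_failures=5, lock_seconds=300):
        self.max_failures, self.lock_seconds = max_failures, lock_seconds
        self.users = {}         # account -> (salt, hash)
        self.failures = {}      # account or IP -> consecutive failure count
        self.locked_until = {}  # account or IP -> time the lock expires

    def add_user(self, account, pw):
        if not password_policy_ok(pw):
            raise ValueError("password does not meet complexity policy")
        self.users[account] = hash_password(pw)

    def _note_failure(self, key, now):
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= self.max_failures:
            self.locked_until[key] = now + self.lock_seconds
            self.failures[key] = 0

    def login(self, account, pw, ip, now):
        """Returns "ok", "locked" or GENERIC_ERROR; `now` is in epoch seconds."""
        if now < max(self.locked_until.get(account, 0), self.locked_until.get(ip, 0)):
            return "locked"
        # Hash even for unknown accounts, so they cost the same as a wrong password.
        salt, stored = self.users.get(account, (b"\0" * 16, b""))
        if hmac.compare_digest(stored, hash_password(pw, salt)[1]):
            for key in (account, ip):
                self.failures.pop(key, None)
            return "ok"
        for key in (account, ip):
            self._note_failure(key, now)
        return GENERIC_ERROR
```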
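As an added illustration of the Security Audit requirements (items a to e) together with Sensitive Data Protection item c), here is example code that is not part of this draft: a fixed-size audit log whose records carry the item b) fields, that handles a full log by loop coverage (overwriting the oldest record) while raising a warning flag, that scrubs secret values from record details, and that only authenticated viewers can read. The class, operation names and the SENSITIVE_KEYS list are assumptions.

```python
from collections import deque
from datetime import datetime, timezone

# Operation types the draft lists under Security Audit item a) (assumed identifiers).
AUDITED_OPS = {"audit_enable", "audit_disable", "user_create", "user_delete",
               "user_modify", "login", "logout", "firmware_upgrade", "config_change"}
# Detail keys that must never reach a log (Sensitive Data Protection item c); assumed names.
SENSITIVE_KEYS = {"password", "old_password", "new_password", "key", "token"}

class AuditLog:
    """Fixed-size log: once full, each new record overwrites the oldest one
    ("loop coverage", item c) and a warning flag is raised for the administrator."""
    def __init__(self, max_records=1000):
        self.records = deque(maxlen=max_records)
        self.overwritten = 0  # how many records loop coverage has discarded

    def record(self, op, account, ip, result, details=None, when=None):
        if op not in AUDITED_OPS:
            raise ValueError("unknown audit operation: " + op)
        # Scrub any sensitive value before it is written.
        safe = {k: "<redacted>" if k.lower() in SENSITIVE_KEYS else v
                for k, v in (details or {}).items()}
        if len(self.records) == self.records.maxlen:
            self.overwritten += 1
        entry = {  # item b) fields
            "time": when or datetime.now(timezone.utc).isoformat(),
            "account": account, "ip": ip, "type": op, "result": result,
            "details": safe,
        }
        self.records.append(entry)
        return entry

    def warning(self):
        return self.overwritten > 0

    def view(self, viewer_authenticated):
        """Item d): only authenticated users may read the log."""
        if not viewer_authenticated:
            raise PermissionError("authentication required to view the audit log")
        return list(self.records)

def format_entry(e):
    """Item e): one human-readable line per record."""
    return "{time} {type} account={account} ip={ip} result={result}".format(**e)
```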