The following text appeared as an Intersect project blog.
A group of students taking the Cybersecurity Minor at Fontys University of Applied Sciences performed security analyses on certain types of IoT devices during the second half of 2020. The result of their work was a set of best practices to secure these devices. This work was done as an activity in the Intersect project.
The security of three different types of IoT devices was examined. The first was a wireless air quality sensor system. The sensor system measures air quality values like CO2 and NH3 to determine how effectively an air scrubber cleans the air in stables. The sensor data could be vulnerable to unwanted changes. The second system was a smart screen. These screens are used in schools and conference rooms to present ideas and results. These systems could be vulnerable to data attacks. Attackers could potentially take control of the screen and gain network access, or subvert the screen for malicious use, such as in a botnet. Smart watches were the third type of IoT system examined. These watches are carried by people to remain in instant contact, to call their friends or to measure sporting performance. These watches could be hacked and used to spy effectively on individuals and their activities.
The student group performed security analyses (pentests) on these three types of IoT devices. They started by reviewing available standards for IoT security, like OWASP and ENISA, and adapting them to apply the same idea to IoT. The result of their analyses is a set of 10 best practices that should be taken into account when securing any IoT system. The best practices together with the standards.