IoT is the Internet of Things. It includes all of the devices that connect through the Internet and the internet-compatible networks used in our businesses and homes. In the hotel industry, this includes things like smart thermostats, TV set-top boxes, printers, voice response devices, PBX systems, emergency lighting, security cameras and door locks. Because IoT devices connect through your networks and also potentially connect to the wider Internet these devices represent a potential risk to your organization. Shortly HTNG (Hospitality Technology Next Generation) will be publishing a document on IoT Security for the hospitality industry. As the chairperson for this workgroup I thought I might offer a preview of what will be coming and share several important IoT best practices
Manage Device Passwords
OWASP, the Open Web Application Security Project, is an organization best known for publishing the list of Top 10 Web Security Risks. They have identified weak, vulnerable and hard coded passwords as the No. 1 risk for IoT devices. The best practice is to change device passwords when they are first installed. Device passwords should be secure, meaning passwords should be 14 characters or longer and include a mix of upper and lower case alphabetic characters, digits and special characters. Randomly generated passwords are best. Passwords should be unique for each device and should not be shared between users. A password manager or proxy can be used to reduce the burden of managing passwords on IoT devices with limited capabilities.
Disable Unnecessary Services
Many IoT devices come with services enabled that are not needed for the normal functions of the device. Insecure services like Telnet, FTP (File Transfer Protocol), and old SNMP (Simple Network Management Protocol) are often enabled by default making the device vulnerable to attack. It is best to disable any services that are not needed for the normal use of the device in your network. Devices can be scanned with a network port scanner to determine the services that are running and identify those that need to be disabled. Update Firmware IoT devices often use a persistent form of storage for their programs. Programs stored this way are called firmware. Firmware is the built-in software for the device. IoT devices periodically need to have the firmware updated to address security flaws and provide new capabilities.
When deciding the devices to deploy in your environment you will want to make certain; the devices can be updated in place, the manufacturer regularly publishes updates as needed to address security concerns, and that secure mechanisms are in place to apply the updates. Secure mechanisms may include code signatures, and encrypted files. Of course, a device that can be updated isn’t valuable if the updates are never applied. It is also important to monitor for updates and update the devices as security updates become available. Remember that if a device can’t be updated it often requires that the device be replaced in order to eliminate the risk of having an insecure device deployed in your infrastructure. Use Secure Communications IoT devices are designed to use the protocols of the Internet.
Most Internet protocols when they were first developed, were insecure. As the Internet grew, security became more of a concern and protocols were enhanced with secure versions. Some of these secure protocols eventually proved to be less secure and have since been replaced or updated. For example, the HTTP protocol used by web browsers and by many IoT devices is not secure but was updated to use Secure Socket Layer (SSL) and the HTTPS protocol. SSL later proved to be insecure and has been replaced by Transport Layer Security or TLS. HTTPS uses TLS to encrypt the messages exchanged between the HTTPS server and its clients. Most securely configured HTTP web servers today are using TLS to provide HTTPS and have HTTP disabled. IoT devices often have built-in HTTP servers and are configured by default to use the insecure HTTP protocol. It is a best practice to re-configure these internal device servers to use the secure TLS HTTPS protocol instead, redirecting any HTTP requests to the HTTPS version. This often requires generating, installing and maintaining security certificates onto the devices. The secure communication capability is critical to prevent hackers listening on the network from being able to capture password, unlock codes and other sensitive information that are destined for the IoT devices.
Isolate IoT from Networks
IoT devices may be small but often have powerful computing capabilities. An IoT device can be used as a starting point to attack the computers, servers and network devices in your hotel, including the property management (PMS), point of sale (POS) systems and potentially guest devices. IoT systems often need to maintain contact with external Internet systems, opening your systems to Internet-based attacks as well. For this reason I suggest that IoT systems should be isolated from both internal and external networks using virtual LANs (VLAN), gateways and firewalls. Gateways, firewalls and VLANs create boundaries between IoT devices and the rest of the world. These boundaries should restrict communications to only those devices that need to communicate with each other. The isolation creates a “no man’s land” or island protecting the IoT devices and the devices they might otherwise threaten. Only those systems that need to communicate with the IoT device should be able to cross the boundary. Guest Privacy Personally, I hate getting into a car rental and finding the personal information for half-a-dozen previous renters from their telephones.
Many hotels offer guest facing IoT devices including thermostats, room lights, voice assistants, in-room media devices, printers and computers in the business centers, and connections to phones, tablets, and other personal computing devices. Each of these connections typically collect information about the user, your guests. The users are often unaware of this and frequently the hotels are also not aware of the information being left behind. Customer privacy has become a hot topic with new laws appearing all of the time. Our recommendation is that before deploying systems that interact with guest owned equipment perform an assessment of the data that is collected and notify the guest of the data that is collected and how it will be used. Also look for how the information can be removed when the guest checks out or has completed the interaction with the system.
Wrap Up
These are just a few of the recommendations for IoT best practices, but ones that will significantly reduce the risk of deploying IoT in your hotel. IoT solutions can help improve your ability to better manage your facilities and improve guest satisfaction. These best practices provide a good start to being able to benefit from IoT while minimizing the risk of IoT.
