IoT Setup Procedures

Internet of Things devices are often sold with default credentials hardcoded into them. This is a problem, because those default credentials are used by attackers to exploit those devices for various purposes. Notably, this practice enabled the so-called 'Mirai' botnet.

Here's a better way to handle IoT setup that does not put the world at risk from default credentialed devices:

( Some assumptions being made here: your IoT device is running some kind of linux or linux-like operating platform, communicates over standard TCP/IP, and is able to maintain persistent storage when not in use )

First, configure a script to run on device startup - this generally lives in

/etc/init.d

This script should have a test similar to this:

if [ -e /etc/config ] then exit; else /etc/setup.sh; fi

This tests to see if a file ( /etc/config ) exists. If it does, then the script exits - it goes on to boot as normal - otherwise, it runs the "/etc/setup.sh" script.

Next, your setup.sh or equivalent should generate a random credential and make it available ONLY locally. If your device has a display, put it there; otherwise, you can set up a captive portal ( e.g. by making a very small webserver available via connecting directly to the device on wifi ) or similarly serve a dedicated setup page to a local network.

Regardless of the methodology, this should be a setup that is -only- available if you have the device physically close to you - not anything that you can reach over the internet.

When device setup is completed, write the setup to the /etc/config file ( or, frankly, just make sure that that file exists - the test mentioned above only looks to see that it's there ) and reboot.

The device will then boot into normal functioning mode (because the config file exists) and all's well.

The reason to do this rather than hardcode credentials of any sort is so that if someone attacks the device, or the device malfunctions, and a 'factory reset' occurs, there will never be default credentials available to manipulate the device - someone physically close to the device will have to deliberately set it up before it's available on the internet again.

This enhances the user's control over the device, and as a bonus, this trims down support costs - the only possible thing to do if there is a malfunction or a user loses their credentials is to set it up from scratch.

If you have any questions on how to do this, catch me on twitter - @munin is the handle.