Set the root password

This is a no-brainer. Set the root password to be a strong password that is unique to each board. Some tips² for a secure password are:

• Make the password length reasonably long (8-12 characters)
• Use a mix of uppercase and lowercase letters, numbers and symbols
• Don't use personal/company information or common words
• Try not to use information that could 'leak' from the device (such as MAC or IP addresses) as the whole password

and

• Keep your passwords secure
• Have a password backup strategy in place

See How to change the root password for instructions on how to do this.

Consider using ssh keys and keystore instead of passwords

If you have more than a few mangOH boards in your fleet, consider using a ssh key stored in a keystore that has a strong passphrase.

Disable login on serial console

By default, the serial console is enabled on the mangOH board. This means that anyone who has physical access to the device can use a laptop and a serial cable to connect to your mangOH board. By disabling the console login on the serial port, you reduce the attack surface for those who have physical access to the board.

Manage data radio connection

When designing the applications to run on the mangOH/WP8548, take some time to think about how often the application needs to have the data radio turned on.

The less the data radio is turned on, the less time there is for an outside 'bot' to attempt to connect to your device. Of course, as you're building an IoT device, you may need always-on connectivity so limiting the data radio connection may not be appropriate.

And don't think that just because your Telco provides your SIM with a 'non-routable' IP address hidden behind a NAT³ gateway means that your device is hidden from other devices or the internet. Just consider how many other devices are on the same subnet behind the same NAT gateway ... and any one of them could have been compromised and be searching for more targets.

Consider what listening servers are required

Another design-time consideration is to limit the number or type of listening servers that are required on your mangOH.

Do you really need a telnetd server listening on TCP port 23? Could you use ssh or some other protocol to remote log-in? Do you really need a remote log-in facility at all? If you require a file transfer service, look at using scp or sftp rather than the traditional (and insecure) ftpd.

Look at using iptables (the Linux firewall)

And possibly the ultimate protection for an IoT device is to configure a firewall on the mangOH/WP8548. By design, the Linux distribution that the mangOH uses has iptables (the Linux firewall) built in by default. iptables is a very flexible firewall tool that allows fine-grained control of both inbound and outbound connections.

By default, iptables is running, but is configured to 'allow all' connections:

~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
~#

While iptables configuration can be complex, there is a wealth of material available on the internet about how to do it. And as iptables is the standard Linux firewall tool you can also experiment on a desktop Linux installation and then copy the firewall rules to your mangOH board.