Make IoT devices secure by design

November 16, 2015

Posted by: George Malim

Amit Sethi, Cigital

The explosion in internet-connected devices has opened up a world of possibilities in ways that we might never have anticipated. But have these new capabilities and leaps forward in connectivity come at the expense of security, asks Amit Sethi, the principal consultant at Cigital.

With sensors communicating from the most seemingly benign of devices – watches, thermostats, kettles and even garden equipment – what are the key challenges for organisations in making IoT devices that are safer by design, protect users, keep data safe and avoid fraudulent activity?

Since the first devices were given ‘smart’ capabilities, the limits of their security have been tested to highlight potential weak points. As cases in point, last year hackers took just fifteen seconds to re-root a Nest thermostat with infected firmware and, more recently, researchers have shown they are able to control an automobile remotely by exploiting vulnerabilities.

Designing for the IoT comes with a specific set of challenges and using traditional security controls is not always possible. However, security incidents such as these will become commonplace unless the software is designed and implemented securely.

Unique challenges

To understand how to overcome these challenges, we need to consider some of the design constraints which are inherent to IoT devices. For example, in comparison to general-purpose computers, IoT devices typically have limited memory, storage and processing power. The manufacturer’s goal is to provide the required functionality at the lowest cost possible. The use of lowest-cost components may mean that the addition of security features will cause the system performance to degrade. As a result, traditional security controls are left out because they would use up valuable resources.

IoT devices tend to be deployed in a range of environments and users don’t always have the backup of enterprise-level IT support to manage security. Users of devices in home environments may not perform system upgrades or create secure configurations, which can leave devices exposed to risk. Many devices are also deployed in locations that lack physical security.

What organisations can do

Overcoming these challenges is possible, but requires that organisations build security in from the earliest stages of development. Security needs to be a primary concern along with cost, reliability and usability. This requires executive support from the leadership team to ensure that security is not neglected in favour of other factors such as cost and time to market.

Assuming that executive support is in place, two key areas to focus on during development are removing unnecessary functionality and ensuring that a secure update mechanism is in place. Organisations can limit the attack surface of the system by removing all functionality – such as testing or debugging – that is not required on the device. A secure update mechanism that uses proper cryptographic controls is also important so that organisations can respond to vulnerabilities discovered after a system is released. Ensuring that all the right technical and process controls are in place requires a well-defined secure software development lifecycle.

The Internet of Things holds great promise for making our lives easier. However, as we become increasingly reliant on IoT devices both at work and at home, manufacturers must ensure the safe and secure operation of deployed systems, to prevent them from being the ‘weak link’ through which systems can be exploited.