More haste, less speed – minimise the risks of IoT security
Thomas Fischer, Digital Guardian
From smart thermostats to fitness trackers the race is on for companies to put out the next big connected product. However, during this foundation stage it’s essential that the companies developing or selling IoT technologies don’t take shortcuts when it comes to security protocol and ensure that the products they are selling do not pose any risk to the user’s security, writes Thomas Fischer, the principal threat researcher at Digital Guardian.
You don’t have to look far for examples of how this could potentially occur. Take a well-established IoT technology such as smart home meters or thermostats for instance. These offer a convenient way for people to remotely manage energy consumption in their homes via the internet. However, if criminals are able to access the network these devices communicate through, they can quickly establish usage patterns to ascertain when the house is/isn’t occupied and plan a break-in accordingly.
The time and cost pressures on competing organisations to get their latest IoT products to market first can be a major contributor towards security flaws. Overly stringent cost control leads to simplified hardware that hinders basic principle of integrity and failover in the devices. In addition, the drive towards user friendliness means many IoT devices are often either memory constrained or input constrained, allowing for simple functionality, but leaving little room for robust security.
Time and again rushed release dates, overzealous cost-control and a blinkered approach to user convenience produces IoT devices not fit for purpose at launch. Companies that attempt to add protection retrospectively will have a task of enormous magnitude ahead of them, and there’s a much higher chance mistakes will be made and vulnerabilities missed.
Six steps to reducing IoT security risk
So what can organisations do to reduce IoT security risks in their products and services? Below are six areas for consideration:
- Physical security – The first aspect to consider is the physical security of the devices. Integrating tamper-proofing measures into the components so that they can’t be decoded is essential. Additionally, ensuring that device data such as authentication data, identification codes and account information are erased if a device becomes compromised will prevent private data from being used maliciously.
- Build integrity – Building integrity into the construction and distribution process will make sure no malicious code or backdoor is introduced and the device ID is not copied or captured. This will help ensure that when the device registers OTA (over-the-air or wire), the process is not captured or vulnerable to Man in the Middle attacks, causing fake information to be introduced or access to become circumvented.
- Secure coding – IoT developers must implement secure coding practices and apply them to the device as part of the software build process. Focusing on risk and vulnerability identification and implementing code reviews will palliate those risks.
- Authentication and device identity – Implementing proper and secure authentication with individual device identification will allow a secure connection to be built between the devices themselves and the backend control system and management consoles. If every device has its own unique identity, organisations will know the device communicating is indeed the device it claims to be.
- Encryption – When utilising IoT solutions, organisations must encrypt traffic flowing between devices and back end servers. Ensuring that the commands are encrypted and looking at command integrity via signing or a strong encoding is vital.
- Future proofing – Build the ability to easily upgrade the device so that bug and security fixes can be deployed in an easy and manageable method.
In their haste to be first to market, many organisations are overlooking some very basic IoT security principles that are putting users at risk. The advice here is plain and simple by spending just a little more time and incorporating robust security protocols into their products, as opposed to retrofitting them after the event, organisations will protect themselves and their users from the very real and growing threat of cyber criminals out there, just waiting to pounce.