Taking responsibility: Six ways developers and manufacturers can build a more secure IoT
Poor IoT device security is a growing concern throughout the business world. Thomas Fischer, threat researcher and global security advocate at Digital Guardian, outlines six ways IoT product developers and manufacturers can prevent their devices from being turned into a botnet army.
Despite still being in its relative infancy, the Internet of Things (IoT) has already developed a reputation for poor security. Sadly, it is justified. With IoT spending sky high and demand only increasing, developers and manufacturers are rushing to put new products out into the marketplace. Unfortunately, this rush means robust security measures frequently become an afterthought, which inevitably results in users being put at risk.
Gartner estimates that over 20 billion IoT devices will be in the marketplace by 2020, so if even a fraction of these devices are unsecured it adds up to a big problem. Never has this been more apparent than in the wake of the DDoS assault on Dyn last year, which turned millions of malware-infected IoT devices into a botnet army, crippling the DNS provider and halting traffic to hundreds of popular websites including Facebook, Twitter and Amazon.
But despite such high-profile attacks making global headlines, the vast majority of consumers remain dangerously unaware of the security risks their exciting new IoT devices pose.
As connected devices increasingly permeate all aspects of our lives, the burden of properly securing them must fall squarely on product manufacturers and software developers. After all, it makes sense that those developing and profiting from IoT technology ensure the products they sell pose no risks to end user security or privacy.
With this in mind, below are six key areas that security efforts should focus on, in order to permanently improve the security of IoT devices and reduce the risk placed on consumers.
- Device identity and authentication – Proper and secure authentication with individual device identification allows a secure connection to be built between the devices themselves and the backend control systems. If every device has its own unique identity, organisations will be able to confirm that the device communicating is indeed the one it claims to be. This requires individual device identification based on solutions like PKI.
- Encryption – When utilising IoT solutions, organisations must encrypt traffic flowing between devices and backend servers. Ensuring that the commands are encrypted and looking at command integrity via signing or a strong encoding is vital. IoT devices should also encrypt any sensitive user data they collect.
- Physical security – Physical security is paramount. Integrating tamper-proofing measures into device components should be at the forefront of all developers' minds, as it ensures the components cannot be decoded. Additionally, ensuring that device data related to authentication, identification codes and account information is erased if a device becomes compromised will prevent private data from being used maliciously.
- Streamlining update processes – Unfortunately, in their rush to get products to market, manufacturers sometimes build devices with no firmware update capability at all. Ensuring a consistent process that allows for flexible firmware deployment will allow developers to create new models while distributing security fixes universally across all existing product lines.
- Coding securely – IoT developers must implement secure coding practices and apply them to the device as part of the software build process. Focusing on QA and vulnerability identification/remediation as part of the development lifecycle will streamline security efforts while helping to mitigate risk.
- Build without backdoors – Today it is easy to build devices with a backdoor inside, for surveillance or law enforcement purposes. However, this practice compromises the integrity and security of the end user. Manufacturers must ensure that no malicious code or backdoor is introduced and the device’s UDID is not copied, monitored or captured. Doing so will guarantee that when the device registers online, the process is not captured or vulnerable to interception, surveillance or unlawful monitoring.
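The first two points above, shown as an added example that is not from the article's author: a backend signs each command for one specific device, and the device rejects anything misaddressed, altered or replayed. The device IDs, key registry, counter field and function names are hypothetical, and per-device HMAC-SHA256 keys stand in for the PKI signatures the article recommends so that the code runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed registry: one random secret per device, provisioned at manufacture.
# Assumption: HMAC-SHA256 replaces the PKI signature the article recommends,
# which keeps the example free of third-party dependencies.
REGISTRY = {
    "cam-0001": secrets.token_bytes(32),
    "cam-0002": secrets.token_bytes(32),
}


def _mac(key: bytes, device_id: str, counter: int, command: dict) -> str:
    # Canonical serialisation so both sides authenticate identical bytes.
    payload = json.dumps(
        {"device_id": device_id, "counter": counter, "command": command},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign_command(device_id: str, counter: int, command: dict) -> dict:
    """Backend side: bind a command to one device and one counter value."""
    tag = _mac(REGISTRY[device_id], device_id, counter, command)
    return {"device_id": device_id, "counter": counter,
            "command": command, "tag": tag}


def verify_command(my_id: str, my_key: bytes, last_counter: int, msg: dict) -> str:
    """Device side: return 'ok' or the reason the command is rejected."""
    if msg.get("device_id") != my_id:
        return "wrong-device"
    try:
        expected = _mac(my_key, my_id, msg["counter"], msg["command"])
    except (KeyError, TypeError):
        return "malformed"
    if not hmac.compare_digest(expected.encode(), str(msg.get("tag", "")).encode()):
        return "bad-signature"
    if not isinstance(msg["counter"], int) or msg["counter"] <= last_counter:
        return "replayed"
    return "ok"
```

Because the device ID is part of the authenticated payload, a command captured for one device fails verification on every other device, even if its `device_id` field is rewritten in transit.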
The full potential of the IoT is still far from being realised, but as more IoT-related data leaks and cyber attacks make the headlines, manufacturers are coming under increasing pressure to improve the security of their products. If followed correctly, these six steps will not only allow providers of connected technology to remain competitive, but help to build an IoT which is more robust, better protected and safer for everyone.
The author of this blog is Thomas Fischer, threat researcher and global security advocate at Digital Guardian.