Taking responsibility: Six ways developers and manufacturers can build a more secure IoT

Thomas Fischer of Digital Guardian

Poor IoT device security is a growing concern throughout the business world. Thomas Fischer, threat researcher and global security advocate at Digital Guardian, outlines six ways IoT product developers and manufacturers can prevent their devices from being turned into a botnet army.

Despite still being in its relative infancy, the Internet of Things (IoT) has already developed a reputation for poor security. Sadly, it is justified. With IoT spending sky high and demand only increasing, developers and manufacturers are rushing to put new products out into the marketplace. Unfortunately, this rush means robust security measures frequently become an afterthought, which inevitably results in users being put at risk.

Gartner estimates that over 20 billion IoT devices will be in the marketplace by 2020, so if even a fraction of these devices are unsecured it adds up to a big problem. Never has this been more apparent than in the wake of the DDoS assault on Dyn last year, which turned millions of malware-infected IoT devices into a botnet army, crippling the DNS provider and halting traffic to hundreds of popular websites including Facebook, Twitter and Amazon.

But despite such high-profile attacks making global headlines, the vast majority of consumers remain dangerously unaware of the security risks their exciting new IoT devices pose.

As connected devices increasingly permeate all aspects of our lives, the burden of properly securing them must fall squarely on product manufacturers and software developers. After all, it makes sense that those developing and profiting from IoT technology ensure the products they sell pose no risks to end user security or privacy.


With this in mind, below are six key areas that security efforts should focus on, in order to permanently improve the security of IoT devices and reduce the risk placed on consumers.

    • Device identity and authentication – Proper and secure authentication with individual device identification allows a secure connection to be built between the devices themselves and the backend control systems. If every device has its own unique identity, organisations will be able to confirm that the device communicating is indeed the one it claims to be. This requires individual device identification based on solutions like PKI.
    • Encryption – When utilising IoT solutions, organisations must encrypt traffic flowing between devices and backend servers. Ensuring that the commands are encrypted and looking at command integrity via signing or a strong encoding is vital. IoT devices should also encrypt any sensitive user data they collect.
    • Physical security – Physical security is paramount. Integrating tamper-proofing measures into device components should be at the forefront of all developers' minds, as it ensures the components cannot be decoded. Additionally, ensuring that device data related to authentication, identification codes and account information is erased if a device becomes compromised will prevent private data from being used maliciously.
    • Streamlining update processes – Unfortunately, in their rush to get products to market, manufacturers sometimes build devices with no firmware update capability at all. Ensuring a consistent process that allows for flexible firmware deployment will allow developers to create new models while distributing security fixes universally across all existing product lines.
    • Coding securely – IoT developers must implement secure coding practices and apply them to the device as part of the software build process. Focusing on QA and vulnerability identification/remediation as part of the development lifecycle will streamline security efforts while helping to mitigate risk.
    • Build without backdoors – Today it is easy to build devices with a backdoor inside, for surveillance or law enforcement purposes. However, this practice compromises the integrity and security of the end user. Manufacturers must ensure that no malicious code or backdoor is introduced and the device’s UDID is not copied, monitored or captured. Doing so will guarantee that when the device registers online, the process is not captured or vulnerable to interception, surveillance or unlawful monitoring.
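
To make the first two points concrete, here is an added illustration (not from the original article or from Digital Guardian) of per-device identity combined with command integrity checking. It assumes a unique symmetric key per device and an HMAC tag as a standard-library stand-in for the PKI certificates and signatures the article recommends; the `Backend` and `Device` classes and the device names are hypothetical, and transport encryption is out of scope here.

```python
import hashlib
import hmac
import json
import secrets


class Backend:
    """Control system that knows every enrolled device by its own key."""

    def __init__(self):
        self.keys = {}      # device_id -> unique 256-bit secret
        self.counters = {}  # device_id -> last command counter issued

    def enroll(self, device_id):
        # One random key per device: no shared or default credential.
        self.keys[device_id] = secrets.token_bytes(32)
        self.counters[device_id] = 0
        return self.keys[device_id]

    def issue(self, device_id, command):
        # Bind the command to one device and one counter value, then tag it.
        self.counters[device_id] += 1
        body = json.dumps({"dev": device_id, "ctr": self.counters[device_id],
                           "cmd": command}, sort_keys=True).encode()
        tag = hmac.new(self.keys[device_id], body, hashlib.sha256).digest()
        return body, tag


class Device:
    def __init__(self, device_id, key):
        self.device_id = device_id
        self.key = key
        self.last_ctr = 0

    def accept(self, body, tag):
        # Check integrity first, in constant time, before parsing anything.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # tampered, forged, or tagged for another device
        msg = json.loads(body)
        if msg["dev"] != self.device_id or msg["ctr"] <= self.last_ctr:
            return None  # addressed elsewhere, or a replayed command
        self.last_ctr = msg["ctr"]
        return msg["cmd"]
```

Because each device holds a different key, extracting the key from one unit does not let anyone issue commands to the rest of the fleet.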

The full potential of the IoT is still far from being realised, but as more IoT-related data leaks and cyber attacks make the headlines, manufacturers are coming under increasing pressure to improve the security of their products. If followed correctly, these six steps will not only allow providers of connected technology to remain competitive, but help to build an IoT which is more robust, better protected and safer for everyone.

The author of this blog is Thomas Fischer, threat researcher and global security advocate at Digital Guardian
