Effective IoT security must begin at the drawing board

Thomas Fischer, global security advocate at Digital Guardian

Thomas Fischer, global security advocate at Digital Guardian, assesses the role security will play in the IoT and argues that manufacturers must return to the drawing board to find a sustainable, long-term solution.

For a while now, the issue of IoT security has been a growing problem that few want to face up to. The technology industry is renowned for its fast pace and the advantages of being first to market can often be significant, so it’s no surprise to see new IoT products being released at a furious rate. Unfortunately, this rush to market can often result in products and devices that are vulnerable to cyberattacks.

For manufacturers, the IoT is a particularly difficult nut to crack. In addition to time pressures, the demand for user friendliness – combined with highly stringent cost controls – means that, even if the will is there, finding a fast, cost-efficient security solution can be a challenge.

One major problem is that many IoT devices still use extremely cheap processing units akin to something that would have been used several decades ago, only on a much smaller scale. These kinds of processors lack both the memory capacity and input mechanisms required to conduct the regular security updates and patches that would normally take place on PCs and mobile phones.

With the lifespan of some IoT devices now expected to exceed ten years, the security issue this presents is a growing cause for alarm. The threat landscape is a highly dynamic environment and devices that can’t be patched are vulnerable not only to the threats that are out there today but also to all threats that emerge after the device has gone to market.

A new approach to IoT security is needed

Fortunately, organisations are starting to take note. The IoT Security Foundation is driving the creation of new standards and enlisting companies to work together to improve the overall security of IoT devices from the ground up. Elsewhere, the GSM Association (GSMA) has recently produced a set of major guidelines around IoT security best practice.

But in order for businesses to make meaningful security improvements, changes must take place at the design phase, not as an afterthought prior to launch. Security must also be considered from a variety of different angles including software, hardware and the network if it is to be effective.

1) Secure software: Building new devices on a foundation of robust and secure software is critical. Best practice encompasses a variety of design considerations including:

  • Proper and secure authentication for each individual device, so organisations can quickly confirm that any individual device is the one it claims to be
  • The use of secure coding practices, focusing on QA and vulnerability identification as part of the development lifecycle in order to streamline security and mitigate risks
  • Industry standard encryption of all data flowing between the IoT device and backend servers, meaning that even if the data is intercepted, it is meaningless without the correct encryption key
  • Making provision for the deployment of new firmware on the device over time. Moving to more advanced and versatile processing units will allow device software to be updated and protected against new vulnerabilities as they are discovered, greatly increasing security and ultimately saving money over time
  • Ensuring all backdoors are closed. Building devices with a backdoor has become alarmingly commonplace, but it compromises the security of the end user. Closing such backdoors ensures critical information such as device UDID is not copied, monitored or captured without the manufacturer’s knowledge
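
One way to implement the per-device authentication from the first bullet above, as an added example (not code from the article or from any vendor). It uses an HMAC challenge-response with a unique key per device; the device IDs, the master secret and all function and class names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret; in production it lives only in the backend's HSM/KMS.
MASTER_KEY = bytes.fromhex("a3" * 32)

def derive_device_key(master_key: bytes, device_id: str) -> bytes:
    """Unique key per device, so extracting one device's key exposes only that device."""
    return hmac.new(master_key, b"device-key|" + device_id.encode(), hashlib.sha256).digest()

def sign_challenge(device_key: bytes, device_id: str, nonce: bytes) -> bytes:
    """Device side: prove possession of the key without ever sending it."""
    return hmac.new(device_key, nonce + b"|" + device_id.encode(), hashlib.sha256).digest()

class Backend:
    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.pending = {}  # device_id -> outstanding nonce

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh and unpredictable for every attempt
        self.pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self.pending.pop(device_id, None)  # single use, so a replay finds nothing
        if nonce is None:
            return False
        key = derive_device_key(self.master_key, device_id)
        expected = sign_challenge(key, device_id, nonce)
        return hmac.compare_digest(expected, response)  # constant-time comparison

def demo() -> dict:
    backend = Backend(MASTER_KEY)
    key_a = derive_device_key(MASTER_KEY, "sensor-0001")  # provisioned at manufacture
    key_b = derive_device_key(MASTER_KEY, "sensor-0002")

    nonce = backend.challenge("sensor-0001")
    answer = sign_challenge(key_a, "sensor-0001", nonce)
    genuine = backend.verify("sensor-0001", answer)
    replayed = backend.verify("sensor-0001", answer)  # same answer, no open challenge

    nonce = backend.challenge("sensor-0001")
    # A key belonging to a different device cannot answer for sensor-0001.
    impersonation = backend.verify("sensor-0001", sign_challenge(key_b, "sensor-0001", nonce))
    return {"genuine": genuine, "replayed": replayed, "impersonation": impersonation}

if __name__ == "__main__":
    print(demo())
```

Because the key never crosses the wire and each nonce is accepted once, a captured exchange cannot be reused, and a key recovered from one unit does not let it pose as another.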

2) Secure hardware: Physical security goes hand in hand with software security. Integrating tamper-proofing measures into device components means they can’t be accessed and decoded without permission. Physical switches or breakers that can allow the user to physically turn off certain features should also be assessed. For example, a physical mute button could be added to devices with microphones, and hard upper and lower limits could be added to devices controlling temperature. Furthermore, ensuring sensitive data related to authentication and account information is erased in the event of a device being compromised will help to prevent it being extracted for malicious use at a later date.

3) Security on the network: Should an IoT device become compromised, the potential damage done can be significantly reduced by the presence of security partitions on the network. This means the infected device can be quarantined away from other critical systems and also cut off from the Internet in order to prevent remote data exfiltration.

It’s also important to use secure protocols like HTTPS for data exchange between the IoT device and the backend management or storage solution. Manufacturers must also make strong authentication methods available and actively advise end users to change any passwords or keys from the default credentials.

Security teams must also understand the needs of the business

Building secure IoT devices is becoming increasingly important, but it’s also very easy for security teams to be so caught up in their own goals and objectives that they fail to align properly with the wider needs of the business. The end result is usually systems and devices that are highly secure but also difficult to use and unappealing to the end user.

A good security team must assess the wider business needs around the IoT and come at problems from a mutually beneficial angle. Working alongside the business, rather than against it, will almost always result in more effective, more secure IoT devices and infrastructure.

Sadly, the harsh reality of having so many vulnerable IoT devices already out in the wild is that breaches and attacks are an inevitability. However, as the drive for better security gains momentum and new devices start coming to market with built-in security features, future product cycles should see a marked increase in the overall level of IoT security for us all.

The author of this blog is Thomas Fischer, global security advocate at Digital Guardian
