Developing IoT devices? Four costly security mistakes and how to avoid them

IoT brings with it so much opportunity, but it also increases risk and widens the attack surface of your product and even your organisation, says Stuart Griffin, founding director and technologist, Consult.Red.

To put it into perspective, according to Gov.uk’s Cybersecurity survey 2020, almost half of businesses (46%) report having cybersecurity breaches or attacks in the last 12 months, this is up from a third in the previous year. Maintaining trust with customers is a key concern for CEOs and a big obstacle to successfully deploying IoT products to market.

In our many years of developing connected devices and systems, we’ve seen costly mistakes crop up time and again – here are some common ones with some pointers to help you avoid them:

1. Rushing to get an IoT product or solution to market:

In the race to get to a smart product to market, it can be tempting to think that security can be ‘left until last’ and bolted on at the end, when in fact security is something that needs to be planned at every phase of designing, developing and deploying your connected devices and systems. Security will be need to maintained throughout the product life and a well-planned approach will make this much easier.

When businesses engage in innovation without proper preparation, they can put their project, company and customers at risk. Preparation takes time and money, and the Proof of Concept (PoC) stage is essential in reviewing all aspects of security. But in rushing to get to market, we’ve seen PoCs developed too quickly with little to zero security consideration of implementation. It’s important that PoCs are developed with data encryption and end-to-end security in mind, even if not implemented. The feasibility of the design may pivot on the security solution. This is also the stage when compliance can generate complexities, as different devices may need different certification types.

2. Introducing insecure components into your IoT product.

When it comes to the build vs. buy decision, remember that the components you select can affect security and reliability. It’s important that you choose to work with a supplier that will disclose vulnerabilities to you throughout the entire lifecycle of the product. You’ll need to review security at every stage of the product development process moving forward, as the impact of poor risk and vulnerability management will be significant as your solution scales up.

3. Underestimating security issues when scaling IoT devices.

As solutions scale, security can get harder to manage. When all of the components are scaled to the size of an expected deployment, security risk and compliance should be a major focus. In the planning stages, you’ll need to consider how security will be maintained throughout the manufacturing and production process, in particular, how sensitive data such as key and software will be handled.

For one client we’ve installed hardware in the third-party factory to inject secure keys at the site of manufacture and programme signed code on each device. Your IoT security solution needs to be future-proof, allowing for updating and change in a safe, secure and low-risk way without requiring a whole new system.

4. Planning no security for smart devices not connected to the internet.

It’s a common myth that just because a smart device isn’t going to be connected to the internet (in other words it only interacts through Bluetooth or NFC or some other interface) it doesn’t need security. While not being connected to the internet does remove a big attack surface, it doesn’t mean a device is secure. It’s not just IP stacks that have vulnerabilities, a range of vulnerabilities have been found in Bluetooth, USB and NFC stacks. Developing exploits and scaling them is harder for these vulnerabilities but still relatively straightforward.

The author is Stuart Griffin, founding director and technologist, Consult.Red.

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow

FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more
RECENT ARTICLES

Password managers go mainstream and reveal need for C-suite driven security consistency

Posted on: December 7, 2021

London, UK. – Bitwarden, an open source password manager for businesses and individuals, announced the results of its 2022 Password Decisions Survey. The survey, which polled more than 400 U.S. IT decision makers across a wide range of industries, shows that password managers are a near-defacto standard for organisations, with 86% reporting they are being put to use. This reflects

Read more

OCF celebrates pulse systems’ installation of newly certified IoT platform for smart lighting

Posted on: December 6, 2021

The Open Connectivity Foundation (OCF) has announced the first installation of the recently-certified low power IoT platform, from OCF member Cascoda, that combines the end-to-end security benefits of OCF and the low power, wide-area coverage advantages of Thread.

Read more