You are here

3 big IoT security fears, and how developers can tackle them

public://pictures/Christopher-Null-CEO-Null-Media.png
Christopher Null, Freelance writer

The Internet of Things (IoT) is poised to become the biggest technological breakthrough of this decade, similar to how the smartphone earned a spot as the greatest triumph of the prior one. Many households will soon own a smart car, smart refrigerator, smart thermostat, or all of the above, finally bringing to life the sci-fi fantasies of the 20th century.

However, there is a mounting fear that this promised IoT utopia is actually becoming a cybersecurity Wild West. A dense crowd of companies large and small is attempting to “disrupt” this trendy space, and this dissonant group sparks security concerns among many IT professionals and consumers. If your business’ focus is IoT, your biggest enemy likely isn’t the competition; it’s the public’s anxiety, which is continually fed by news reports regarding the vulnerability of connected devices to cybercrime.

There are ways to protect your customers and your bottom line. Here are three of the scariest aspects of IoT, as well as steps developers can take to assuage these fears.

[ Is it time to rethink your release management strategy? Learn why Adaptive Release Governance is essential to DevOps success (Gartner). ]

1. A mixed bag of OSes means a mixed level of threat protection

The growth in the number of installed IoT devices will likely greatly outpace that of other devices in the coming years. Gartner predicts that the number of smartphones, laptops, and tablets in use worldwide will hit 7.3 billion units in 2020—but at the same time it figures there will be 26 billion IoT devices out there, all with a hodgepodge of operating systems and security levels.

Industry leaders like Apple, Google, Microsoft, and Samsung have launched their own IoT platforms, and very few feature operating systems that are compatible with one another. This variation is one of the IoT's most glaring security concerns.

“As every player with a stake in IoT is well aware, security is paramount for the safe and reliable operation of IoT-connected devices,” says Michel Chabroux, product line manager at IoT software company Wind River. “It is, in fact, the foundational enabler of IoT. Where there is less consensus is how best to implement security in IoT at the device, network, and system levels.”

Chabroux suggests a multilayered approach to security that must function at every point of an IoT device’s lifecycle, including secure booting, access control, firewalling, and updates. “Unfortunately, there is no ‘silver bullet’ that can effectively mitigate every possible cyberthreat.”

“The good news, though, is that tried-and-true IT security controls that have evolved over the past 25 years can be just as effective for IoT—provided we can adapt them to the unique constraints of the embedded devices that will increasingly comprise the networks of the future.” —Michel Chabroux, Wind River

A defensive strategy of looking at the security of the full stack of an IoT project is crucial. End-to-end encryption that protects data independent of channel encryption is a good, albeit tricky, start. Nevertheless, Justin Klein Keane, an IT security expert and major contributor to the Open Web Application Security Project (OWASP) IoT project, believes new tactics will have to be developed.

“IoT faces unique new challenges, such as physical transfer of device ownership, poor hardware security countermeasures, lack of UI, scale, and many-to-many, user-to-device authentication requirements. There are many more issues specific to IoT for which we don't have any prior experience or security patterns, and without awareness of these challenges, security efforts are often ineffective.” —Justin Klein Keane, OWASP contributor

[ Get Report: The Top 20 Continuous Application Performance Management Companies ]

2. Many IoT devices are terribly vulnerable

Beyond poor software platform compatibility and safety, the security hygiene of the actual devices in the IoT industry is a huge flaw, claims Jason Sabin, chief security officer of DigiCert, an SSL certificate provider. Many current devices, for example, lack a password-protected lock screen to halt unauthorized access. Some objects, like a “smart mattress cover,” don’t even have screens. Untangling how to properly secure these devices requires innovative solutions. Because cybersecurity is not usually a primary objective of many IoT manufacturers, threats aren’t often considered at the operational level.

“Many key security protections are missing as of now. These include strong authentication to devices and networks to make sure only authorized individuals can get data, as well as encryption of data at rest and in transit," Sabin said. "Similarly, many existing devices have not been built with firmware capable of being updated to meet evolving threats.”

Sabin points to a large collection of wearables he’s seen that automatically connect to nearby smartphones via Bluetooth. Elvis Collado, a security research at cybersecurity provider Praetorian, also worries about attackers rewriting firmware code and installing it on an IoT device.

“The attack vector varies from device to device, but improper key handling or firmware validation puts a great number of IoT devices at risk. If an attacker can program a backdoor into a device, whether it be remote or local, then it's game over.” —Elvis Collado, Praetorian

To solve this, a more holistic approach is required. “An IoT developer might apply encryption at the application layer, unaware of security flaws in the operating system, network, storage, or hardware layer that allow an attacker to easily bypass the encryption,” Keane notes.

Microsoft, Dell, ARM, Bosch, and many others are building IoT platforms for developers that will help devices speak a common language, Sabin says. “As part of these platforms, they are building in authentication and encryption via digital certificates and public key infrastructure. This helps ensure that developers provide key protections for IoT products before they become available to consumers.”

3. A huge IoT breach could be the next Heartbleed

From Blaster to Heartbleed, it’s clear that the tech industry often acts on security only after a major problem becomes evident. What all four of the above experts agree on is that you shouldn’t expect “them” to fix a problem before it happens.

“Builders make the best breakers,” Collado believes. “At Praetorian, we’re all developers and engineers. We just happen to focus on security. If you're a developer, try breaking your code from a non-QA perspective. Can you cause information to be leaked? Can you cause memory corruption? Do you have test code that was compiled into production that can be potentially abused? Can users access hardware debug interfaces in situations when they're not supposed to? This type of mentality shift will greatly improve the quality of your code from a security perspective.”

Developers need to work with manufacturers from the start to ensure that security is a top priority. “Security cannot be thought of as an add-on to a device, but rather as integral to the device’s reliable functioning,” Chabroux says. “Software security controls need to be introduced at the operating system level, take advantage of the hardware security capabilities now entering the market, and extend up through the device stack to continuously maintain the trusted computing base.”

Because IoT security needs to be multifaceted, testing at all levels of development is crucial for safety. Protecting customers should be a primary concern, not an afterthought.

“The best practice in IoT is a sound and thorough threat model and risk assessment at architecture and design time that clearly identifies areas of security concern and appropriately directs and apportions security countermeasures. It takes a seasoned professional to conduct this type of review, and, sadly, such professionals are in short supply and/or their criticality is undervalued.” —Justin Klein Keane, OWASP contributor

[ Get Report: Buyer’s Guide to Software Test Automation Tools ]