Short term gain, long term pain: Avoiding IoT security shortcuts

In the rush to be first to market many organisations overlook basic IoT security principles, putting users at risk. Thomas Fischer urges, take time to build robust security protocols into products, rather than trying to retroft them.

Short term gain, long term pain: Avoiding IoT security shortcuts
Short term gain, long term pain: Avoiding IoT security shortcuts

Internet of Things (IoT) technologies have developed in leaps and bounds over the last few years, with innovative solutions being developed and adopted at an unprecedented rate. Analyst firm, Gartner estimates that over four billion IoT devices will be installed by the end of 2016, with that number rising to 20 billion by 2020. In a market where connected things in the enterprise will lead to a spend of over £608 billion (US$ 868 billion) this year alone, huge developments are going to be apparent. However, it's critical that organisations developing IoT technologies – and even those selling them – ensure the products they sell are not a risk to the user's security.

You don't have to look far for examples of how this could potentially occur. Take a well-established IoT technology such as smart home meters or thermostats for instance. These offer a convenient way for people to remotely manage energy consumption in their homes via the internet. However, if criminals are able to access the network these devices communicate through, they can quickly establish usage patterns to ascertain when the house is/isn't occupied and plan a break-in accordingly.

The time and cost pressures on competing organisations to get their latest IoT products to market first can be a major contributor towards security flaws. Overly stringent cost control leads to simplified hardware that hinders basic principals of integrity and failover in the devices. Additionally, the drive towards user friendliness means many IoT devices are often either memory constrained or 'input' constrained, allowing for simple functionality, but leaving little room for robust security.

Time and again rushed release dates, overzealous cost-control and a blinkered approach to user convenience produces IoT devices not fit for purpose at launch. Companies that attempt to add protection retrospectively will have a task of enormous magnitude ahead of them, and there's a much higher chance mistakes will be made and vulnerabilities missed.

Six considerations for minimising risk in IoT devices

So what can organisations do to minimise IoT security risks in their products and services? Below are six areas for consideration:

• Physical security - The first aspect to consider is the physical security of the devices. Integrating tamper-proofing measures into the components so that they can't be decoded is essential. Additionally, ensuring that device data such as authentication data, identification codes and account information are erased if a device becomes compromised will prevent private data from being used maliciously.

• Build integrity - Building integrity into the construction and distribution process will make sure no malicious code or backdoor is introduced and the device “ID” is not copied or captured. This will help ensure that when the device registers OTA (over-the-air or wire), the process is not captured or vulnerable to Man-in-the-Middle attacks, causing fake information to be introduced or access to become circumvented.

• Secure coding - IoT developers must implement secure coding practices and apply them to the device as part of the software build process. Focusing on risk and vulnerability identification and implementing code reviews will palliate those risks.

• Authentication and device identity - Implementing proper and secure authentication with individual device identification will allow a secure connection to be built between the devices themselves and the backend control system and management consoles. If every device has its own unique identity, organisations will know the device communicating is indeed the device it claims to be.

• Encryption - When utilising IoT solutions, organisations must encrypt traffic flowing between devices and back end servers. Ensuring that the commands are encrypted and looking at command integrity via signing or a strong encoding is vital.

• Future proofing - Build the ability to easily upgrade the device so that bug and security fixes can be deployed in an easy and manageable method.

In the rush to be first to market, many organisations are overlooking basic IoT security principles, putting users at risk. By taking the time to build robust security protocols into products, rather than trying to retrofit them after the fact, organisations will protect themselves and their users from the growing number of cyber-criminals out there, just waiting to pounce.

Contributed by Thomas Fischer, principal threat researcher, Digital Guardian