Internet of Things (IoT) technologies have developed exponentially over the last several years, with new solutions being developed and adopted at an unprecedented rate. Analyst firm Gartner Inc. estimates that over 4 billion IoT devices will be installed by the end of 2016, with that number rising to 20 billion by 2020. In a market where connected things in the enterprise will drive spending over $868 billion in this year alone, the impact – and risks – of IoT adoption are already becoming apparent. However, it’s critical for organizations that develop IoT technologies to ensure that the products they sell are not a risk to end users’ security or privacy.
With IoT spending so high and demand only increasing, vendors are rushing to be the first to market, which results in security being an afterthought and users being put at risk. Below are six areas for manufacturers and developers to consider to minimize the risk and improve the security of IoT devices.
- Physical security - Physical security of connected devices is paramount. Integrating tamper-proofing measures into device components should be first and foremost on developers’ minds. This ensures that they can’t be decoded. Additionally, ensuring that device data related to authentication, identification codes and account information are erased if a device becomes compromised will prevent private data from being used maliciously. Remote wiping capabilities should be implemented if PII is stored on the device.
- Build without backdoors – Today it’s very easy to construct a device with a backdoor inside it – to be used for surveillance or law enforcement purposes in times of need. However, this should not be a practice as it compromises the integrity and security of the end user. Manufacturers should ensure that no malicious code or backdoor is introduced and the device’s UDID is not copied, monitored or captured. This will help ensure that when the device registers online the process is not captured or vulnerable to interception, surveillance or unlawful monitoring.
- Coding securely - IoT developers should implement secure coding practices and apply them to the device as part of the software build process. Focusing on QA and vulnerability identification/remediation as part of the development lifecycle will streamline security efforts while mitigating risk.
- Authentication and device identity - Implementing proper and secure authentication with individual device identification will allow a secure connection to be built between the devices themselves and the backend control system and management consoles. If every device has its own unique identity, organisations will know the device communicating is indeed the device it claims to be. This requires individual device identification based on solutions like PKI.
- Encryption - When utilising IoT solutions, organisations must encrypt traffic flowing between devices and back end servers. Ensuring that the commands are encrypted and looking at command integrity via signing or a strong encoding is vital. Any sensitive user data collected by IoT devices should be encrypted as well.
- Streamline the update process - Build the ability to easily upgrade the device so that bugs and security updates can be deployed in an easy and manageable way. Sometimes firmware updates can be tricky if they’re not configured correctly from the start. Unfortunately sometimes manufactures build the devices to not receive firmware updates at all. Ensuring a consistent process that allows for flexible firmware deployment will allow developers to create new models while distributing security fixes universally across product lines.
It’s obvious that IoT technology is here to stay; but as more IoT-related compromises and data leaks affect consumers, manufacturers will face increasing pressure to harden the security of their products. By following these steps, providers of connected technology can ensure that they remain competitive into the future as IoT becomes commonplace and device security becomes a top consideration for buyers.
