Time for a wake-up call: The Insecurity of Things

By 2020, companies will be spending about €250 billion on the Internet of things, with half of that entire spending coming from the manufacturing industry, according to the Boston Consulting Group.  Although great for productivity, the IoT is not without its risks and in its relatively short life it has already developed a poor reputation when it comes to security. Sadly, this is justified. Last year, thousands of IoT devices were manipulated to create botnets in some of the largest DDoS attacks ever seen.

Gartner estimates that over 20 billion IoT devices will be in the marketplace by 2020, so if even a fraction of these devices are unsecured it adds up to a big problem. Despite high-profile IoT attacks frequently making global headlines, the vast majority of us remain dangerously unaware of the security risks these new IoT devices pose.

As connected devices increasingly pervade all aspects of our lives, the burden of properly securing them must fall squarely on product manufacturers and software developers. After all, it makes sense that those developing and profiting from IoT technology ensure the products they sell pose no risks to end user security or privacy.

What is the best way to address the challenge of IoT security? Manufacturers are already finding that their organisational structures need to be assessed and modified to meet the requirements and challenges of IoT. With this in mind, below are six key areas that security efforts should focus on, in order to permanently improve the security of IoT devices and reduce the risk:

Identity management – Proper and secure authentication with individual device identification allows a secure connection to be built between the devices themselves and the backend control systems. If every device has its own unique identity, organisations will be able to confirm that the device communicating is indeed the one it claims to be. This requires individual device identification based on solutions like PKI.

Encryption – When utilising IoT solutions, organisations must encrypt traffic flowing between devices and backend servers. Ensuring that the commands are encrypted and looking at command integrity via signing or a strong encoding is vital. IoT devices should also encrypt any sensitive user data collected as well.

Physical security – Physical security is paramount. Integrating tamper-proofing measures into device components should be at the forefront of all developers minds as it ensures they cannot be decoded. Additionally, ensuring device data related to authentication, identification codes and account information are erased if a device becomes compromised will prevent private data from being used maliciously.

Firmware capabilities – Unfortunately, in their rush to get products to market, manufacturers sometimes build devices with no firmware update capability at all. Ensuring a consistent process that allows for flexible firmware deployment will allow developers to create new models while distributing security fixes universally across all existing product lines.

Secure coding – IoT developers must implement secure coding practices and apply them to the device as part of the software build process. Focusing on QA and vulnerability identification/remediation as part of the development lifecycle will streamline security efforts while helping to mitigate risk.

No backdoors – Today it is easy to build devices with a backdoor inside, for surveillance or law enforcement purposes. However, this practice compromises the integrity and security of the end user. Manufacturers must ensure that no malicious code or backdoor is introduced and the device’s UDID is not copied, monitored or captured. Doing so will guarantee that when the device registers online, the process is not captured or vulnerable to interception, surveillance or unlawful monitoring.

The IoT still has a lot of growing to do. This growth process, however, needs to be underpinned by a posture of security by design. If followed correctly, these six steps will not only allow providers of connected technology to remain competitive, but also help to build an IoT that is more robust, secure and safer to use.

By Thomas Fischer, threat researcher and global security advocate at Digital Guardian