
The great IoT threat: how to avoid common security pitfalls during application development
For entrepreneurs and big businesses alike, those figures are enticing enough to inspire the creation of a seemingly ‘new’ connected product, service or feature.
However, the race to be first to market can result in quick and hasty decisions. Although the IoT is still young, there is already growing concern that poor application development and design are too often the rule rather than the exception. With no real limitations to the kinds of historically "dumb" devices which can be made "smart," many IoT security failures can be traced back to poor decisions about the type of ‘smart’ features implemented, how they are implemented and the scope in which they will be used. However, IoT companies can learn something from the security advancements that have been made in the IT industry over the last 20+ years.
The consumerisation of IT means that technologies designed and marketed to consumers often find their way into workplaces. It is nearly impossible to know how your technology will be applied once it has been marketed and sold. In an age where data breaches are making headlines on a daily basis, it’s potentially disastrous for a business to not build in the proper security measures within product development.
The IoT brings with it immense opportunity, but it could quickly be brought to its knees if manufacturers fail to consider security implications in their rush to hit the marketplace with ‘the next big thing’. For business application developers, the following will help ensure security remains a priority throughout the development process:
#1 Secure your apps by design
Before beginning any app development, designers must weigh up the pros of ‘connected’ features against the cons of the security holes they open up. The security and privacy implications of connected features like messaging and social media integration must be assessed upfront, as part of the design of an IoT application. An email proxy requires clear and concise directions on secure configuration, with strong administrator credentials, shielding it from low-level attacks and port scans.
These basic protections will then influence other design decisions. A rigorous assessment of the security implications of smart features may increase the cost of development, but will save time and cost of flaws discovered down the road.
#2 Protect from inception to deployment
Connected device makers should also ensure that any software update or modification requires administrators to authenticate to the device first, and requires the use of signed executable files to verify the integrity of the software that is being installed. Devices must be able to register activity which could indicate an attack. Robust logging features are a must if administrators are required to recover compromised systems.
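The update checks described above, sketched as an added example (not code from the article or from any vendor's firmware): an update is installed only after administrator authentication and a valid signature over the image, and every decision is written to an audit log. The function names, the log format and the demo key are assumptions; the signature is RSA PKCS#1 v1.5 with SHA-256 written against the Python standard library so that it runs offline, where a product would call a vetted crypto library.

```python
import hashlib
import hmac

# Constructed demo key: both primes are Mersenne primes, so it is trivially
# factorable. A real vendor key is generated randomly, the private exponent
# stays on the signing server, and only (N, E) ships on the device.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
K = (N.bit_length() + 7) // 8  # modulus length in bytes
# ASN.1 DigestInfo prefix for SHA-256 (PKCS#1 v1.5)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(image: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(image), exactly K bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def vendor_sign(image: bytes) -> bytes:
    """Build-server side, present only so the example has a valid signature."""
    d = pow(E, -1, (P - 1) * (Q - 1))
    return pow(int.from_bytes(encode(image), "big"), d, N).to_bytes(K, "big")

def signature_ok(image: bytes, sig: bytes) -> bool:
    """Device side: recompute the expected encoding and compare it in full,
    rather than parsing the recovered padding."""
    if len(sig) != K or int.from_bytes(sig, "big") >= N:
        return False
    recovered = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    return hmac.compare_digest(recovered, encode(image))

def install_update(image, sig, admin_authenticated, audit_log):
    """Gate an update: authenticated admin first, then a valid signature.
    Every outcome is logged with a short digest of the offered image."""
    digest = hashlib.sha256(image).hexdigest()[:16]
    if not admin_authenticated:
        audit_log.append(("update_rejected", "unauthenticated", digest))
        return False
    if not signature_ok(image, sig):
        audit_log.append(("update_rejected", "bad_signature", digest))
        return False
    audit_log.append(("update_accepted", "ok", digest))
    return True
```

Repeated `update_rejected` entries in the audit log are the kind of activity the device should surface to administrators.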
In today’s IoT world, it’s not enough to require end-users to use their initiative and set long passwords. There’s a ‘set and forget’ mentality among users which is not sufficient for ensuring around-the-clock security.
#3 Avoid ‘security through obscurity’
Another common mistake at the development phase is the dangerous ‘security through obscurity’ approach, i.e. the assumption that hackers won’t be interested in your product. Products must be designed with the assumption that they will be purchased, dissected and studied. Security shortcuts such as embedded private keys or weak authentication might save time and speed up deployment, but a global IT ecosystem can quickly become a global botnet network.
#4 Don’t make your supply chain the weakest link
You can’t underestimate the importance of screening supply chain partners closely, to make sure contracts and service provider agreements protect you. By using emerging hardware security technologies, companies can remove the risk of malicious vendors or manufacturers. These technologies allow all secret keys or intellectual property to be secured and verified directly on the chip. This same approach can also protect you against device cloning or counterfeiting.
#5 Put safety first
While great security is an absolute must-have, companies must also prepare for the failure of their security. It’s not enough to just have great external security; systems must be designed with compromise in mind. Traditional IT systems have just started doing this by encrypting information inside databases in the event that it is compromised.
IoT devices should ensure that critical functions of the device cannot be affected or compromised by ‘smart’ features. For example, as cars become more connected, manufacturers should separate systems, such as air bag deployment systems from infotainment systems, to ensure that a hacker doesn’t get the "keys to the kingdom" so to speak.
Unfortunately, building an IoT product is not as simple as just connecting your product to the internet.
And while it is tempting to rush to try to be first to market, quicker does not mean safer. The security and privacy issues raised by connected products are often subtle and complex. Any business looking to design and deploy applications must wrap a robust security policy around every decision.
For companies with limited resources, IoT platforms-as-a-service can address many of the security and data integrity issues that riddle poorly designed IoT products. Such tools let you streamline secure communications based on industry-standard encryption protocols and extend fine-grained user provisioning to IoT products. This will also improve time to market, whilst avoiding a rude awakening in the future.
About the author:
Calum Barnes is Product Owner, Xively by LogMeIn — https://secure.logmein.com
