As the number of connected devices continues to soar, IoT security threats become ever more important. Let’s look at the security fundamentals for IoT.
By 2020, an estimated 20 billion connected devices will be out there. That’s almost three for every living person on the planet. As more we continue to connect up our lives and business processes to the Cloud, securing that data has never been more important.
The reasons lie at both ends of the security spectrum. Critical infrastructure is now becoming connected in many cases for the first time, while at the consumer end, users who know almost nothing about IT security are now hooking up their personal data and even their homes.
Vulnerabilities a serious business
Last year, some major IoT security issues made headlines around the world. The Mirai botnet attack exploited default and hardcoded passwords to bring down many websites. DNS provider Dyn lost a significant number of clients as a result.
Cameras were also targeted. DDoS attacks were made using more than 500,000 internet-connected cameras, while the Persirai botnet attacked more than 100,000 devices.
BlueBorne was a vulnerability in Bluetooth implementations which could allow a hacker to gain control of devices and either steal information from them or use them for a man-in-the-middle attack. By the time it was disclosed to the public, Windows, Linux, Android and iOS had all made fixes available.
Read more: Lessons learned from Blueborne
It’s all in the implementation
First things first, Bluetooth is an extremely secure protocol by design. Over the last ten years, Bluetooth vulnerabilities have been of low severity and, crucially, haven’t allowed hackers to execute code remotely.
BlueBorne managed to be such a dangerous threat by exploiting the way that operating systems implement Bluetooth, and this gets to the crux of the problem. The most secure technology still relies on proper implementation to be effective.
How to improve your IoT security
Srini Vemula, global product management leader and security expert at SenecaGlobal, spoke to Network World about how enterprises can boost their IoT security. In amongst his advice, there’s some good reminders for developers of connected products.
Build devices based on security-hardened platforms and adopt standard security controls. Select the most secure platform as your base on which to develop. Any connected product’s architecture should support the ability to patch, quickly and at scale.
Make security an integral and easy-to-understand part of using the product. Many buyers of modern connected devices, whether consumer or B2B, aren’t necessarily thinking about security as their primary concern. By incorporating it into the workflow, you’re helping the end customer help themselves.
Keep informed, and act. By keeping abreast of security news, you’re able to quickly act on any vulnerabilities that may be identified and patch your product before customers even realise there’s an issue.
Striking the right balance
While we are fans of the 'build first, iterate later' approach of lean product development, security must not be compromised. Including appropriate security into products can seem at odds with a rapid development mindset.
> Read more: Security of connected medical devices
The best strategy is to always decide upon the most appropriate security level first, and only design the product’s features afterwards. By taking a feature-first approach to product development, security has to be retrofitted. While that’s often possible to achieve, it can lead to unexpected vulnerabilities and difficulties.
As connected products become an ever more integrated part of our lives, it’s never been more important to consider security first.
This is even more important when dealing with data-only service providers. Remember that even when the data itself is encrypted, the meta data can still tell a story that is useful to potential troublemakers.