Page 49

EETE JAN 2016

alst word adta cesurity The great IoT threat: how to avoid common security pitfalls during application development By Calum Barnes The future potential of the Internet of Things has been well documented. Cisco Systems estimates 25 billion devices will be connected to the internet by the end of this year, while IDC believes $7.3 trillion in revenue will be generated by IoT components by 2017. For entrepreneurs and big businesses alike, those figures are enticing enough to inspire the creation of a seemingly ‘new’ connected product, service or feature. However the race to be first to market can result in quick and hasty decisions. Although the IoT is still young, there is already growing concern that poor application development and design are too often the rule rather the exception. With no real limitations to the kinds of historically “dumb” devices which can be made “smart,” many IoT security failures can be traced back to poor decisions about the type of ‘smart’ features implemented, how they are implemented and the scope in which they will be used. However, IoT companies can learn something from the security advancements that have been made in the IT industry over the last 20+ years. The consumerisation of IT means that technologies designed and marketed to consumers often find their way into workplaces. “Building an IoT product is not as simple as it might seem and quicker never means safer”, says Calum Barnes, Xively Product Owner at LogMeIn. It is nearly impossible to know how your technology will be applied once it has been marketed and sold. In an age where data breaches are making headlines on a daily basis, it’s potentially disastrous for a business to not build in the proper security measures within product development. The IoT brings with it immense opportunity, but it could quickly be brought to its knees if manufacturers fail to consider security implications in their rush to hit the market place with ‘the next big thing’. For business application developers, the following will help ensure security remains a priority throughout the development process: #1 Secure your apps by design Before beginning any app development, designers must weigh up the pros of ‘connected’ features against the cons of the security holes they open up. IoT applications must be designed to assess the security and privacy implications of connected features like messaging and social media integration upfront. An email proxy requires clear and concise directions on secure configuring, with strong administrator credentials, shielding it from low-level attacks and port scans. These basic protections will then influence other design decisions. A rigorous assessment of the security implications of smart features may increase the cost of development, but will save time and cost of flaws discovered down the road. #2 Protect from inception to deployment Connected device makers should also ensure any software updates or modification should require administrators to authenticate to the device first and require the use of signed executable files to verify the integrity of the software that is being installed. Devices must be able to register activity which could indicate an attack. Robust logging features are a must if administrators are required to recover compromised systems. In today’s IoT world, it’s not enough to require end-users to use their initiative and set long passwords. There’s a ‘set and forget’ mentality among users which is not sufficient for ensuring around-the-clock security. #3 Avoid ‘security through obscurity’ Another common mistake at the development phase is the dangerous ‘security through obscurity’ approach, i.e. the assumption that hackers won’t be interested in your product. Products must be designed with the assumption that they will be purchased, dissected and studied. Security shortcuts such as embedded private keys or weak authentication might save time and speed up deployment, but a global IT ecosystem can quickly become a global botnet network. #4 Don’t make your supply chain the weakest link You can’t underestimate the importance of screening supply chain partners closely, to make sure contracts and service provider agreements protect you. By using emerging hardware security technologies, companies can remove the risk of malicious vendors or manufacturers. These technologies allow all secret keys or intellectual property to be secured and verified directly on the chip. This same approach can also protect you against device cloning or counterfeiting. #5 Put Safety first While great security is an absolute must have, companies must also prepare for the failure of their security. It’s not enough to just have great external security, systems must be designed with compromise in mind. Traditional IT systems have just started doing this by encrypting information inside databases in the event that it is compromised. IoT devices should ensure that critical functions of the device cannot be affected or compromised by ‘smart’ features. For example, as cars become more connected, manufacturers should separate systems to ensure that a hacker doesn’t get the “keys to the kingdom” so to speak. For example, separating air bag deployment systems Calum Barnes is Product Owner, Xively by LogMeIn - https://secure.logmein.com/ www.electronics-eetimes.com Electronic Engineering Times Europe January 2016 49


EETE JAN 2016
To see the actual publication please follow the link above