4 Tips for Implementing "Security By Design" in the IoT Era

Having spent last week at CES2015, it is clear that the Internet of Things is no longer the future: it is the present. Technology is wearable, sensing, embedded, and always connected.  This year’s CES reveled in no uncertain terms, the Internet of Everything is here to stay.

But this wave is rising as we exit “year of the mega breach,” and 2015 was ushered in with the Sony hack, which in the ‘Internet of Things’ era, set the stage for a perfect security storm: On one hand, IoT leads to data collection from exponentially more data sources in the most private places and from the most critical infrastructure. On the other hand, hackers have the means and the motivation to gain access to any network, even the most secured ones.

In her CES speech about Security and Policy, Edith Ramirez confirmed what we all know by know - 2015 is going to be the year of IoT hacking:

“As we embark on a new year, observers have made a number of predictions for the IoT.We are told that, in 2015, the world will have 25 billion connected devices;1 the number of smart home devices will reach nearly 25 million;2 and IoT software platforms will “become the rage….I believe there are three key steps that companies should take to enhance consumer privacy and security and thereby build consumer trust in IoT devices: (1) adopting “security by design”; (2) engaging in data minimization; and (3) increasing transparency and providing consumers with notice and choice for unexpected data uses”

The ubiquity of IoT requires a shift to a “Security by Design” era.  So...what exactly does that mean?  It means that IoT device makers need to become security conscious and embed security into their wares.

Let’s not have 2015 be “The year the IoT breach…”  We can prevent this from occurring, if we act now.

Here are a few guidelines manufacturers can take for deploying “security by design” mindset to any IoT / Embedded / Wearable solution:

  1. As much as possible, avoid exposing embedded/Internet of Things (IoT) products directly to the Internet.  Deploy different methodologies to isolate the device from being accessible directly by anyone on the Internet, for example by leveraging VPN servers.
  2. Stat with security! Every startup in the IoT arena should consider the security aspects of the product as of day 1. The device and its firmware should have security incorporated into the initial design.
  3. Involve and educate consumers about security and build mechanisms into the device that will help consumers make the right decisions regarding privacy and security. Hackers count on consumers to make their job easy by engaging in insecure behaviors. Help your consumer overcome these believes and build product that empower the consumer to identify hacker’s activities and protect them against it.
  4. Perform a thorough code review - if you are leveraging Open Source code then you need to take responsibility for the security and integrity of that code

 

Amit Serper
About the Author

Amit Serper

Amit Serper is Principal Security Researcher at Cybereason. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering on Windows, Linux and macOS.