IoT Security – Need Some Basics

With more and more IoT products and services being announced by the hour and new engineers and developers racing to get products out the door, security unfortunately remains the last consideration.

We need to ensure that IoT leads to a security by design model. While everyone considers this one of the critical issues for both implementation and adoption for IoT, not many vendors are talking about the security model being used for product/service creation.

Some of the key elements to consider when securely designing a new IoT solution are sensors, applications and servers. Get your developers thinking about the following:

  1. What is the threat model? Once you have your product concept you need to understand and develop this model. Only then can you determine what security controls will be required to secure your solution.
  2. Do you need secure communications to your sensor/actuators? What did your threat model identify?
  3. Remove all embedded authentication or testing backdoors. Or better yet, train your developers to not use them at all. I am still surprised at how many device manufacturers use admin:admin as the user id/password combination today.
  4. Ensure that code analysis is conducted at each major development coding stage. This will ensure that vulnerabilities are quickly identified and eliminated prior to shipment.
  5. Perform end-to-end pen testing of your solution, both in the lab and in the field, to ensure you’re finding the bugs before the hackers do…..because they will!

Start-ups can easily setup these process improvements to ensure a stronger security model and use them as selling features for their solutions. Don’t be afraid to educate customers on all the effort you have invested to ensure the products/services being created are secure. At a minimum, your organization should look to implement an SDLC based on ISO 27034 Application Security as this will help to implement all the elements recommended.


About F Khan

Tech-junkie, with a special affection for security issues as they relate to telecom and enterprise, mobile, standards, social media, and gadgets.