The following is an excerpt from our recent whitepaper, IoT Device Security, Built-in, Not Bolt-on: The 10 Security Factors Every Device Designer Should Consider. This guide was written to help you navigate security considerations before they become threats, so you can get back to designing the best IoT product or application possible.
The Rising Tide of Security Threats
Limited only by designers’ imaginations, the Internet of Things (IoT) is changing how people live. From medical devices and fitness trackers to tank sensors, smart thermostats, intelligent streetlights, water monitors, and more, the IoT is in more places than ever.
However, by relying on wireless networks, those hundreds of millions of IoT devices present a greater “attack surface,” making them tempting frontline targets for competitors, hackers, disgruntled employees, and other bad actors. Unfortunately, the tools and techniques we’ve applied to PC/smartphone platforms often don’t work well in the IoT, for several reasons:
- Resource Limitations – Small-footprint IoT devices typically have far less battery power, processing speed and memory. They lack the power and sophistication required to support traditional security measures.
- Data Complacency – Many companies view the data in their IoT networks as mundane and having little intrinsic value outside the organization. But many breaches are motivated by other factors, such as competitive advantage, social status, or revenge. The data isn’t the goal – the hack is.
- Availability of Tools – The tools and expertise to analyze and modify embedded/IoT devices are widely available – even to hobbyists.
- No Physical Access Required – One of the advantages of the IoT is that devices can be remotely configured/upgraded without the need for dispatching a truck. However, thanks to wireless connections, hackers don’t need physical access to a device, such as through USB or other I/O ports.
- Interface Differences – Embedded devices have no GUIs, and error messages can be as basic as a coded series of beeps or flashing lights. This is particularly true for security status and control functions, allowing security alarms to be overlooked.
- Hardwired Ports – These provide unfortunate opportunities for compromise. IoT solutions can’t simply implement a strong password over a TLS connection – the most common approach for PC/Internet applications.
IoT solutions need a different approach, and the effort required to identify and mitigate unique security risks in embedded systems is often underestimated, if not overlooked entirely.