By Tu Le
When I’m not talking to software producers, I spend most of my other time talking to hardware producers like the Ciscos of the world. Depending on who you talk to - whether it is IDC or Gartner or others - they will show big numbers with bold predictions about the Internet of Things (IoT). A lot of these big numbers are driven by software - it is becoming an integral part of our life as it is EVERYWHERE. It is what makes the world go 'round, and I am seeing hardware vendors slowly transforming themselves into software companies. Of course, anything with big numbers always has big challenges – and for hardware producers, one of the biggest challenges and sources of anxiety is security.
Today, there is a huge number of IoT devices that run on a variety of hardware and software configurations. Most IoT devices run autonomously - for example, the Nest Thermostat® has a feature where it can sense your presence and turn on the lights when you walk into the room. Many IoT devices play mission-critical roles with very limited resources, too few to protect themselves. A common theme among all of these IoT devices is that they all carry security concerns.
In my experience working with IoT vendors, it is critical to educate these producers and their customers on security. Security experts will always tell you that security is most effective if it is designed into the product and applied in layers. In the past, hardware vendors would normally rely on physical security, but as digital bridges over into the physical world, security plays an enormous role in both hardware and software. IoT is considered an ecosystem, and hardware vendors must consider applying security in four key areas:
Device Security
Device security is the first line of defense to ensure protection against external threats that can compromise the integrity of the device. For example, brute force, impersonation, and denial of service (DoS) are all common threats at the device level. Applying security at the device level ensures that the system runs only trusted software during the startup or initialization process.
Operating System (OS) Security
Most IoT devices run on a high-level operating system such as Android or embedded Linux. Threats in this area are commonly caused by a known vulnerability such as a buffer overflow, cross-site scripting, or SQL injection; a misconfiguration such as a simple password; or improperly obtained higher-privilege access. There are many approaches to OS security to protect the system from external intrusions, for example:
- Enable the user and/or system to regularly apply OS patch updates
- Scrutinize all incoming and outgoing network traffic through a firewall
- Create secure accounts with the required privileges
- Use containers to sandbox the application
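As an added illustration of the account bullet above (example code written for this article, not taken from any vendor's product), the following audit reads account data in the standard /etc/passwd and /etc/shadow formats of embedded Linux and flags the misconfigurations described in this section. The sample accounts, the login-shell list and the UID threshold of 1000 are assumptions made for the example.

```python
# Constructed sample data in /etc/passwd and /etc/shadow format (not from a real device).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
support:x:0:0:vendor support:/home/support:/bin/sh
sensord:x:101:101:sensor service:/var/lib/sensord:/bin/sh
operator:x:1000:1000:operator:/home/operator:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
support::19000:0:99999:7:::
sensord:!:19000:0:99999:7:::
operator:$6$constructedsalt$constructedhash:19000:0:99999:7:::
"""

NO_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
FIRST_HUMAN_UID = 1000  # assumption: common Linux default; adjust per distribution


def audit_accounts(passwd_text, shadow_text):
    """Return a sorted list of (account, finding) tuples."""
    # shadow maps name -> password field ("" = no password, "!" or "*" = locked)
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]

    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip blank or malformed entries
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 outside root: full privileges"))
        if shadow.get(name) == "":
            findings.append((name, "empty password field: login without a password"))
        if 0 < uid < FIRST_HUMAN_UID and shell not in NO_LOGIN_SHELLS:
            findings.append((name, "service account with a login shell"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {finding}")
```

On a real device, pass the contents of /etc/passwd and /etc/shadow (read as root) in place of the constructed samples.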
Stay tuned for part 2 of this IoT security series where we'll cover the application and network layers.