Building Security Into IoT Development Is Critical

Posted on by Rook Security

By Rushabh Vyas

More and more devices connected to the Internet of Things are being used across the world every day. Why? They are more available than before, and the hardware and applications needed to network a device are inexpensive. People also want convenience: who wouldn’t want to feed or watch their pets from work, or even from their child’s soccer game?

As with anything, the convenience IoT devices offer can come at the cost of security. Often, the engineers or developers building IoT devices are not trained in security or secure coding. Additionally, many manufacturers have no system in place to deploy software updates or patches. Once they have realized the revenue from selling a device, there is no incentive for them to keep monitoring and fixing security issues found in it. Given the limited technical expertise of most end users, keeping IoT devices updated and placing them properly on the network are major concerns.

End users typically just want to plug a device in and go, without understanding the implications of how and where they install it. Although some of these devices do have auto-updates, most do not. The longer a device is left unpatched, the more of its vulnerabilities will be identified. Placing an unsecured IoT device on the same subnetwork as an end user’s home PC and mobile devices lets an attacker pivot easily from the device to these more valuable assets.

Another reason attackers target IoT devices is that a vulnerability found in one device will very likely apply to many other devices. Some IoT devices are essentially small Linux computers, and once compromised they can be used, for example, to conduct DoS attacks.

Some of the common problems I’ve seen with IoT devices are:

  • Hardcoded passwords
  • Code injection
  • Insecure APIs
  • Web application vulnerabilities (see OWASP)
  • Lack of encryption in communication
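Two of the problems above, hardcoded passwords and code injection, shown in a vulnerable form beside a hardened one. This is an added illustration, not code from the post or from Rook Security; the diagnostic "ping" API, the function names and the credentials are hypothetical and constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import re
from typing import List

# ---- Vulnerable pattern (hypothetical firmware fragment) ----
HARDCODED_PASSWORD = "admin1234"  # identical on every shipped unit


def vulnerable_auth(password: str) -> bool:
    # One secret for the whole product line: leak it once and every device is open.
    return password == HARDCODED_PASSWORD


def vulnerable_ping_command(host: str) -> str:
    # Caller input is spliced into a shell line; ';', '|', '`' etc. run as commands.
    return "ping -c 1 " + host


# ---- Hardened pattern ----
def derive_hash(secret: str, salt: bytes) -> bytes:
    # The stored credential is a salted PBKDF2 hash, never the plaintext.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def hardened_auth(password: str, stored_hash: bytes, salt: bytes) -> bool:
    # Per-device secret provisioned at manufacture; constant-time comparison.
    return hmac.compare_digest(derive_hash(password, salt), stored_hash)


_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")


def validate_host(host: str) -> bool:
    # Allow-list: an IP literal or a plain DNS name; anything else is rejected.
    if len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return _HOSTNAME.match(host) is not None


def hardened_ping_argv(host: str) -> List[str]:
    # Validate, then build an argv list for subprocess.run(argv) with no shell:
    # metacharacters in `host` stay inside one argument and are never interpreted.
    if not validate_host(host):
        raise ValueError("rejected host")
    return ["ping", "-c", "1", host]
```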

There are guidelines for securing IoT devices. For example, the OWASP guidelines for IoT aim to “enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.” If you are designing a web application, OWASP also has information on that on its website. For engineers and developers, learning secure coding also helps. Keep the attacker’s point of view in mind as well: think about the ways someone could abuse the device’s functionality, and work to close those doors.

Rushabh Vyas is a Security Analyst at Rook Security, a global IT security solutions provider.


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
