The Security Dilemma of IoT Devices and Potential Consequences

By : Tim Mackey | Monday, December 14 2020 - 12:40 IWST

Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Centre (CyRC) (Photo by Synopsys)

INDUSTRY.co.id - Over the last decade, we have experienced a surge in consumer-grade connected products – from thermostats and kitchen appliances to baby monitors and smart bulbs. While these are great additions for consumers, the convenience of a connected world can come with a trade-off in security and privacy. Hackers are finding more ways to gain access to personal information by exploiting weaknesses in everyday devices.

What is the problem with connected devices?

An example is in order. Let’s say you just bought a fancy new smart, internet-connected refrigerator. Typically, a fridge should last for about 10 years or so, and that is a reasonable expectation for consumers to have of such a large purchase. It’s rare for hardware, like that in a refrigerator, to need regular updates. Software, on the other hand, often needs updating – a situation the manufacturer may not fully account for over the lifespan of the device. In other words, they know very well how to make the hardware (the fridge) work, but they may not be accustomed to thinking about how the software (the smart capabilities) works.

The cybersecurity issues that we all live with today, and that can be fixed with an app update or a patch that is pushed out, may not necessarily be a priority for the executive teams at hardware companies. However, what does it mean to have designed something 10 years ago to the best practices of 10 years ago, and now need to deal with today’s cyber threats?

Manufacturers need to build security into their IoT devices

Manufacturers of smart IoT devices must understand that when designing a product, they should take into consideration how quickly privacy expectations change, especially if the hardware is expected to have a very long lifespan.

Consider the situation where a device has a microphone, a video camera or a speaker in it. We have seen instances over the last couple of years where malicious organisations have taken over baby monitors and DVRs to build botnets. We have seen incidents where people in the customer support organisation of a digital personal assistant provider have listened in on customer conversations or watched video of them. We’ve even had court cases involving a murder where the prosecution subpoenaed the background noise recordings from an Amazon Echo device. Through these episodes, we know that these smart devices are always on, and what can be done with the data they collect becomes a real consideration.

Where is the value for manufacturers?

From a security perspective, that means manufacturers of such devices need to look at security and privacy as two sides of the same coin. To ensure security, your team will have to fundamentally assess what the real risks are for that piece of software and who owns them. You are likely not going to get it absolutely right from the start, but your consumers are going to expect that you get it right. And you need to be flexible. You can’t say “but I adhere to this standard”, because while that standard may have been completely legitimate and “best practice” at the point in time you created that piece of software, standards have a history of needing to be amended and updated.

Ultimately for any business, it is all about brand value. If you are in the news for the wrong reasons, it is not going to help your shareholders. It is also not going to help your future business if you are known as supplying insecure products. There is no amount of public relations that can be carried out to offset having a data breach take place due to a cybersecurity oversight, especially given the competitive landscape out there.

So what’s next?

Manufacturers of connected devices are advised to invest in cybersecurity up front. Invest in creating threat models for how your products could be compromised and understand what the risks are in the software that’s being created and operated within your business. Since threat models reflect the current threat landscape, they will need to be continuously updated and will need to include an understanding of the life cycle of whatever product the software is powering. Your customers expect that your products are reliable, and the software is robust.

Aim to set a bar that is far greater than any piece of hardware that you might have designed. And particularly, you need to recognise that software has its own supply chains, so the security of your software extends beyond your in-house development teams. There is a very strong probability that your vendors and third-party services are also using code from external sources, and that code could itself have weaknesses or vulnerabilities disclosed against it. If you don’t pay attention to the combined custom code and code pulled from third-party libraries, you could be in a position where you get blindsided by an unforeseen vulnerability.
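To make the supply-chain point concrete, the following is an added example (not code from the article or from Synopsys) that walks a constructed dependency inventory for a hypothetical fridge firmware and flags every component that a constructed advisory list says is affected. The inventory includes a vendor SDK and the libraries that SDK itself pulls in, so the output shows how a weakness can enter the product through a third party's own dependencies. All package names, version numbers and advisory identifiers below are made up placeholders for the illustration, not real packages or real CVEs.

```python
"""Added example: flag affected components in a dependency inventory,
including transitive ones pulled in by vendor code. Every name, version
and advisory id here is constructed for illustration only."""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


@dataclass
class Component:
    name: str
    version: Version
    depends_on: List[str] = field(default_factory=list)


@dataclass
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE
    name: str          # affected component
    fixed_in: Version  # versions strictly below this are affected


def parse_version(text: str) -> Version:
    """Turn '2.8.5' into (2, 8, 5) so versions compare numerically,
    not as strings ('2.10.0' must sort above '2.9.0')."""
    return tuple(int(part) for part in text.split("."))


# Constructed inventory: the product's own firmware, a vendor SDK it uses,
# and the libraries that SDK depends on (the vendor's own supply chain).
INVENTORY: Dict[str, Component] = {
    "fridge-firmware": Component("fridge-firmware", parse_version("3.2.0"),
                                 ["cloud-sdk", "tls-lib"]),
    "cloud-sdk": Component("cloud-sdk", parse_version("1.4.1"),
                           ["json-parser", "tls-lib"]),
    "tls-lib": Component("tls-lib", parse_version("2.8.1")),
    "json-parser": Component("json-parser", parse_version("0.7.3")),
}

# Constructed advisories with placeholder identifiers.
ADVISORIES: List[Advisory] = [
    Advisory("ADVISORY-EXAMPLE-1", "json-parser", parse_version("0.8.0")),
    Advisory("ADVISORY-EXAMPLE-2", "tls-lib", parse_version("2.8.5")),
]


def find_affected(root: str,
                  inventory: Dict[str, Component],
                  advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (advisory_id, component, path) for each affected component
    reachable from `root`. The path is the shortest dependency chain from
    the product to the component, which shows whether the code was written
    in-house, pulled in directly, or inherited from a vendor's dependency."""
    by_name: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_name.setdefault(adv.name, []).append(adv)

    findings: List[Tuple[str, str, str]] = []
    seen = set()
    queue = deque([(root, [root])])       # breadth-first: shortest path wins
    while queue:
        name, path = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        comp = inventory[name]
        for adv in by_name.get(name, []):
            if comp.version < adv.fixed_in:
                findings.append((adv.advisory_id, name, " -> ".join(path)))
        for dep in comp.depends_on:
            queue.append((dep, path + [dep]))
    return sorted(findings)


if __name__ == "__main__":
    for advisory_id, component, path in find_affected("fridge-firmware",
                                                      INVENTORY, ADVISORIES):
        print(f"{advisory_id}: {component} reached via {path}")
```

Run against the constructed inventory, the script reports the TLS library as a direct dependency of the firmware and the JSON parser as something that arrived only through the vendor SDK; the second finding is the one a team that tracks only its own direct dependencies would miss.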

IoT security is a journey, not a destination

At the end of the day, there is no way to build a perfect piece of software. Instead, focus on how you would properly secure the software you create today, and how you will continue to support and patch it as new security issues arise. Manufacturers need to keep up with security best practices and embed security mechanisms throughout their software development process. Most attackers are looking for easy targets. If the software powering your products is difficult to compromise, chances are good that these criminals will move along to other potential targets and your customers will welcome your cybersecurity efforts.
