Having worked for more than 20 years in the technology and information security industry, I have seen first-hand how hard management can push their teams.
There is no doubt that the IoT race is on, but whipping teams into a frenzy so that they race through the development, testing and production phases has a real cost – the brunt of which is handed over to the consumer.
Think about it for a minute: real device security testing – at every stage of the development – is seriously painful. You need to document your risk analysis, create testing procedures, follow them under various conditions, record the findings, review and resolve the issues, and then repeat the whole process again and again until you are absolutely confident that the device is properly hardened against being hacked, or being accessed without consent.
It is no surprise that in this competitive environment, many providers are more concerned about competitive features and price points than they are about security and privacy vulnerabilities. It is a major concern that too many providers are taking short cuts when it comes to baking in security and privacy during the development phase.
And this is why today’s technology market is flooded with insecure IoT devices. Just check this shortlist of vulnerable devices already out there. Providers without security at the heart of their strategy risk passing their security and privacy vulnerabilities on to their customers.
Check out this handy list to make sure you are hardening your IoT devices against cybersecurity exposure both today, and tomorrow:
Don’t retrofit security features. Avoid tacking on security later in the development cycle. Security needs to be a key consideration from the get-go. If you are responsible for creating smart baby cams, for example, shouldn’t you produce a device that accepts user-created, complex, multi-character passwords; that uses device-specific Bluetooth discoverable ranges with generic names (to help prevent nearby lurkers from sniffing out specific devices); and that encrypts collected data and metadata in transit and stores them securely?
Appoint a project CISO. If you do not have trusted infosecurity expertise in house, consider appointing a CISO-on-demand to improve security, manage costs and limit liability. Choose a project CISO who is backed by a plethora of cyber resources and expertise so you only have to manage a single contact. This has proven to be an efficient and recommended approach for IoT device manufacturers.
Conduct a risk assessment analysis for each phase of the development. Working with risk, compliance and pen testing experts, like TBG Security, will make this process more efficient and more secure. Once you have a prioritised list of risks, you can allocate appropriate time and resources to addressing them.
Harden the device against unauthorised remote access and tampering. Consider implementing a unique authorisation code used only during installation, configuration and updates, with a session that automatically logs out after a set amount of time.
Allow for future software and firmware updates. Future cyberattacks are unknown. You may need to react against a brand new attack vector. Where possible, bake in a secure route so that updates can be pulled down to IoT devices by authorised users.
Make it easy for your customers to stay secure. Make updating automatic if possible. If that can’t be done, make the process as smooth and simple as you can, and explain it clearly to users. If a default password can’t be avoided, force the user to change it on first use. Provide advice on setting things up securely – see our list of consumer tips for some ideas.
Regularly penetration test your software post-production. Now that your IoT device is out in the world, you need to keep up with any newly discovered vulnerabilities. TBG Security has expert penetration testers and risk assessment officers with access to all the latest information security discoveries, tools and thinking. This approach will help keep you a few steps ahead of the opportunistic attacker.
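The two access-control points above, a single-use installation code that expires on its own and a forced password change before the device will accept any other configuration, are easy to state and easy to get subtly wrong. The following is an added example, not code from TBG Security or from any device vendor, that models a device's setup flow in Python using only the standard library. The class and method names, the 300-second code lifetime, the 120-second idle timeout and the complexity policy are all assumptions chosen for the illustration; a real product would pick its own values. The clock is passed in as a parameter so the timeouts can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed policy values for this example; a real device sets its own.
SETUP_CODE_TTL = 300          # seconds a freshly issued setup code stays valid
SESSION_IDLE_TIMEOUT = 120    # seconds of inactivity before a setup session is logged out
PBKDF2_ROUNDS = 200_000       # work factor for stored password hashes


def password_is_complex(pw: str) -> bool:
    """Minimal complexity policy: 12+ characters, mixed case, a digit and a symbol."""
    return (len(pw) >= 12
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; never store the password itself on the device."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class SetupSession:
    last_activity: float      # clock value of the last accepted request


@dataclass
class DeviceAuth:
    """Hypothetical device-side state for installation and first-use hardening."""
    _setup_code: Optional[str] = None
    _setup_code_expires: float = 0.0
    _salt: Optional[bytes] = None
    _pw_hash: Optional[bytes] = None
    _session: Optional[SetupSession] = None

    @property
    def password_set(self) -> bool:
        return self._pw_hash is not None

    def issue_setup_code(self, now: float) -> str:
        """Mint a fresh random code (shown on the device or in the app), valid for SETUP_CODE_TTL."""
        self._setup_code = secrets.token_hex(8)
        self._setup_code_expires = now + SETUP_CODE_TTL
        return self._setup_code

    def begin_setup(self, code: str, now: float) -> bool:
        """Open a setup session if the code is current; the code is consumed on success."""
        if self._setup_code is None or now > self._setup_code_expires:
            return False
        if not hmac.compare_digest(code, self._setup_code):   # constant-time compare
            return False
        self._setup_code = None                                # single use
        self._session = SetupSession(last_activity=now)
        return True

    def _session_valid(self, now: float) -> bool:
        """Automatic logout: any gap longer than the idle timeout ends the session."""
        s = self._session
        if s is None:
            return False
        if now - s.last_activity > SESSION_IDLE_TIMEOUT:
            self._session = None
            return False
        s.last_activity = now
        return True

    def set_password(self, new_pw: str, now: float) -> bool:
        """The only action allowed before a user-chosen password exists."""
        if not self._session_valid(now) or not password_is_complex(new_pw):
            return False
        self._salt, self._pw_hash = hash_password(new_pw)
        return True

    def configure(self, setting: str, value: str, now: float) -> bool:
        """Every other configuration change is refused until the password has been set."""
        if not self._session_valid(now) or not self.password_set:
            return False
        # A real device would apply `setting = value` here.
        return True

    def verify_password(self, pw: str) -> bool:
        if not self.password_set:
            return False
        _, digest = hash_password(pw, self._salt)
        return hmac.compare_digest(digest, self._pw_hash)
```

Two design points carry most of the value: the setup code is consumed the moment it is accepted, so a captured code cannot be replayed later, and `configure` checks `password_set` rather than trusting that the app walked the user through the password screen, so the forced change is enforced by the device and not by the client.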
How TBG Security can help
TBG Security provides quality penetration tests and risk assessments tailored to your specific needs. Whether you are a governing body, a financial institution, an insurer, a legal or accountancy firm, or an online provider, we can help.
Get in touch. We can chat about your needs and help you figure out the best approach for you.