Just because a device is smart, doesn’t mean it’s safe. That’s the October message from the FBI about connected products, such as home automation and security systems, medical devices, and wearables.
In its recent statement, the FBI expressed concern about the vulnerability of unsecured Internet of Things (IoT) devices, which criminals could compromise to launch attacks on other systems, steal personal information, jeopardize physical safety and more.
The FBI didn’t mention any imminent attacks, but experts are paying serious attention to a powerful strain of IoT attack malware, dubbed “Reaper” and “IoTroop,” that may have already infected a million organizations, according to KrebsOnSecurity.
And while there are a variety of preventative measures consumers can take, such as frequently changing passwords and installing patches, the burden of ensuring hackers don’t gain access to unsecured connected devices can’t totally fall on the public. Improved security is also the responsibility of companies creating smart devices, and many are being called on to step up their game.
Designing Better IoT Security
The US Food & Drug Administration (FDA), for example, says it’s examining security gaps and safety risks in connected medical devices, reports HealthcareITNews. As part of its efforts, the FDA has created a risk management program utilizing resources from the National Institute of Standards and Technology (NIST), and is also instructing companies to focus on security during the product design process.
Whereas industries like healthcare must adhere to government-mandated regulations, consumer electronics — which is producing a huge portion of connected devices — does not.
That’s likely one of the reasons British chip-making company Arm just unveiled its Platform Security Architecture (PSA), which has support from companies like Google, Sprint, and Cisco. Arm’s PSA is a new, open-source, architecture system designed to act as a common development framework companies can work from to ensure their IoT products are safer.
As described by MIT Technology Review, think of PSA as a “set of free, open-source documents and code that define how a device’s software and firmware should be designed to make it secure—a kind of checklist and corresponding set of tools that should, in theory, help device makers build wares that are harder to hack.” At the moment, Arm has released the first draft of PSA specifications for its partners, with a wider, public release targeted for early 2018.
Moving Faster on IoT Development
Now, one of the biggest challenges is getting IoT product companies to take threats more seriously, and begin incorporating stronger security measures into their design.
In the recent Harvard Business Review Analytic Services report, “Bridging The Gap In Digital Product Design,” for example, just 24% of companies creating smart products said managing and securing large amounts of personal data gathered from connected devices is a major challenge.
That number was surprisingly low according to one expert quoted in the report, Hans Brechbühl of Tuck’s Center for Digital Strategies, who says it could mean that many companies don’t understand how big the issue is. “If your product or service gathers a lot of data, you’d better be ready to handle it,” Brechbühl says within the report.
If companies creating IoT products are looking for immediate ideas on how to begin remedying security gaps during development, there are certainly places to start. Better requirements management ensures products do what they’re designed to do, and decreases the amount of defects or vulnerabilities in its final release. Improving collaboration between development teams, specifically hardware and software, will also go a long way in averting inadvertent security blind spots.
For more insights on how product companies can tackle security of smart devices, check out our blog post, “One of the Biggest Security Problems Smart Product Developers Are Missing,” and the report, “Bridging The Gap In Digital Product Design.”
