This week, zero-day flaws found in smart home hubs exposed the risks that families and even manufacturers could face if security is not built into the device.
Several IoT bodies, from consortiums to alliances, are rallying for common global IoT security standards, but the industry still seems to be at an early stage of discussions. One thing they have agreed on: security and support should be given to consumers throughout the devices’ lifetime.
CBR rounds up five basic security features that need to be built into a smart device.
1. Interpretation HUB
The IoT environment will need an ‘interpretation HUB’ (server-type) that can function as a knowledge base for connecting all diverse options.
This hub will be one way of helping to address security issues around software licensing, entitlement management and IP protection.
Aurelius Wosylus, Director of Business Development, Embedded Markets & IoT at Gemalto told CBR: "The ‘HUB’ requires various levels of security, starting with the infrastructure and continuing to the software embedded within each end point device – preventing hacking and tampering on the one end, and collecting usage data and performance metrics on the other."
The idea of an encryption security feature might frighten some in the IoT space, but a built-in encryption system will help to keep the device’s data more secure and away from third parties.
Only specific people should be allowed to access the device, which guards against several different types of attack, from the theft of private information to malvertising.
Wosylus said: "If a hacker should be able to enter the system, everything should be encrypted. This should involve encrypting data and protecting the software that is embedded into the sensors, networks and systems that collect, analyse and share the data.
"In an encrypted environment, hackers can find it more difficult to reverse engineer applications or remotely determine the specifics of an IT infrastructure."
Associated with encryption, authentication will play a vital role in the IoT space, ensuring that only the right people access the device and that device’s data. In the IoT sphere and in the always-connected world, the device will have to authenticate itself before it starts exchanging data with an outside source, in order to create a real-time experience with the lowest latency possible.
Wosylus added that to ensure maximum security, data encryption should be extended to all links between devices, with authentication codes solely linked to corresponding hardware, securing the logins of people and systems.
He added: "Though there are different levels and ways to protect IP, just one weak point could open a door to a potential hack.
"The system is only as strong as the weakest point in the completed network – ultimately, this could be the human or the technology. Therefore, controlling access should be the top priority."
Since the late 1980s, when they were invented, firewalls have been the security backbone of devices like computers. Firewalls help to screen out hackers, viruses and worms that target the devices.
These software solutions block threats and only allow traffic to go through the ‘wall’ to the device if that traffic is intended to reach that given device from an authorised source.
In a whitepaper, embedded software company Wind River explained that deeply embedded devices have unique protocols, distinct from enterprise IT protocols. It added that, for example, the smart energy grid has its own set of protocols governing how devices talk to each other.
The company said that industry-specific protocol filtering and deep packet inspection capabilities are needed to identify malicious payloads hiding in non-IT protocols.
One of the critical points during the lifetime of a secure system is at boot time. Many attackers attempt to break the software while the device is powered down, according to ARM.
Wind River explains that when power is first introduced to the device, the authenticity and integrity of the software on the device is verified using cryptographically generated digital signatures.
Software developers will have to create a way of including a digital signature in the device’s software. Coupled with the device manufacturer’s approval for that same software's use, booting will ensure that only authorised software is loaded onto the device, the firm’s whitepaper explains.
Luigi Mantellassi, CMO at Dizmo, told CBR: "Protection is needed on all layers of software like boot software, operating system, applications and finally data transmission protocols."
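The boot-time check described above (a developer signature plus the manufacturer's approval, verified before the software is loaded) can be sketched as follows. This is an added example, not code from Wind River, ARM or CBR; the `Image` layout, the use of Ed25519 with SHA-256, and the names `demoKey`, `pubOf`, `Sign` and `VerifyAtBoot` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Image is a hypothetical firmware container (layout assumed for this example).
type Image struct {
	Payload []byte
	DevPub  ed25519.PublicKey // developer key shipped with the image, untrusted until approved
	DevSig  []byte            // developer signature over SHA-256(Payload)
	MfrSig  []byte            // manufacturer approval over SHA-256(Payload) || DevPub
}

// demoKey derives a fixed, constructed key; production keys live in an HSM.
func demoKey(b byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
}
func pubOf(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }

// Sign produces an image signed by the developer and approved by the manufacturer.
func Sign(payload []byte, dev, mfr ed25519.PrivateKey) Image {
	d := sha256.Sum256(payload)
	approval := append(d[:], pubOf(dev)...)
	return Image{payload, pubOf(dev), ed25519.Sign(dev, d[:]), ed25519.Sign(mfr, approval)}
}

// VerifyAtBoot runs before any payload byte executes; only mfrRoot (ROM or fuses) is trusted.
func VerifyAtBoot(img Image, mfrRoot ed25519.PublicKey) error {
	if len(img.DevPub) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad key length
		return fmt.Errorf("malformed developer key")
	}
	d := sha256.Sum256(img.Payload)
	if !ed25519.Verify(mfrRoot, append(d[:], img.DevPub...), img.MfrSig) {
		return fmt.Errorf("manufacturer approval missing or invalid")
	}
	if !ed25519.Verify(img.DevPub, d[:], img.DevSig) {
		return fmt.Errorf("developer signature invalid")
	}
	return nil
}

func main() {
	img := Sign([]byte("constructed firmware v1"), demoKey(1), demoKey(2))
	fmt.Println("genuine:", VerifyAtBoot(img, pubOf(demoKey(2))))
	img.Payload[0] ^= 1 // one flipped bit, as if flash were modified while powered down
	fmt.Println("tampered:", VerifyAtBoot(img, pubOf(demoKey(2))))
}
```

Because the manufacturer's approval covers both the payload digest and the developer key, an image that is correctly signed by a key the manufacturer never approved is rejected just like a modified one.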