While society, in general, is very concerned about making connected devices more secure, many manufacturers are not very active in addressing this issue.
According to some experts, most manufacturers give product functionality higher priority, to the detriment of cyber security. Resources are always limited, so manufacturers often decide that delegating these resource-intensive issues to specialized cyber security companies is better than trying to become experts in a new field.
That is rational, except that cyber security experts are usually not involved at the product creation stage. As in “traditional” IT, cyber security solutions are offered as additional products that customers can purchase if they consider it necessary. This is often perceived as quite unfair because it makes the cost of owning a “thing” higher than expected.
Cyber security incidents are not only about the private lives of a few accident-prone people who forgot to change a default password. It is well known that any connected thing can become part of a botnet and take part in mass targeted attacks, or transfer private data to intruders. That’s why public institutions will put more and more pressure on manufacturers of IoT products.
For example, Genesis Toys has already faced such a situation: the German government banned sales of its Cayla dolls and i-Que robots because they could potentially spy on kids. Not very beneficial for a company’s financial performance, right?
Cyber Security For IoT Devices
We’ve selected some good ideas on product software design that could help make a product more secure and user-friendly:
1. Less data means more privacy. A smart device and its software should collect and store only data that is directly related to the problem your product promises to solve. If the product provides some data analytics, any raw data gathered for estimations should be quickly removed from places where “third parties” could access it.
2. It’s good to stay anonymous. Everyone wants more personalised products and services, but this should not turn into an opportunity for intruders. All personal data processed by an IoT application, including geotargeting data, should be anonymized.
3. Encrypt everything. Communication channels and processed or stored data can all be encrypted, and they should be for better security.
4. Track queries and log all events. Repeated queries, or other queries that are not typical of the product’s usage patterns, should be blocked. It’s also good to record events and make them visible to device owners so they can detect suspicious actions early.
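An added sketch of idea 4 (not code from any product or vendor mentioned here): a sliding-window guard that blocks queries outside an assumed allow-list or above an assumed rate, and records every decision in a log the owner can review. The thermostat query names, the limits and the sample traffic are all constructed for illustration.

```python
from collections import defaultdict, deque

# Hypothetical policy for a smart thermostat; tune per product.
ALLOWED_QUERIES = {"get_temperature", "set_target", "get_schedule"}
MAX_QUERIES = 5        # accepted queries per client per window
WINDOW_SECONDS = 10.0

class QueryGuard:
    """Blocks atypical queries and keeps an event log the owner can read."""

    def __init__(self):
        self._recent = defaultdict(deque)   # client -> times of accepted queries
        self.events = []                    # owner-visible audit trail

    def check(self, client, query, now):
        """Return True if the query may run; every decision is logged."""
        window = self._recent[client]
        # Drop timestamps that have aged out of the sliding window.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if query not in ALLOWED_QUERIES:
            verdict = "blocked:unknown_query"
        elif len(window) >= MAX_QUERIES:
            verdict = "blocked:rate_limit"
        else:
            window.append(now)
            verdict = "allowed"
        self.events.append({"time": now, "client": client,
                            "query": query, "verdict": verdict})
        return verdict == "allowed"

    def suspicious_events(self):
        # Entries an owner-facing app would highlight.
        return [e for e in self.events if e["verdict"] != "allowed"]

def replay(requests):
    """Run constructed (time, client, query) tuples through a fresh guard."""
    guard = QueryGuard()
    results = [guard.check(c, q, t) for t, c, q in requests]
    return results, guard.suspicious_events()

# Constructed sample traffic: normal use, one unknown query, then a burst.
SAMPLE = [(0.0, "app", "get_temperature"), (1.0, "app", "set_target"),
          (2.0, "10.0.0.9", "dump_config")]
SAMPLE += [(3.0 + i * 0.1, "10.0.0.9", "get_schedule") for i in range(7)]

if __name__ == "__main__":
    for event in replay(SAMPLE)[1]:
        print(event)
```

Only accepted queries count toward the window, so a client that keeps hammering the device still gets at most five answers per ten seconds while every refused attempt stays visible in the log.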
Besides antivirus software, which helps to secure already existing products, there is an emerging technology that aims to improve the cyber security of connected devices.
AntiExploit is a software solution designed to make exploitation of 0- and 1-day vulnerabilities, and of vulnerabilities related to memory corruption, extremely difficult or even impossible for an attacker.
AntiExploit technology randomly shuffles code in the device’s memory during firmware installation. In this way, although the vulnerabilities do not go away, they become inaccessible to intruders. Developers claim that AntiExploit helps even in cases when the default password has not been changed.
As we can see, there are numerous solutions available that could help manufacturers make their products better. Private and public security is important, and we hope to see more useful and secure devices that will make our everyday life more comfortable.