How to Build a Security Framework for IoT
Adrian Liviu Arsene
Director of Threat Research and Reporting at CrowdStrike
Smart devices have been found riddled with security vulnerabilities in the past couple of years by numerous security researchers, proving that usability does not necessarily go hand in hand with security. Even popular IoT devices – 70 percent of them – were found harboring more than one critical vulnerability, potentially allowing attackers to remotely control them and use them to pivot to other devices or networks.
SoC-powered Android devices were found to be even more vulnerable to cybercriminals, as some of the vulnerabilities found could allow root access. This means attackers could gain complete control over such devices, and even smartphones were prone to the same threats.
Why Such Poor Security for IoT?
Manufacturers building smart devices seldom follow basic system security engineering principles. As they focus on quick go-to-market deployments and high return on investment, building in security, or even thinking of adding security mechanisms, is often dismissed from product roadmaps.
While this drives the consumer market, it’s companies that bear the brunt of the repercussions, as employees usually break the security chain by introducing IoT devices into the corporate network. Commercial products today inevitably make their way into such networks and could jeopardize the security of the entire organization. Enterprise managers are at a loss when trying to manage such devices, as they don’t follow any security design principles that allow for IT management.
Usability and low hardware costs fuel the proliferation of IoT devices, but at the same time destabilize the security chain by not adhering to best practices or even supporting any type of IT management. Known weaknesses are common in IoT: cleartext cloud or local APIs that expose personal data, remote shell access, and even exposed UART (Universal Asynchronous Receiver/Transmitter) interfaces that allow physical interaction with the device.
Engineering a Security Framework
The missing component in the IoT development lifecycle is the security engineering discipline that allows for concepts and methods to test, implement and build security mechanisms right into smart devices. An integrated, system-level perspective on system security should be the first step toward defining a solid IoT security framework.