Securing IoT Apps and The OWASP IoT Project

Everything comes alive. It's the long-heralded tech future, and the future is now. Many things around us, from bulbs to thermostats and sprinklers, are getting smarter, which simply means that they're getting easier to administer or personalize. That feat is achieved by designing previously mechanical devices to be digital, enabling them to run complex software that processes digital input commands, and in many cases hooking them up to the internet. Et voilà! The Internet of Things (IoT) is born. It's not a tale anymore; we're living it, albeit with some way to go till full-on Jetsons-dom.

Regardless of where it's domiciled, software remains software. As such, it's unsurprising that hackers are expected to be major players in the IoT space. Is our world getting ultra-personalized? A resounding yes. But it's definitely more hackable too. Researchers are already demonstrating scary examples, ranging from the hacking of cars to compromised pacemakers.

What’s Special About Security in IoT?

There are two points we mustn't forget when pondering security in IoT. The first is that smart things are still fairly nascent, so while the industry has internalized the dos and don'ts for securing more conventional systems like web apps or enterprise applications, apps for smart bulbs and alarms are a different story. The connected devices domain has its unique elements, but even where the systems are similar to more conventional systems, we seem to be making mistakes that would be considered inexcusable or almost dumb in more established software domains: for instance, failing to protect secrets while transmitting data, or shipping insecure default configurations. Perhaps this is due in part to the lack of security standards for IoT apps. I also think that some IoT apps are almost experimental in nature and are built by young startups. For instance, one can imagine a smart group of folks coming up with a super cool smart sprinkler/alarm/anti-burglary idea. Next thing you know, it's "let's build a prototype, validate it, and push it out fast to see if it gets any traction." Security architecture, secure design, and threat modeling are easily missed in such scenarios.

Another unique aspect of IoT apps built for smart devices is that most of those devices have limited resources like computing power or memory. That smart sprinkler doesn’t have a lot of computing power. This often means that anything considered unessential is pushed aside in favor of performance and efficiency. Security is easily pushed aside without a proper understanding of the security requirements and risk posture of an IoT system.

Designing Secure IoT Apps with The OWASP IoT Project

Organizations like OWASP (Open Web Application Security Project) are rushing to fill the gap in IoT Security knowledge through initiatives like the OWASP IoT Project.

According to OWASP: The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.

The OWASP IoT Project includes the OWASP IoT Top 10, a list of the top 10 IoT security flaws. To whet your appetite, here's an IoT Top 10 infographic summarizing the flaws and their solutions.

IEEE Spectrum magazine also has a very insightful article about how we can build a safer Internet of Things.

Before you embark on or complete your next IoT project, find some time to dig into the OWASP IoT Project for more details about designing and implementing secure IoT applications. The guys have done a bang-up job! And as you unleash your brilliance in the design of a smarter world, please code securely, validate your security, and play your part in keeping the world safe.
