Smart IoT products needn't be hackable

April 7, 2016 OpenSystems Media
  • The combination of lower hardware costs, stronger connectivity, and more stable infrastructure facilitates the production of innovative products and has allowed the boom in IoT-enabled devices. The technology is there and the demand is there. The only limitation is our imagination.

    Getting devices to market faster than the competition can provide a crucial advantage. But that’s not the only obstacle. A larger one relates to security, and how connected devices keep users and makers safe from data hacks and eliminate third-party control over devices.

    The potential danger is real and documented quite extensively. Take an example reported by the Guardian, where a child’s toy with the ability to learn the child’s name and other personal details was hacked. Thankfully, the breach was discovered by a security firm and the manufacturer was able to rectify it before anyone was harmed or any data leaked.

    These are the four minimum requirements for security:

    1. Use secure hardware
      1. RNG or the whole crypto stack on chip
      2. Anti-tamper features
    2. Implement secure communication
      1. Encryption and authentication
      2. TLS/DTLS standards
    3. Build over-the-air (OTA) functionality into your devices
      1. OTA updates and remote management to push security upgrades
    4. Have a recovery plan
      1. Tech and communications should things go wrong

    Remember, hackers will always aim to beat the newest security features. So while you need to utilize secure hardware and secure communication, it’s vital that you can upgrade products over-the-air. This means consistent R&D in the security aspect of your smart product. Should the worst outcome play out, you must be ready to act quickly:

    1. Technical save: Regardless of whether you’re using a solution provider or in-house development, be sure to have a plan in place in case of a hack. Establish how fast an upgrade to prevent further hacks can be pushed as well as a process to identify how a security breach occurred in the first place.
    2. PR save: Have your communications team briefed on all your smart products and the technical background of these. Should a security breach occur, it’s vital that they have the basic information plus exactly what occurred and how it will be fixed. Getting in front of these issues and showing consumers that you are responsive is vital.

    Very simply, inexperience is the most common pitfall. Embedded development and security protocols are complex beasts. This complexity leads to implementation mistakes if the team responsible hasn’t got extensive experience. Security is often compromised in favor of bringing a connected product to market fast and under budget. With the right expertise on your side, there’s no need for this compromise.

    Anatoly Lebedev is the CEO and Co-Founder of Irish company Cesanta. Together with his team, he helps define the future of embedded communication technologies. Previously, Anatoly shaped strategic partnerships in Europe, Middle East, and Africa in his eight-year tenure at Google. He is heavily involved in the Irish startup scene and can be found as a mentor at hackathons and startup weekends.

Anatoly Lebedev, CEO and Co-Founder, Cesanta
Previous Article
Feel "free" to use embedded Linux

Linux has been a mainstream embedded operating system for many years. And yet, the licensing and developmen...

Next Article
Design machine vision into your embedded system

Machine vision systems from companies like Cognex, Keyence, Banner, and others are used to check the qualit...