Designing internet of things (IoT) products is like a modern-day Gold Rush, where companies large and small are aggressively pushing out everything from smart, connected tea infusers and doorbells to cars, factory automation systems, and building control equipment. Unfortunately, what often gets lost in this rush is security.

“We have seen so many different news (items) recently…we see devices like cars, in home and in industrial getting hacked,” said Majid Bemanian, director of segment marketing at Imagination Technologies and a board member of the IoT Security Foundation (IoTSF). “The challenge that exists is, trust takes time to build. We can’t afford to have IoT devices out there being compromised and lose the trust of the consumer.”

On March 30, IoTSF hosted its first Bay Area gathering in Santa Clara to bring technologists together to learn about its mission and to also gather input on the organization’s direction for this region. Launched in London in September 2015, the non-profit, vendor-neutral IoTSF aims to promote knowledge and best practices in appropriate security for those who specify, make, and use IoT products and systems. Its 90-plus members come from industry and academia.

Already, said Bemanian at the gathering, “the accomplishments have been enormous. It’s been a pleasure to see the amount of contribution made just by the European geography.”

Trust framework closes security gaps

The IoTSF has formed several working groups to address topics including connected consumer/home, patching constrained devices, vulnerability disclosure, the IoT security landscape, and trustmark/regulatory issues. At the Bay Area gathering, Pamela Gupta, president of OutSecure Inc. and chair of the IoTSF’s self-certification working group, discussed a holistic approach to addressing security.

“We are not going to solve this problem by technology alone,” Gupta said. “We need a holistic approach to security.”

To that end, the self-certification working group has developed a trust framework for self-regulation that focuses on the device in the scope of the ecosystem and the different touchpoints. As examples of how the framework can help mitigate security vulnerabilities, Gupta outlined some use cases, including the Mirai botnet and the iKettle hack.

According to Gupta, researchers have found about a half-million IoT devices that are vulnerable to the Mirai botnet, which attacks routers, cameras, DVR players, printers, and similar equipment that use factory default or hardcoded login names and passwords. The trust framework can help mitigate the risks by, for example:

• Requiring unique passcodes for each individual device
• Allowing factory default or OEM login accounts to be disabled, erased, or renamed

In October 2015, the iKettle made news in London when a security researcher found how easy they were to hack in order to access home Wi-Fi passwords. Gupta explained that these kettles, which boil water via a smartphone app command, did not authenticate the Wi-Fi access point by anything other than SSID, so they could easily connect to a fake access point. This oversight allowed hackers to use an AT-KEY command for the Wi-Fi network to root out the Wi-Fi Protected Access, Pre-Shared Key (WPA PSK). In this use case, the IoTSF trust framework could mitigate attacks by requiring:

• A unique default password per device if authentication is required
• All network communications keys to be stored securely
• All interactive OS accounts of logins to be disabled or eliminated
• In a wireless interface with an initial pairing process, passkeys to be changed from default prior to normal service

Left unprotected, IoT products such as smart kettles can be vulnerable to security breaches.

Assess your risks, take action

Could one framework address all of the nuances of all of the varied IoT devices being developed? The idea behind the framework, noted Gupta, is to guide businesses to assess their risks and, based on this, apply appropriate elements of the framework. Depending on the business’s risk profile, some of the elements are mandatory, while others are suggestions. “Absolutely the focus for us is how to make it actionable,” Gupta noted. The current iteration is for consumer devices and is expected to be finalized by summertime. Next, the working group will take a closer look at areas such as industrial and healthcare.

“It’s not just about protecting your company,” said Gupta. “It’s about protecting society as a whole.”