Authored by: Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Centre (CyRC)
Over the last decade, we have experienced a surge in consumer-grade connected products – from thermostats and kitchen appliances to baby monitors and smart bulbs. While these are great additions for consumers, the convenience of a connected world can come with a trade-off in security and privacy. Hackers are finding more ways to gain access to personal information by exploiting weaknesses in everyday devices.
What is the problem with connected devices?
An example is in order. Let’s say, you just bought a new fancy smart internet-connected refrigerator. Typically, a fridge should last for about 10 years or so. This is a reasonable expectation that consumers have for such a large purchase. It’s rare for hardware, like that in a refrigerator, to need regular updates. Software on the other hand often needs updating – a situation the manufacturer may not fully account for over the lifespan of their device. In other words, they know how to make hardware work (the fridge) very well, but they may not be accustomed to thinking about how software (the smart capabilities) works.
The cybersecurity issues that we all live with today and that can be fixed with an app update or something that’s being pushed out may not necessarily be a priority within the executive teams at hardware companies. However, what does it mean to have designed something 10 years ago to the best practices of 10 years ago, but now need to deal with today’s cyber threats?
Manufacturers need to build security into their IoT devices
Manufacturers of smart IoT devices must understand that when designing a product, they should take into consideration the velocity of privacy expectations, especially if the hardware is expected to have a very long lifespan.
Consider the situation where a device has a microphone, a video camera or a speaker in it. We have seen instances over the last couple of years where malicious organisations have taken over baby monitors and DVRs to build botnets. We have seen incidents where people who are with the customer support organisation for the provider of a digital personal assistant have listened in on customer conversations or seen the videos of the conversations. We’ve even had court cases involving a murder where the prosecution went and subpoenaed the background noise recordings from an Amazon Echo device. Through these episodes, we know that these smart devices are in an always-on situation and what can be done with that data becomes a real consideration.
Where is the value for manufacturers?
From a security perspective for manufacturers of such devices, that means that you need to look at security and privacy as being two sides of the same coin. To ensure security, your team will have to fundamentally assess what the real risks and ownership are for that piece of software. You are likely not going to get it absolutely right from the start, but your consumers are going to expect that you get it right. And you need to be flexible. You can’t go and say “but I adhere to this standard” because while that standard may have been completely legitimate and “best practice” at the point in time that you created that piece of software, standards have a history of needing to be amended and updated.
Ultimately for any business, it is all about brand value. If you are in the news for the wrong reasons, it is not going to help your shareholders. It is also not going to help your future business if you are known as supplying insecure products. There is no amount of public relations that can be carried out to offset having a data breach take place due to a cybersecurity oversight, especially given the competitive landscape out there.
So what’s next?
Manufacturers of connected devices are advised to invest in cybersecurity up front. Invest in creating threat models for how your products could be compromised and understand what the risks are in the software that’s being created and operated within your business. Since threat models reflect the current threat landscape, they will need to be continuously updated and will need to include an understanding of the life cycle of whatever product the software is powering. Your customers expect that your products are reliable, and the software is robust.
Aim to set a bar that is far greater than any piece of hardware that you might have designed. And particularly, you need to recognise that software has its own supply chains, so the security of your software extends beyond your in-house development teams. There is a very strong probability that your vendors and third-party services are also using code from external sources, and that code could itself have weaknesses or vulnerabilities disclosed against it. If you don’t pay attention to the combined custom code and code pulled from third-party libraries, you could be in a position where you get blindsided by an unforeseen vulnerability.
IoT security is a journey, not a destination
At the end of the day, there is no way to build a perfect piece of software. Instead, focus on how you would properly secure the software you create today, and how you will continue to support and patch it as new security issues arise. Manufacturers need to keep up with security best practices and embed security mechanisms throughout their software development process. Most attackers are looking for easy targets. If the software powering your products is difficult to compromise, chances are good that these criminals will move along to other potential targets and your customers will welcome your cybersecurity efforts.