As a society, we like things that are smart. Your TV, phone, thermostat, even your water bottle now tracks your habits and interacts with you via applications.
We demand that our connected devices do more for us, collecting data to help us make more informed decisions, offer us more options, and just be downright better. Unfortunately, far too often in the quest to gain more features from our various devices, security concerns are lost along the way.
Internet of Things (IoT) devices face risks that the industries producing them are generally unprepared to deal with. Time after time, we see new breaches that target vulnerabilities in IoT products which should make us increasingly cautious about buying them, with good reason.
However, given the market trends, IoT looks like it is the wave of the future, so we need to define the challenges and find ways to make it more secure.
Why is IoT security failing?
Part of the blame for security issues lies with the vendors who are producing them. Unlike your more standard computers, IoT devices are nowhere as near prepared to deal with the threat of hacking.
For starters, despite all of the security issues that we have in the application space, many of the vendors have been around for a while and are pretty good at implementing many of the basics on how to build devices securely.
Contrast this with a company whose main focus has been building kitchen appliances or light bulbs, and they are essentially starting from scratch. Consider beginner level mistakes like shipping all of your security cameras with the same default password, or making it very difficult to update faulty firmware, and there is plenty of room for painful mistakes.
This is not to even mention all of the ways that companies who have no experience in protecting user information like credit card numbers, home addresses, or possibly more sensitive details like medical records that could be breached through their applications.
To be fair to some of these device manufacturers, especially those who are building lower-end types of products like lightbulbs as well as those aimed at a budget market, doing security right can be an expensive endeavor. This can entail hiring an experienced team that is familiar with the ecosystem and knows which bases need to be covered to lower the risks of getting bitten later by an embarrassing breach. Add to that the pressure of needing to pump out software at a rate that does not necessarily take security reviews into account, with developers focusing on simply making sure that it works.
In surveying the field, it is safe to assess that the world of IoT is still very much a Wild West. If the past few years are any indicator, companies only face scrutiny in the wake of a hack that exposes customer data or when a botnet wipes out the internet of the East Coast.
So how is this latest stage in the evolution of technology supposed to progress, producing the features to keep them ahead of their competition while mitigating security risks?
In the face of these challenges, open source software may offer these manufacturers a way to develop innovative and powerful software that is more secure, while keeping up with the industry’s competitive release timeframes.
Moving IoT forward with the power of open source software
In order to keep up with the demand for the software that puts the brains in IoT devices, developers turn to open source software components to add powerful features to their products without the need to invest time in writing the code themselves.
Open source components are the libraries and frameworks which are created and maintained by the open source community and are made available for reuse by other developers who can include them in their own projects.
The option to take ready-made software components from high-quality projects is a boon for developers in the IoT space, especially those organizations which are new to the field of connected devices.
Whereas the open source resources in the web application space have grown robust over the past few decades, similar to the industry that it is serving, IoT is still very much in the formation stages. This is actually an advantage as it allows organizations like the Linux Foundation to step in and establish the rules of the new environment.
In February 2016, the Linux Foundation launched the Zephyr Project with the goal of creating a secure, light footprint, and open source Real-Time Operating System (RTOS) for use throughout the industry.
“Open source plays an important role in driving technical innovation in the IoT space,” explains Kate Stewart, Senior Director of Strategic Programs at The Linux Foundation. “It provides a structure and methodology for collaboration across the ecosystem and brings together expert perspectives from a diverse range of stakeholders.”
Using a permissive Apache 2 license, the initiative is a recognition from the key open source actor that the IoT space requires a different set of solutions to meet the current and future needs.
As with many of their other projects in the software development space, the folks over at the Linux Foundation wanted to lay out a standard that would serve the community of developers moving forward, preparing the ground for collaboration and a solid code base that could be incorporated into future products.
“When we looked around in 2015, the options available all had differing flaws that prevented them from being a good starting point for a community to collaborate on security,” says Stewart, adding that, “We wanted to be able to follow best practices to make code ready for safety-critical applications in this small footprint space.”
In the time since, they have attracted a number of influential members from the industry, including Intel and Texas Instruments to name a few.
Tips for making more secure IoT devices and applications
Just in time for Christmas, the good folks over at Mozilla have put together a list of IoT devices who have been naughty and nice when it comes to important criteria like security and privacy. Anyone shopping for gifts should give this review a look before making any purchases.
When it comes to the companies who are developing IoT devices, here are a couple of basic best practices that we recommend for keeping your customers and their data secure.
1. Encrypt User Data
Everything from location data and health statistics to recordings of your Hello Barbie should be encrypted so that in the event of a man in the middle attack or breach, your customers’ information will be useless for the thieves.
2. Allow Users To Change Passwords
Lower the risk that your devices fall into a botnet by making it harder for them to take control of your hardware. One of the easiest methods is to require that users change the password on their device once they take ownership of it, reducing the chances that a hacker could reuse a single password to harness thousands of devices (or more) for their own nefarious purposes.
3. Use Proven Open Source Components For Your Application Development
Open source components have the distinct advantage of being reviewed by members of the community who are always making necessary tweaks and reporting vulnerabilities.
When these vulnerabilities are discovered and published, make sure that your developers have the Software Composition Analysis (SCA) tools to keep components with these known vulnerabilities out of their software during development.
An automated SCA tool can also alert them to newly discovered vulnerabilities as they are disclosed, giving your team the time to implement the patch before hackers have an opportunity to exploit your applications.
4 Do Not Collect More Information Than You Need
Make sure that if you are gathering data from a user that it is something that is really necessary. Breaches happen, and you want to avoid embarrassing situations of having to explain why your devices were collecting location data for your talking dinosaur toy that is also keeping records of the conversations that it is having with kids.
Rami Sass, Co-founder and CEO of WhiteSource