IoT Ecosystem Security – Webinar Top Takeaways


In the first-ever Witekio – Pentest Limited webinar, we got straight to the heart of the issue on everyone’s mind – IoT Ecosystem Security. More specifically, how to identify and secure against threats to a connected device.

With consumers demanding more and more connectivity and integration between devices, the attack surface grows and security threats become more likely.

Therefore, at the very least, you need to understand the basics of how to run risk analysis and outline common vulnerabilities for your device.

Luckily – we covered just this, and in case you need a recap, I’m going to break down the key moments you need to remember.

1. Get Your Spy Hats On for Risk Analysis Thinking

You really need to ‘get into the mindset’ for risk analysis. Take nothing for granted and look at everything with fresh eyes.

Think like you’re trying to catch your arch-nemesis in a 007 film. The first thing you need to do is identify what you have. You don’t run before you walk.

You’ve got to know what devices, networks, servers, and people make up your product and the ecosystem it sits in.

What physical and software components exist and how do they communicate? Where and how does data flow through the system, and how sensitive is that data? These are the fundamental questions you’re going to want to document in your risk register (which is just a fancy way of saying a compliance spreadsheet).

2. The Fundamentals of Risk Analysis

Now that you’ve got the lay of the land for your device, you need to think about the main pillars of risk analysis and how an attacker could target each of them on your device.

• Confidentiality

An attacker should not be able to access data that they are not authorised to see.

A breach here could also put you in violation of GDPR or similar data-protection legislation.

• Integrity

Ensuring the attacker cannot change data, or anything else on the device, that they’re not allowed to.

If they can change the data or execute a command, they could impact things negatively – the integrity of your device has gone.

• Availability

An attacker cannot prevent a legitimate user from accessing the device or its services.

Preventing access to functions and services can be highly rewarding for an attacker (think about ransomware…), so you want to take measures to keep them up and running.

• Preservation of life

Compromising a device must not put the physical safety of a living being (human, animal, etc.) at risk.

It sounds dramatic, but a security breach of a medical device such as a pacemaker or an insulin pump could have dire consequences.


3. Security by Design

Before we look at the most common vulnerabilities for devices, it’s important to point out that a security-by-design approach is the best way to protect your device from day one. It’s a combination of smart design choices and their careful implementation.

As described by Witekio’s Security Manager, Julien Bernet – you need to first complete your risk analysis and then set up a proper ‘security development routine’ that tackles those risks during development.

By designing with security in mind – rather than trying to plug gaps after development – you will not only get to market faster, but your device security will be fully owned by your team, meaning you can manage it in the future.

4. The Common Vulnerabilities in IoT

Although you should never take for granted what an attacker will plan to do, there are a few well-known vulnerabilities that you can protect yourself against from the get-go.

For instance, if your device or product ships with a user manual listing a static username and password that is the same for every device, then you’re opening yourself up to exploitation.

There have been many cases where devices shipped with static usernames and passwords were then remotely compromised en masse.

Another is having no update mechanism at all. If you offer no way to update the software on a device, it can quickly become obsolete because of a vulnerability that’s found. This means either a costly product recall or abandoning the device completely before an attacker attempts to compromise the integrity of your product. It’s a risk you don’t need to take.

And our favourite pet peeve: outdated software.

If you’re looking to cut down on development time and costs, you’re going to use third-party libraries or a framework. This is fine, but you have to make sure that you have a long-term maintenance plan so that you can keep those components, and therefore your devices, up to date.

Just keep in mind that sometimes the cure is worse than the disease, and that you need to be extremely careful when implementing these countermeasures.

A simple example of this is implementing an unprotected update procedure for your systems, which would allow an attacker to inject their own code into your devices.
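To make the last point concrete, here is an added example (not from the webinar or from Witekio/Pentest) contrasting an update check that only looks at the version number with one that also authenticates the manifest, verifies the image hash and refuses rollback. The manifest format, the `VENDOR_KEY` and the HMAC scheme are assumptions for illustration; a real device would verify an asymmetric signature against a vendor public key rather than hold a shared secret.

```python
import hashlib
import hmac
import json

# Constructed key for this example only. Production firmware should verify an
# asymmetric signature (e.g. Ed25519) with a public key baked into the device;
# HMAC is used here solely so the example runs on the standard library alone.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: authenticate the canonical (sorted-key JSON) manifest bytes."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest()


def make_release(version: int, image: bytes, key: bytes = VENDOR_KEY):
    """Vendor side: build a manifest binding version and image hash, then sign it."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest, key)


def unprotected_update(current_version: int, manifest: dict,
                       image: bytes, sig: bytes) -> bool:
    """The 'cure worse than the disease': a version bump is enough to be flashed.
    Nothing proves the manifest or image came from the vendor."""
    return manifest.get("version", 0) > current_version


def protected_update(current_version: int, manifest: dict, image: bytes,
                     sig: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Device side: accept only an authentic, newer image whose hash matches."""
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, sig):
        return False  # manifest was not produced by the vendor
    if manifest.get("version", 0) <= current_version:
        return False  # anti-rollback: refuse same or older firmware
    if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        return False  # image body does not match the signed manifest
    return True


if __name__ == "__main__":
    manifest, sig = make_release(2, b"constructed firmware image v2")
    print("genuine v2 accepted:", protected_update(1, manifest, b"constructed firmware image v2", sig))
    forged, forged_sig = make_release(3, b"attacker image", key=b"not-the-vendor-key")
    print("forged v3 accepted by unprotected check:", unprotected_update(1, forged, b"attacker image", forged_sig))
    print("forged v3 accepted by protected check:", protected_update(1, forged, b"attacker image", forged_sig))
```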

5. Don’t Forget the Other Vulnerabilities

Looking at the typical IoT ecosystem attack paths shows you the scale of what a connected device has to defend against.

This is why using a professional security-by-design software company, like Witekio, and a leading penetration testing organization, such as Pentest Ltd, can help give you peace of mind.

As the experts said in the session – bringing on an external team as early as possible and enabling them to work on development and security in parallel is the best option.

The last thing you want is to spend time, effort and money developing your product, only to find that you need to invest more to secure it before it can go to market.

Webinar Overview:

Event: IoT Ecosystem Security – How to identify and secure threats on your connected device

Duration: 1 hour

Presenters:

Julien Bernet – Security Manager, Witekio
Paul Ritchie – Managing Consultant, Pentest

Topics:

▪ IoT Ecosystem Security 101

▪ An overview of Risk Analysis

▪ Common Vulnerabilities

▪ What is a threat model?

▪ How to solve security challenges

▪ How Witekio and Pentest can support your team

Webinar Timestamps:

Introductions

Risk Analysis

Identifying what you have

Risk Analysis Pillars

Common vulnerabilities in IoT

What can be attacked?

All about firmware

How Witekio supports Risk Analysis development

IoT Ecosystem Attack Paths

Challenges of IoT Security

The Witekio Security By Design Process

Threat Modelling

An example of an Attack Tree

Designing a suitable development approach for security

Consumer Security Standards

Security code of practice

Q&A


Georgie Ryan Casling - Content Manager
09 January 2023