In part 1 of this Internet of Things (IoT) security series, I reviewed how a four-layer approach can help reduce security anxiety for intelligent device manufacturers. The first post covered the device and OS layers, and now we’ll cover the application and network security layers.
All IoT devices run software that provides services to users or other systems, and that software is often the weakest link in an IoT device stack. Traditional security practices do not apply when it comes to IoT devices. For example, you normally would not download an anti-virus app and try to run it on your Nest Thermostat to protect against malware or viruses. Most IoT devices have limited resources, and hardware vendors typically rely on physical security; as a result, designing security into software is usually an afterthought. Applying secure coding principles is one approach that ensures application security is an integral part of the product design, which greatly reduces security vulnerabilities.
IoT devices are “always on” by definition and carry a very high security risk as a result. Most IoT devices are purpose-built to provide a few simple services that rely on data from other systems, perhaps other IoT devices. For example, a SmartThings® hub can monitor whether doors, windows, and the garage are open or closed. Most IoT devices use simple, predictable traffic patterns that can be impersonated in order to compromise a device. Authentication and secure communication are two common practices for protecting data in motion: they prevent eavesdropping and ensure trust between IoT devices.
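As an added illustration of the authentication point above (not code from the original post or from any vendor's product), the sketch below has a sensor tag each status message with an HMAC and a counter, so a hub can reject forged and replayed frames even though the message content itself is predictable. The class names, message fields and pre-shared key are assumptions made for the example.

```python
import hashlib
import hmac
import json

class Sender:
    """Device side: tags each status message with a counter and an HMAC."""
    def __init__(self, device_id, key):
        self.device_id, self.key, self.counter = device_id, key, 0

    def build(self, state):
        self.counter += 1  # strictly increasing, so an old frame is detectable
        body = json.dumps({"id": self.device_id, "ctr": self.counter,
                           "state": state}, sort_keys=True)
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return json.dumps({"body": body, "tag": tag}).encode()

class Hub:
    """Hub side: accepts a frame only if its tag verifies and its counter is new."""
    def __init__(self, keys):
        self.keys = keys    # device_id -> pre-shared key (assumed provisioned)
        self.last_ctr = {}  # device_id -> highest counter accepted so far

    def accept(self, frame):
        try:
            outer = json.loads(frame)
            body = outer["body"].encode()
            msg = json.loads(body)
            dev, ctr, state = msg["id"], int(msg["ctr"]), msg["state"]
            key = self.keys[dev]
            tag = bytes.fromhex(outer["tag"])
        except (ValueError, KeyError, TypeError, AttributeError):
            return None, "invalid"
        # Verify over the exact bytes received, in constant time.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None, "bad-tag"
        if ctr <= self.last_ctr.get(dev, 0):
            return None, "replay"
        self.last_ctr[dev] = ctr
        return state, "ok"

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    door, hub = Sender("door-1", key), Hub({"door-1": key})
    frame = door.build("open")
    print(hub.accept(frame))   # first delivery
    print(hub.accept(frame))   # same frame captured and sent again
```

In a real device the counter has to survive reboots, and this covers message authenticity only; protection against eavesdropping still needs an encrypted channel such as TLS.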
So how can you get started today to improve the security of your devices?
As mentioned before, leveraging a tamper-resistant application can help you minimize piracy risk and strengthen IP (intellectual property) protection with additional security layers. Tamper resistance helps protect against hacking and software piracy through sophisticated detection and identification of unauthorized use. Additional benefits of a tamper-resistant app include:
- Mitigate the risk of reverse engineering by providing maximum protection against static analysis through code obfuscation that controls the flow of software and application data that may contain sensitive information.
- Ensure application integrity and block tampering through innovative techniques that detect modification of the application in memory and on disk and provide an option to create “call-home” notification alerts.
- Establish secure barriers against debuggers and application signature spoofing to counteract reverse engineering attempts.
By applying security in layers in the above four areas, you can be more assured that your IoT devices are secure.