IoT device design and development

“Smart yet flawed” is the term used by the security software developers when explaining the seriousness of the inherent vulnerabilities of IoT devices.

The following table identifies the most common IoT vulnerabilities. Most of these vulnerabilities, namely unnecessary open ports, insufficient logging mechanisms, inadequate privacy protection and encryption, lack of automatic patch management, and hardcoded passwords are caused by poor software design.

	Insecure networks: Insecure networks can make it easy for attackers to exploit weaknesses in the protocols and services that run on IoT devices. Once the network is exploited, attackers can breach confidential data that travels between user devices and the server.
	Insecure/outdated components: IoT devices can be exploited as a result of using insecure or outdated components, such as open source code, legacy systems, and outdated third party software that contains vulnerabilities.
	Hardcoded passwords: Hardcoded passwords – that is, passwords that cannot be changed – are a common vulnerability that attackers often use to compromise IoT devices. Similarly, weak/simple and reused passwords make it easy for attackers to compromise IoT devices.
	Hardcoded settings: IoT devices typically have default and hardcoded settings to facilitate simple setup by the user. However, these default settings are very insecure and it can be easy for attackers to breach and exploit device vulnerabilities.
	Poor privacy protection: IoT devices often collect a range of personal data that needs to be securely stored and processed to comply with data privacy regulations. Failure to protect this sensitive and personal data – through encryption and the like – can result in data leaks that jeopardise both user privacy and the business’s reputation.
	Insecure update processes: Insecure update processes heighten the risk of malicious or unauthorised code, software or firmware being installed on the IoT device. Updates need to be secure and on encrypted channels. All software and firmware must be validated and approved.
	Open ports: Unused open ports in IoT devices can allow attackers to exploit vulnerable services.
	Insecure data transfer: IoT devices receive or transmit data – this data transfer (and storage) must be undertaken across secure networks to ensure that only authorised users have access. This ensures the confidentiality, integrity and availability of IoT applications.

Furthermore, OWASP IoT Top10 also identifies similar software vulnerabilities in their top 10 list.

This reinforces that software running on the devices, gateways, mobile and data centre applications, and the application program interfaces (APIs) from which the services are consumed, should be subjected to assurance to ensure they are free from security defects. Considering this, it is imperative to have security embedded in the design of IoT devices, including its controlling software.

Want to know more?

Read

Read this article which explains the “smart but flawed” concept. The article highlights why it is necessary to be cautious and understand that “smart” can also mean vulnerability to threats:

• Trend Micro 2020, Smart Yet Flawed: IoT Device Vulnerabilities Explained, Trend Micro, 28 May 2020.