By: Erez Yalon, Head of Security Research, Checkmarx
Innovation has been at the forefront of our digital world since the inception of technology, with pioneers across all industries continually looking for new and exciting ways for machines and software to enhance how we live, work and play.
Internet of things (IoT) devices are a key component of this effort. With a huge variety of products now available, from remote health monitoring tools to smart office devices, and almost everything in between, the IoT revolution is improving both standards of living and working for us, making our lives simpler and more connected than ever.
However, the security of such devices has come under increased scrutiny over the past couple of years, and while this is no surprise given the sheer amount of security flaws being discovered within these instruments, it should be of greater concern to us as users and device manufacturers as the creators and distributors.
Whether it’s attackers exploiting smart doorbells to spy on users inside their own homes, implantable cardiac devices being insecure, with hackers able to deplete a battery or administer shocks, or even vulnerabilities within smart appliances – such as the one we discovered in the Ironpie M6 smart vacuum – insecurity surrounding IoT can prove highly intrusive and potentially dangerous from both a physical and digital safety perspective.
So, what can the businesses creating these devices do to ensure security is a higher priority?
The role and responsibility of developers today
Security is becoming increasingly integrated into software development initiatives (where it isn’t, it should be), and IoT devices, and the applications which control them, are no exception.
However, as development teams look to work more closely with security professionals to improve the security posture within the apps and devices they create, there is still confusion around the exact role developers play in AppSec, and whether they must begin to take more responsibility for building secure applications.
We know the majority of developers want to create code that is more secure. Recent research which asked developers about the skills they prioritised learning or improving over the past year found that application security / secure coding came top. While this goes some way to addressing the question over whether developers are ready to take more responsibility here, it’s clear a step change is needed, with instruction and mentalities on who is in charge of and responsible for security needed.
While developers appear to want to do more to ensure their creations are as secure as possible, they often aren’t tasked with or set objectives for creating code which meets a minimum security criteria. Instead, goals are often focused on speed of build and the velocity at which solutions can be developed to tight deadlines. This is something which historically doesn’t go hand-in-hand with ensuring a strong AppSec framework.
On one hand, developers must make it a bigger priority to ensure they’re coding securely. On the other, it’s vital to note that security is a shared responsibility across an organisation. Those in senior roles are equally responsible for this and must ensure their teams have the education, experience, and testing tools to understand the true severity of vulnerabilities within code in more technical detail. By doing so, team leaders and developers can work succinctly to deliver more secure products, while patching any necessary vulnerabilities quickly and effectively.
Taking immediate action
The specific motivations for hackers looking to exploit an IoT vulnerability, in most cases, can be hard to predict. Are they doing it for financial gain, notoriety, or to prove a point?
While motives and tactics may vary, the outcome of an IoT vulnerability can have serious and far-reaching consequences for both businesses and consumers. As a result, the stakes of getting security wrong are far too high for it to remain an afterthought.
Organisations creating and innovating in the IoT space need to take the necessary steps to bake security into every level of their business and product/app development processes from the outset. There are a lot of components within the software of IoT devices and applications that can lead to compromise – APIs, microservices, 3rd party infrastructure, and containers, as examples. All of these, and every component, needs to be secured as a result.
To do this, for manufacturers, it’s critical to be aware of the dangers of IoT vulnerabilities, the options for mitigating those dangers, and the correct way to handle reports and fixes in the event an issue is discovered. Organisations also need to ensure their development teams are armed with the appropriate tools to detect code-borne vulnerabilities earlier and throughout the entire software development cycle, as well as receive the proper training to create more secure code.
The time has come for IoT manufacturers to better engage their developers and management teams to secure the technologies being created.
Only by providing security tools which decrease latency issues, shifting the culture around cybersecurity responsibility, and embedding it into the core of all development processes, can the businesses responsible for creating these devices make moves to truly secure their offerings and protect those who purchase them. Both today and in the future.