Last updated: 08 July 2016
Last year, hackers demonstrated to us how the IoT, when unsecured, can be used to hack a Jeep remotely while it’s in the middle of a highway. A scary scenario. It served as a wake-up call for many in the automotive industry, especially those at Jeep who promptly issued a patch for the vulnerability.
Since then, the company behind the Jeep hack, IOActive, has come out with a survey claiming that nine out of every 10 IoT devices on the market today have not been designed with adequate security. These figures are concerning and should serve as a reminder to everyone how we must strengthen our commitment to IoT security. Below, we list out the three key lessons we must learn about IoT security practice and policy.
- Security must be the number 1 priority for IoT
The potential of the IoT is seemingly unlimited – new innovations are being made every day. This is brilliant for the IoT market as a whole; however, security thinking must be properly integrated into the innovation process. Currently, many IoT developers choose (understandably) to work in an agile manner, in an off-network sandbox which enables them to experiment and innovate more rapidly. In this environment, security is often an afterthought, and is not implemented until the later stages. It’s important we recognize that secure products need to be built with security in mind from the ground up – security solutions shouldn’t just be added on at the end of the process. Instead, securing the device should be the first pillar.
- The onus of responsibility should be with manufacturers/developers, not with end users
Some companies have resorted to including disclaimers with their products to ensure they’re not held liable for any security exploits. This sets a dangerous precedent; one that passes on the responsibility to end users. Of course, end users should be encouraged to be responsible and take all the care they can… but this can’t relieve the manufacturers of responsibility. If IOActive’s figure of nine out of 10 devices being vulnerable is accurate, we can’t expect end users to be bridging the gap.
- We need to keep driving IoT security innovation
The IoT, on many levels, is about discovering new ways of doing things. This means new form factors that we haven’t used before – this could also mean new attack vectors for hackers. For example, USB or OTA software updates for vehicles provides a new attack vector for criminals – we need to ensure we find ways to secure against these possibilities. In short, we’ll need new solutions to protect against new opportunities for exploitation.
Securing the IoT – How to build a foundation of Trust
Tuesday, July 12th, 2016: 17:00 – 18:00 CEST
To learn more about Gemalto’s IoT security approach and how to build a foundation of trust for your solutions, register to attend our complimentary Webinar on Tuesday, July 12th at 5pm CEST.
Unsurprisingly, given the third lesson above, innovation is very important to us here at Gemalto. That’s why we are proud sponsors of the Security Award at the IoT/M2M Innovation World Cup this year, for the second time. Through this, we hope to bring forward our message of bringing trust to the IoT. Eligible contestants can apply to receive a free Cinterion® Concept Board to fast-track their innovations and receive free support in the Gemalto Developer Community. Once a greater trust is established, the opportunity for businesses to Connect, Secure, and Monetize the IoT will be better than ever. For more info on this, see here.
What do you think the key lessons to be learned from the IOActive survey are? Let us know by tweeting to us at @Gemalto, or by posting a comment below.