The Internet of Things (IoT) was at the peak of Gartner’s Hype Cycle 2014 – just a couple months later it feels like it has fully arrived. More and more devices and applications get connected via Bluetooth, WiFi, NFC and other technologies in order to enhance functionality and usability.
Gartner’s Hype Cycle 2014 (image: Gartner)
Every new connection is a possible entry point for hackers and has to be secured in some way. Many companies face the challenge of choosing and implementing the adequate security technology for their products and therefore we have collected 9 questions in order to give you some help on if and what security precautions you need.
Are your products connected?
If you answer yes here you should consider security. It might turn out that you do not need to spend a lot of effort securing a device if the only connection is NFC and an attack would need to be close by and in addition the transmitted data is not critical. On the other hand if you design a Bluetooth enabled headset you might want to spend some more effort as calls should stay discrete especially considering your business customers. In conclusion, if there is a connection you should at least take a moment to think about if security is necessary.
Do you allow firmware updates?
Updating the firmware of your products can be an easy and great way to eliminate bugs and to make your products competitive over an extended time period. At the same time experience shows that many people take advantage of this feature and create and distribute unofficial or modified versions of firmware to provide new features, to unblock functionality or to access user data. In order to prevent this it is vital to implement security precautions verifying the firmware and blocking third party software.
Do you check the integrity and authenticity?
Many of us will know data encryption using algorithms to encrypt and decrypt electronic data. However in a modern device this is not enough to keep hackers out. In order to built a secure connection it is essential to check the data integrity meaning that you check if the data is correct or in other words that the data was not changed or accessed on its way from sender to receiver. Through authentication tools you can further determine whether someone or something is in fact who or what it declared to be.
Is the software an essential part of your intellectual property or product?
In some cases your product is defined through software in a way that this is the main differentiation to your direct competitors. In this case you should have strong security precautions in place in order to prevent the hacking of your systems and to protect your unique know-how.
Do you trust a remote connected node?
Remote connection nodes e.g. a sensor can be hacked in two ways. First option is to hack the connection between the device and the node/sensor, second possibility would be to feed the the control system with wrong sensor data to perform the attack.
Are consumables part of your business model?
Consumables such as batteries, medical disposables, cartridges and other spare parts can easily be modified or replaced by unofficial parts in order to hack a device. To prevent such hardware attacks it is important to consider advanced hardware security technology.
Do you see copies of your products, batteries, consumables extension boards in the market?
In case you answered yes, but are in favour of third parties offering special equipment for your devices you should have a very comprehensive security strategy in place, allowing you to license products. You should further be able to control third party extensions and be in a position to stop them from working with your products via software updates if necessary. If you do not want any additional accessories to work with your device you will need to implement strong hard- and software security in your products.
Would counterfeited poor accessories damage your reputation?
You answered yes? Then you should not fear to take the time and effort to protect your reputation with hard- and software features.
Is crypto implemented in hardware or software?
A good answer would be ‘in both’. A perfect answer would also include ‘together with authentication and data integrity features’.
So now we have established some ground rules to answer if you should think about security features when designing a new product. We will follow up on this post in order to help you to answer the question “When protecting a system, what should I consider?”.