Developing IoT devices? Four costly security mistakes and how to avoid them

IoT brings with it so much opportunity, but it also increases risk and widens the attack surface of your product and even your organisation.

To put it into perspective, according to Gov.uk’s Cybersecurity survey 2020, almost half of businesses (46%) report having cybersecurity breaches or attacks in the last 12 months, this is up from a third in the previous year. Maintaining trust with customers is a key concern for CEOs and a big obstacle to successfully deploying IoT products to market.

In our many years of developing connected devices and systems, we’ve seen costly mistakes crop up time and again – here are some common ones with some pointers to help you avoid them:

1. Rushing to get an IoT product or solution to market:

In the race to get to a smart product to market, it can be tempting to think that security can be ‘left until last’ and bolted on at the end, when in fact security is something that needs to be planned at every phase of designing, developing and deploying your connected devices and systems.  Security will be need to maintained throughout the product life and a well-planned approach will make this much easier.

When businesses engage in innovation without proper preparation, they can put their project, company and customers at risk. Preparation takes time and money, and the Proof of Concept (PoC) stage is essential in reviewing all aspects of security. But in rushing to get to market, we’ve seen PoCs developed too quickly with little to zero security consideration of implementation. It’s important that PoCs are developed with data encryption and end-to-end security in mind, even if not implemented. The feasibility of the design may pivot on the security solution. This is also the stage when compliance can generate complexities, as different devices may need different certification types.

2. Introducing insecure components into your IoT product.

When it comes to the build vs. buy decision, remember that the components you select can affect security and reliability. It’s important that you choose to work with a supplier that will disclose vulnerabilities to you throughout the entire lifecycle of the product. You’ll need to review security at every stage of the product development process moving forward, as the impact of poor risk and vulnerability management will be significant as your solution scales up.

3. Underestimating security issues when scaling IoT devices.

As solutions scale, security can get harder to manage. When all of the components are scaled to the size of an expected deployment, security risk and compliance should be a major focus. In the planning stages, you’ll need to consider how security will be maintained throughout the manufacturing and production process, in particular, how sensitive data such as key and software will be handled.

For one client we’ve installed hardware in the third-party factory to inject secure keys at the site of manufacture and programme signed code on each device. Your IoT security solution needs to be future-proof, allowing for updating and change in a safe, secure and low-risk way without requiring a whole new system.

4. Planning no security for smart devices not connected to the internet.

It’s a common myth that just because a smart device isn’t going to be connected to the internet (in other words it only interacts through Bluetooth or NFC or some other interface) it doesn’t need security. While not being connected to the internet does remove a big attack surface, it doesn’t mean a device is secure. It’s not just IP stacks that have vulnerabilities, a range of vulnerabilities have been found in Bluetooth, USB and NFC stacks. Developing exploits and scaling them is harder for these vulnerabilities but still relatively straightforward.

Developing a secure, smart consumer product from concept all the way through to operation, including manufacture and over the air (OTA) updates, means shifting to a security mindset. You need to think about security early in your IoT projects and product planning process and invest in a secure development lifecycle, to tick all the Secure by Design (SbD) boxes.

If you’re looking to design, develop or deploy a trustworthy, future-proof, secure IoT product, then why not download our Secure by Design infographic and product development checklist for a thought-provoking list of questions, you should ask at each stage of development.

The IoT journey from proof of concept to scale is complex and often underestimated. Consult Red can help you design, develop, and deploy secure connected devices, reducing your risk and helping you get to market faster.

For 15 years we have worked with some of the world’s leading Pay-TV and media operators, delivering secure connected systems in the home – Set Top Boxes – with security at heart to protect both their customers and their valuable content.