IoT Security Foundations: The Time for Security Is Now

The connectivity revolution is changing our lives. It allows us to interact with many of the devices we own, allows them to learn from their use, improves efficiency and saves resources.

As part of this revolution, manufacturers are now being motivated to explore new areas in which they have no previous experience; from embedding new components into their devices, through writing dedicated additional code for connectivity, to integrating with other solutions. In order to satisfy market expectations, as well as enjoy a competitive advantage, many manufacturers rush to 'connect' their products, focusing on ease of use and leaving out anything that can slow down production or require any (additional) expertise.

IoT security is one of the things that has been left behind for the last few years.

The harsh reality is that the number of attacks on embedded connected devices keeps growing and the techniques used by the adversaries are becoming more robust. These attacks are still lacking a deep level of complexity, rather mimicking previous attacks with minor improvements to increase infection rate, persistency or control capabilities over their targets.

As opposed to traditional IT, IoT enterprise users have very little to do in order to secure their devices - they can invest efforts in designing a network architecture that isolates these devices, try to block ports that shouldn't be used by the device. However, IoT device visibility and control is limited, and the ability to interact with the device is also limited by what the manufacturer defined that interaction to include. The option of installing a security module on it (just like we all do on our endpoints - laptops, desktops, and servers) doesn't even exist.

However, this reality is starting to change. Manufacturers are starting to understand that the market expectation is of a safe and secure device. This expectation comes first from the enterprise and industrial markets, but it is slowly expanding to the consumer market. As a result, many manufacturers are trying to figure out how to better design their future devices to include security.

As described in our first blog post in the IoT Security Foundations series - IoT security cannot be an afterthought. Connected device vendors are starting to realize that security needs to be planned throughout the device's entire lifecycle: choosing the right hardware components taking security into consideration when the product is being designed, baking security into the device when writing its code, setting a secured default configuration, disabling unsecure configurations and even proactively discouraging or disabling their customers from making changes that may degrade security.

Having said that, it is never too late to start when securing a connected device. Even after choosing the hardware components, writing dedicated application code, installing 3rd party and open source libraries, and even after the device has been deployed in user environments - it is still possible to make a change, and dramatically increase the level of security.

Cyber security is based on multiple layers of protection, and while the device's hardware and physical packaging have an effect on the level of security of the device, the biggest opportunity for remote adversaries lies in the device's software. Manufacturers can, without substantial effort, update the software layer sitting on a device by issuing a new firmware upgrade. This mechanism can be used by the manufacturer to fix bugs in the device, to add a new feature, but also to substantially improve the level of protection and security of the device.

One of our goals when building products at VDOO is to provide efficient, cost-effective, automated and easy-to-use solutions for manufacturers so they will be able to secure their devices, regardless of the development stage they are currently in. At VDOO, we allow manufacturers to use our automated analysis capabilities to determine what are the current threats and security needs of the specific device they are manufacturing, based on the characteristics and attributes of the device, regardless of the stage of development or the firmware version. Moreover, VDOO enables the manufacturers to determine what should be done from a security perspective when they build a new product, with no firmware to analyze yet, or when making a change in the device, whether in hardware or software.

When the process of securing the device is completed, VDOO provides a certificate to the manufacturer to allow users to make an educated buying decision, taking security into account. This also provides the manufacturer with an objective 3^rd party validation that security was taken into account when creating the device.

We encourage device manufacturers to stay ahead of the perpetrators, protect their customers, and secure their devices regardless of their development stage; whether the product is being deployed in the field, being tested for pre-release, only just being designed, or in any other stage between. VDOO is focused on providing automated, scalable solutions to help manufacturers quickly overcome security gaps by providing actionable guidance that can help remediate existing device risks.

We believe that the right time for security is now.