Best practices for IoT Security
The GSMA guidelines for IoT security are out, with Outpost24 contributing.
Internet of Things security is becoming more of a focus day by day, as the race to push new and innovative solutions to market has led to a booming industry. However, shipping the latest and greatest means that a lot of corners are cut, especially with regard to security.
In the news we see everything from hacked dolls and hacked kettles to hacked doorbells and cars, and we nod in recognition: this is today’s reality in IoT (in)security.
Among the topics covered in the best practices, one of the less understood by those used mainly to software development, who lack the thinking of an appliance vendor, is the sunsetting of a product line. The problem is that many of these gadgets and toys are, from a commercial perspective, designed to last for a few years and come without intended maintenance or support. We can, and will have to, accept that. A strange effect of this is that your toys don’t wear out; they lose their internet support. Just as your doll may no longer be able to answer questions some years from now because of a changed API, the same could equally well happen to update services for a car, a GPS or, in theory, medical devices. Product-specific domains and servers are abandoned, but unpatched products remain, trying to contact the old servers.
The IoT guidelines look not only at avoiding vulnerabilities in code and applications but also at setting up proper defenses from the network layer upward.
Outpost24 security specialists have been involved in the GSMA work towards the new best practices, providing advice on technical security from an attacker’s view and drawing on our extensive experience of which vulnerabilities manifest as problems over time in a networked environment, all in an effort to provide vendors with solid advice. Note that the standards are very comprehensive, and while it may not be relevant to build tamper-resistant dolls or thermometers for your oven, there are important insights for every developer and vendor to be had from the guidelines.
We don’t expect that they will change the world of IoT
Special thanks to:
Ian Smith – GSMA – Who led the project, and accepted our input even as a third party
Jimmy Johansson – Telenor Connexion – For getting us involved
John Stock – Outpost24 – For the late nights spent going over all technical details