IoT: Do Making Devices More Secure Add Time to Product Development?

Not really, but crossing the privacy hurdles require clever application of various security technologies, including integrated solutions by device manufacturers.

Ruchna Nigam, Security Researcher, FortiGuard Labs, Fortinet, in a chat with IT Next.

‘Connected home’ may offer convenience or cost savings, but ‘Internet-connected home appliances’ may also create security risks! 
The Internet-connected home appliances could be exposed to risk under two scenarios: if there is an inherent flaw in the device that is being exploited or if the device has been set up or connected to the Internet in a way that makes it vulnerable.

The first scenario (case A)  generally manifests itself in the form of zero-day vulnerabilities or existing vulnerabilities that haven't been rectified by vendors. Preventing these is the responsibility of vendors, by being proactive when alerted of a security flaw and/or by keeping security in mind while developing a product. Either way, mitigating these risks is out of the hands of a user. 

However, the latter (case B) boils down to the way in which a device is used. This is where a user's security awareness could help by measures such as changing the password that was set by default, choosing a good password, restricting access to these devices to only certain known devices or IP addresses, among others.

Don’t you think making devices more secure can add time to product development?
No. Most of the time, making things more secure doesn't necessarily imply significantly more amount of time or a bigger budget for product development. Rather, it requires a certain amount of awareness, and taking different attack scenarios into consideration during development. 

'Making things more secure doesn't necessarily imply significantly more amount of time or a bigger
budget for product development. Rather, it requires a
certain amount of awareness.'

Steps as simple as sanitising user inputs, assigning only the required rights to a user, selecting the right permissions for programs running on these devices so they can only be accessed by certain users etc., can prevent many attacks on these devices.

There are indeed attacks that are more advanced in nature – but they also require more work by an attacker, explaining why we don't see these very often.

India led the world with this response when asked about privacy! Is IoT going above the creepy line?
IoT is still in the budding stages both in terms of its use by the common people, and the attacks observed on it. However, with the regular influx of new devices, it won't be long before this situation changes.

These devices present an attack surface that makes the impacts of these attacks more personal. An attacker being able to access an IP camera and spy on you seems a lot more intrusive than having your passwords leaked by a phishing website or Trojan. To give an example of a case seen in the wild, early this year, there were reports of a person hacking into baby monitors merely to yell into them.

In addition, exploitation of Internet-connected security devices such as Lockitron, that allows you to unlock your front door with the use of a smartphone, can expose you to graver physical dangers.

In many cases, these devices are also connected to smartphones, which would mean the loss of your smartphone also puts other connected devices at risk. Inversely, an Internet-connected appliance that has been infiltrated could expose the rest of your network and devices connected on it to risk as well.

In short, the expanse of the attack surface in the case of IoT, makes it an interesting and lucrative target for attackers and a concern for vendors. Hence, they should be set up and used with caution by users.

Do we have integrared solutions to protect IoT including application security, remote connection authentication, virtual private networks, malware and botnet protection?
The Internet of Things promises many benefits to end-users, but also presents grave security and data privacy challenges. Crossing these hurdles will require clever application of various security technologies, including remote connection authentication, virtual private networks between end-users and their connected homes, malware and botnet protection, and application security − applied on premises, in the cloud and as an integrated solution by device manufacturers.

The FortiGate network security platform acts as a wireless controller for FortiAP Thin Access Points, while providing firewall, VPN, intrusion prevention, application control, web filtering and many other security and network capabilities. These platforms meet the requirements of any network including homes.

Do we have a framework and standard for the adoption of connected homes in India?
IoT being still in its very early stage of adoption, there are no Indian standards or recommended frameworks available for adoption at the moment. Global standards recommended by IEEE P2413I can be used as the recommended framework.

Standard for an Architectural Framework for the Internet of Things (IoT) - IEEE P2413: This standard defines an architectural framework for the Internet of Things (IoT), including descriptions of various IoT domains, definitions of IoT domain abstractions, and identification of commonalities between different IoT domains. The architectural framework for IoT provides a reference model that defines relationships among various IoT verticals (e.g., transportation, healthcare, etc.) and common architecture elements. It also provides a blueprint for data abstraction and the quality ‘quadruple’ trust that includes protection, security, privacy and safety. Furthermore, this standard provides a reference architecture that builds upon the reference model. The reference architecture covers the definition of basic architectural building blocks and their ability to be integrated into multi-tiered systems. The reference architecture also addresses how to document and, if strived for, mitigate architecture divergence. This standard leverages existing applicable standards and identifies planned or ongoing projects with a similar or overlapping scope. 


Nike Free Run+

Add new comment