Written in collaboration with Future Electronics.
Internet of Things (IoT) security is a hot topic, and for good reason. With everything from denim jackets to trashcans becoming smart devices, the ever-expanding world of IoT products shows no signs of slowing down. In 2016 alone there were an estimated 6.4 billion connected devices, and if that wasn’t staggering enough, that number is expected to top 8 billion by the end of 2017. As more and more devices become connected to the web, often with access to sensitive information, the question of just how secure these devices are has risen to the forefront of conversation. The answer, it turns out, is “not very secure at all.”
So what exactly does this increased focus on IoT security mean for designers and engineers and how can they design more secure devices?
To better understand these questions we reached out to Amar Abid-Ali, an Application Engineer with Future Electronics to talk about the state of IoT security, how component manufacturers are responding, and the challenges of designing secure IoT devices.
Octopart: To begin, can you give us a quick rundown on the current state of security in IoT technology?
Amar: As the requirements for device identification, sensed information and metered information increases, so to do the security, privacy, and safety concerns increase. Without clear global standards, there is no way of identifying the overall security of IoT infrastructure.
Interoperability with other devices is an additional challenge especially as the security requirements are currently not strongly enforced or regulated.
There are no global security standards currently that encompass both data and device security for IoT. As such, device and product manufacturers, solution providers, and system integrators are all looking at different ways to ensure that they address some of the most pressing security concerns. Strategies for securing parts of their eco-system include using software security algorithms, crypto devices, and secure data storage.
Of course, unless the entire eco-system is secure, nothing is secure.
Octopart: What are some of the challenges that design engineers face with regards to security?
Amar: The main challenge for design engineers is the balance of security vs simplicity.
They need to ensure low friction human interaction with the devices. They also need to ensure unique device authentication and device authenticity. Additionally, this must all happen within restricted low power devices that have limited encryption capabilities and limited memory resources.
Octopart: How are component manufacturers responding to these challenges?
Amar: Component manufacturers are trying to increase the level of security features in the devices without having too much of a negative impact on power consumption. Some of the most common added features are crypto coprocessors, secure internal memory, and isolated allocated memory.
Octopart: What are some common mistakes that lead to insufficiently secure device designs and how can they be avoided?
Amar: There are too many security mistakes to mention, but here are some of the most common ones from our experience:
– Allowing devices to operate with default credentials
– Storing credentials in plain text
– Using proprietary non-tested crypto standards
– Not developing a realistic threat model
– Not having a robust identity and access management model
As the number of connected devices increases so too does the demand for secure devices. Despite a lack of coherency in security standards, the pressure is on to make security a primary design consideration. While Amar paints a rather stark view of the current state of IoT security, it’s clear that an opportunity exists for designers and companies that place a premium on device security.
We’d like to thank Future Electronics and Amar for lending us his time and expertise. If there are any topics you’d like to see us discuss in a future blog post, drop us a line at firstname.lastname@example.org!