There’s no question that the Internet of Things is the new security battleground. Internet-connected webcams, HVAC systems, cars, TVs, watches, printers and more are making everyday objects more useful. But these devices also open doors to hackers who want to steal corporate data, lasso thousands of devices into botnets that launch DDoS attacks, or even set off Dallas’ 156 emergency outdoor sirens.
When it comes to security, corporations are struggling to keep up with the speed at which problems evolve. For example, a researcher with Google Project Zero recently discovered a flaw in Broadcom Wi-Fi chips that could allow someone within Wi-Fi range to remotely execute code on affected iPhones, Nexuses and Samsung devices, with no action required from the user. Another researcher found 40 zero-day vulnerabilities in Samsung’s Tizen operating system for smartwatches, phones and TVs, and said the code may have been the worst he had ever seen.
Meanwhile, a new version of the Mirai botnet was recently found to be capable of application-layer attacks, which target the web application itself rather than simply flooding it with traffic, in addition to the volumetric DDoS attacks that knocked websites offline and turned large swaths of the internet dark.
To combat these issues, companies are constantly inventing new solutions. For example, a Microsoft project dubbed Sopris aims to address IoT security at the hardware level by redesigning Wi-Fi microcontrollers. Efforts like this help, but more must be done within the companies that build these devices to address IoT security in a scalable way.
How? Here are three things companies making IoT devices should do to improve the security of their products:
#1: Be accountable
Many companies developing IoT products aren’t technology companies, so they don’t necessarily design products with security in mind or know the best practices for doing so. Vendors entering the IoT market must accept that their devices will have vulnerabilities and that connecting them to the internet makes it more likely they will be attacked or used in attacks. Companies that sell products without acknowledging this reality have already failed, and are putting not just their customers at risk but the internet as a whole.
#2: Automatically update
Products that don’t have a way to automatically update are sitting ducks.
For instance, the moment they left store shelves, devices vulnerable to the Mirai botnet were effectively at the end of their life — there was no way to update them or to fix the vulnerabilities, so the only option owners had was to buy a new device. Recalls are expensive, so building in a way to update the device is essential to avoiding instant obsolescence, which also turns customers off.
Even Windows XP, which Microsoft supported for more than a decade, received security patches for its whole lifetime, delivered through Windows Update or as downloads customers could install themselves. Microsoft planned for that long-term support and maintenance, including the security engineers needed to deliver it, and factored the cost into the upfront price. Security maintenance has to be budgeted when the product is designed, not after it ships.
In the same vein, Nest charges $10 a month for its upkeep service, which funds the ongoing maintenance that makes its devices among the most secure on the IoT market.
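An automatic update channel is itself a target: a device that installs whatever arrives must be able to tell a vendor release from a forged or replayed one. The Python below is an added example, not code from any vendor mentioned here. It models the two checks a device should make before flashing an image, authentication of the update manifest and an anti-rollback version check, and uses HMAC-SHA256 with a device-provisioned key only so that it runs with the standard library; a shipping product would use an asymmetric signature (Ed25519, for instance) so that a key pulled from one device cannot forge updates for the whole fleet. The key, manifest layout and firmware bytes are constructed for the example.

```python
"""Authenticated, rollback-resistant firmware update check.

Added example, not vendor code. Assumptions: an update is a JSON manifest
(version + SHA-256 of the image) plus an authentication tag over the
canonical manifest bytes. HMAC-SHA256 with a provisioned key stands in for
the asymmetric signature a real product would use.
"""
import hashlib
import hmac
import json

# Constructed key for the example only; a real device would hold a public
# verification key and the vendor would keep the signing key offline.
DEVICE_KEY = b"example-update-key-not-for-production"


def _canonical(body: dict) -> bytes:
    # Fixed key order and no whitespace, so vendor and device hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(key: bytes, version: int, image: bytes) -> dict:
    """Vendor side: describe the image and authenticate the description."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return {"body": body, "tag": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_update(key: bytes, manifest: dict, image: bytes, installed_version: int) -> tuple[bool, str]:
    """Device side. Order matters: authenticate first, then decide, then check the image."""
    body = manifest.get("body")
    if not isinstance(body, dict):
        return False, "manifest authentication failed"
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checking does not leak byte by byte.
    if not hmac.compare_digest(expected, str(manifest.get("tag", ""))):
        return False, "manifest authentication failed"
    version = body.get("version")
    # Anti-rollback: a genuinely signed but older manifest must not reinstall a fixed bug.
    if not isinstance(version, int) or version <= installed_version:
        return False, "rollback or replay rejected"
    # Bind the image to the authenticated manifest; the image bytes themselves carry no tag.
    if hashlib.sha256(image).hexdigest() != body.get("sha256"):
        return False, "image digest mismatch"
    return True, "ok"


def demo() -> dict:
    """Run the four cases a device must get right; all inputs are constructed."""
    fw_v1 = b"FIRMWARE v1 (constructed sample image)"
    fw_v2 = b"FIRMWARE v2 (constructed sample image)"
    genuine = make_manifest(DEVICE_KEY, 2, fw_v2)
    # 1. Real update from version 1 to 2.
    results = {"genuine": verify_update(DEVICE_KEY, genuine, fw_v2, 1)}
    # 2. Authentic manifest, but the image on the wire was swapped.
    results["swapped_image"] = verify_update(DEVICE_KEY, genuine, fw_v2 + b"\x90", 1)
    # 3. Manifest edited to point at an attacker image, tag left as it was.
    evil = b"FIRMWARE backdoored (constructed)"
    tampered = {"body": dict(genuine["body"], sha256=hashlib.sha256(evil).hexdigest()),
                "tag": genuine["tag"]}
    results["tampered_manifest"] = verify_update(DEVICE_KEY, tampered, evil, 1)
    # 4. Old, genuinely signed release replayed against a device already on version 2.
    old = make_manifest(DEVICE_KEY, 1, fw_v1)
    results["rollback"] = verify_update(DEVICE_KEY, old, fw_v1, 2)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:18s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The order of the checks is deliberate: nothing in the manifest is trusted until the tag verifies, the version is compared before any image bytes are touched, and the image is accepted only if it matches the digest inside the authenticated manifest. Without the version check, the fourth case would succeed, and an attacker could push a vendor-signed but vulnerable release back onto patched devices.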
#3: Embrace disclosure
IoT device manufacturers must also make it easy for ethical hackers to report vulnerabilities. Companies should publish a vulnerability disclosure process with an easy-to-find email address or web form for bug reports, and say what a reporter can expect, such as how quickly the report will be acknowledged. If they want to encourage more security scrutiny to help them find and fix bugs, companies can also set up a bug bounty program that pays hackers for reporting vulnerabilities.
No product is immune to bugs. Given how widespread IoT devices have become and how exposed they are to attack, it is essential for companies that make them to take every precaution necessary to protect their customers’ privacy and, beyond that, the rest of the internet.
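The standard way to make that contact address easy to find is a security.txt file served at /.well-known/security.txt (RFC 9116), which requires at least one Contact URI and exactly one Expires timestamp. The Python below is an added example, not code from the page’s sources; it builds such a file and checks it for the mistakes reporters most often run into, such as a bare email address instead of a mailto: URI or a file whose Expires date has passed. It accepts only the UTC “Z” form of the timestamp, a simplification of the RFC 3339 syntax the spec allows, and the contact and policy values are placeholders.

```python
"""security.txt (RFC 9116) builder and checker.

Added example, not from the page's sources. Simplifications: only the
UTC "Z" form of the Expires timestamp is accepted, and the Contact check
looks only at the URI scheme.
"""
from datetime import datetime, timedelta, timezone

REQUIRED = ("Contact", "Expires")
KNOWN = REQUIRED + ("Encryption", "Acknowledgments", "Preferred-Languages",
                    "Canonical", "Policy", "Hiring")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_security_txt(contacts: list[str], policy_url, expires: datetime) -> str:
    """Emit the file to serve at /.well-known/security.txt."""
    lines = [f"Contact: {c}" for c in contacts]
    lines.append(f"Expires: {expires.strftime(TIME_FMT)}")
    if policy_url:
        lines.append(f"Policy: {policy_url}")
    return "\n".join(lines) + "\n"


def check_security_txt(text: str, now: datetime) -> list[str]:
    """Return the problems found; an empty list means the file passes."""
    problems, fields = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            problems.append(f"malformed line: {raw!r}")
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    for req in REQUIRED:
        if req not in fields:
            problems.append(f"missing required field {req}")
    for c in fields.get("Contact", []):
        # A bare address is the usual mistake; the RFC requires a URI.
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a URI (mailto:, https:, tel:), got {c!r}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    elif expires:
        try:
            when = datetime.strptime(expires[0], TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 UTC timestamp: {expires[0]!r}")
        else:
            if when <= now:
                problems.append("file has expired; the RFC says it should no longer be trusted")
            elif when > now + timedelta(days=365):
                problems.append("Expires is over a year out; the RFC recommends under a year")
    for name in fields:
        if name not in KNOWN:
            problems.append(f"unknown field {name}")
    return problems


def demo() -> dict:
    """Check a good file and two typical broken ones at a fixed clock (constructed)."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    good = build_security_txt(["mailto:security@example.com", "https://example.com/report"],
                              "https://example.com/security-policy", now + timedelta(days=180))
    sloppy = "Contact: security@example.com\n"  # bare address, no Expires
    expired = build_security_txt(["mailto:security@example.com"], None, now - timedelta(days=1))
    return {"good": check_security_txt(good, now),
            "sloppy": check_security_txt(sloppy, now),
            "expired": check_security_txt(expired, now)}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```

The Expires check is the one worth automating in a deploy pipeline: a security.txt that is published once and forgotten expires quietly, and a reporter who finds a stale file has no reason to trust the address in it.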