Keeping IoT Consumer Products Safe from Cyber Threats
5 key areas of cybersecurity to focus on when developing and manufacturing secure connected consumer products
04 October 2022
We live in an increasingly connected world, one where smart devices have become a necessity rather than a luxury. By the end of this year it's estimated that there will be 14.4 billion connected devices in use globally. While IoT products offer the convenience to control everything from appliances to home security systems to cars, they also make users vulnerable to cyber-attacks. As cybersecurity experts, we work with consumer IoT device manufacturers to help them develop the safest products possible through stringent testing and certification. In honor of Cybersecurity Awareness Month, we've highlighted some of the common cybersecurity trends we see every day and what manufacturers can do to mitigate the risks they can create.
1. Weak Passwords
Having weak or easy-to-guess passwords can be like leaving the key to one's house under the front welcome mat. These can easily be guessed by an attacker, giving them access to IoT devices, opening the door to deploying backdoors or malware, and potentially to gaining access to other systems on the local network. Another common attack vector is the reuse of the same password across accounts. A data breach of an unrelated service could impact the user's IoT accounts as well.
One way to help mitigate these threats is to ensure IoT devices and associated services enforce minimum password requirements. Another mechanism is to implement some form of brute-force prevention, limiting an attacker's ability to repeatedly guess at passwords.
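The two controls described above can be sketched in a few lines. This is an added example, not code from the original article; the function and class names, the sample password list, and the thresholds (10-character minimum, three free attempts, 2-second base delay) are assumptions chosen for illustration.

```python
import time

# Constructed sample; a real product would ship a much larger list of known-weak passwords.
COMMON_PASSWORDS = {"password", "12345678", "admin123", "qwerty123", "letmein1"}
MIN_LENGTH = 10          # assumed minimum length
MAX_FREE_ATTEMPTS = 3    # failed logins allowed before delays begin
BASE_DELAY = 2.0         # seconds; doubles with every further failure
MAX_DELAY = 900.0        # cap so the legitimate owner is never locked out for good


def password_problems(password, username=""):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if username and username.lower() in password.lower():
        problems.append("contains username")
    return problems


class LoginThrottle:
    """Per-account failure counter with capped exponential backoff."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock   # injectable so the logic can be tested without sleeping
        self._state = {}      # account -> (failure count, time the lock expires)

    def retry_after(self, account):
        """Seconds to wait before another attempt may be evaluated (0.0 if none)."""
        _, locked_until = self._state.get(account, (0, 0.0))
        return max(0.0, locked_until - self._clock())

    def record(self, account, success):
        """Update state after an attempt; a success clears the failure history."""
        if success:
            self._state.pop(account, None)
            return
        failures = self._state.get(account, (0, 0.0))[0] + 1
        delay = 0.0
        if failures > MAX_FREE_ATTEMPTS:
            exponent = min(failures - MAX_FREE_ATTEMPTS - 1, 16)  # bound the growth
            delay = min(MAX_DELAY, BASE_DELAY * 2 ** exponent)
        self._state[account] = (failures, self._clock() + delay)
```

The login handler should call retry_after() first and refuse to evaluate the password at all while it returns a non-zero value, so throttled guesses give the attacker no information.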
2. Vulnerable Components
Most software-based products today use third-party components as building blocks, including operating systems, device drivers, and libraries. It is just as important to manage the security risks of these components as it is to manage the risks of the device-specific code. New vulnerabilities emerge every day. Old and vulnerable components can introduce unexpected risks if a process is not in place to monitor these components and to keep them up to date. As part of an overall supply chain risk management strategy, organizations can use component analysis techniques and a software bill of materials (SBOM) to manage risks introduced by third-party code.
3. Insecure Defaults
The user experience is a key factor in the widespread adoption of an IoT product or solution. Complicated setup processes can deter users from getting the most out of their IoT product. Manufacturers should be careful to make their products easy to deploy, but need to be aware that not all users are IT specialists who understand the risks of using a connected product and can configure the security controls on their own. Products should be secure by default, requiring minimal interaction from the user to configure the security functions, and should provide clear warnings when a user action may result in a less secure device.
4. Focus on Privacy
IoT devices often collect sensitive information from the user including names, e-mail and physical addresses, sensitive network information (WiFi network credentials), and even images. Personal information stored on a device or in the associated IoT ecosystem (i.e., in the cloud) should be protected from misuse. Manufacturers should also consider implementing a process to safely decommission or reset a device, one that is easy to access and that ensures all of the user's sensitive information is wiped from the device.
5. Vulnerability Disclosure
Even products built with the concept of security by design, using robust secure software development lifecycle processes and fully tested, can be susceptible to new and emerging vulnerabilities. Many of these vulnerabilities are discovered by security researchers dedicated to making the Internet a safer place for all. Having a publicly accessible vulnerability disclosure policy, including details on how to report newly discovered vulnerabilities, helps ensure that security researchers can responsibly disclose security risks to IoT product developers, who can investigate and respond when necessary.
With new threats emerging as the IoT advances, these are the key areas we've seen come to the forefront this year as the ones you should focus on when developing secure consumer IoT products in order to mitigate risk and eliminate vulnerabilities.
Vice President of Cybersecurity
During more than 18 years with Intertek-EWA Canada, Wayne has become an expert in many areas of the cyber security domain, including intrusion detection, cryptography, vulnerability assessment, penetration testing, static code analysis, payment technologies, and product reviews. Wayne now manages a team of 60+ security specialists and penetration testers focused on securing network infrastructure, mobile and web applications, and connected products.