Building Security Into Your Internet of Things Application Must Start With Development
Just about everything is connected to the Internet now. Cars have remote starters that can be operated from your phone, refrigerators let you know when you’re running out of kale (and will go ahead and order it for you), and smart homes let you monitor and regulate the temperature and water pressure from across the planet. These are small but significant conveniences, representing the gradual march of technology until we eventually reach the idealized Home of Tomorrow popularized at the turn of the last century. But the Internet of Things—or IoT—also represents a huge security risk that has been underestimated by company after company.
There are a lot of vulnerabilities that are unique to IoT applications, and they get weirder and more esoteric as time goes on. Target’s infamous data breach—which resulted in 110 million credit card thefts in 2014—was accomplished by a hacked HVAC system. How on earth do you secure your application when the air conditioning system can be used against it?
Building security into your Internet of Things application from the ground up
I’ve said it countless times: security is not an added feature. It must be present at every stage of development, from early planning through product launch. Remember that custom application development is never truly finished, and security updates after launch are crucial as vulnerabilities are identified. The same is true for embedded software, but there’s an additional layer of complexity: hardware.
The Internet of Things includes a staggering array of devices, most of which simply do not have the necessary hardware to sustain frequent software updates and security fixes. When they do, getting customers to actually act on patching, if it’s not automatic, is difficult at best. Have you ever updated the firmware on your wireless router? What about your Smart TV? Unless there’s an actual, visible problem, your customers simply are not going to update their software.

Even worse, many of the IoT devices are pretty much treated as disposable because they are so cheap. When these devices are found at the register of a convenience store, how are we supposed to inform those customers when a new security issue shows up?
That’s why at Applied Visions, we make sure that we start from the ground up. No application can or should be released unless and until it is deemed secure—not secure enough, but as secure as possible. That kind of security is reached only by continuous assurance—that is, building security into the application and then re-scanning for vulnerabilities and re-testing the application every time a change is made. In layman’s terms, each time we change the code, we try to break the application. This doesn’t just make sure that it runs smoothly; it makes sure that our security measures aren’t inadvertently weakened by an unrelated change. We even developed Code Dx, an application that tests the actual code to make sure no new vulnerabilities have been introduced.
To be perfectly blunt, this is the only way to even begin to produce secure IoT applications. Your application needs to be secure before it leaves your hands, because you may not be able to fix it later.
Building security into your Internet of Things application from the top down
Aside from introducing security measures into the custom application itself, all of the information that is gathered usually has to go somewhere. That’s why the other end—that famous Cloud everyone likes to talk about—needs to be secure as well. Luckily, this is one of the areas where more traditional, standard security measures will help. Multifactor authentication—for example, when your banking website asks for your password, then asks one of your security questions, or sends a code to your cell phone—is a more practical option on the back end than it is on the device itself.
A huge set of IoT applications also support some kind of mobile device integration. As I mentioned in the beginning, even your car can be partially operated by your phone. Most issues with mobile security involve data theft rather than the device serving as an entry point for other systems. Thankfully, software development companies have gotten pretty savvy about mobile security by necessity.
Simple measures, such as registering your application with the user’s phone number at setup, can make a world of difference in closing security gaps. Multifactor authentication, again, should be standard—but it’s not quite as burdensome to the user when a phone or tablet is part of the process. Even better, it’s possible to use this to actually enhance other security measures by requiring separate authentication from mobile devices.
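To make the multifactor step concrete for both the back end and the phone-based flow described above, here is an added illustration of the server side of a time-based one-time code check (RFC 6238 TOTP, the scheme authenticator apps use). This is not Applied Visions code and has nothing to do with Code Dx; it uses only the Python standard library. The user store is an in-memory dictionary standing in for a database, the secret is the RFC 6238 test-vector secret rather than a real key, and the verifier tolerates one step of clock drift while refusing to accept a code for a time step it has already consumed, so an intercepted code cannot be replayed.

```python
"""Server-side TOTP verification (RFC 6238) for an IoT back end.

Added illustration, not Applied Visions' code. Standard library only.
The user store is an in-memory dict standing in for a database; the
secret used in __main__ is the RFC 6238 test secret, not a real key.
"""
import base64
import hashlib
import hmac
import struct
from typing import Dict

DIGITS = 6
STEP_SECONDS = 30
DRIFT_WINDOW = 1  # accept the previous and next step to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) with SHA-1, as the RFCs specify."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Time-based code: HOTP over the current time step (RFC 6238)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Checks submitted codes and never accepts the same time step twice."""

    def __init__(self, secrets: Dict[str, bytes]):
        self._secrets = secrets                    # user id -> shared secret (constructed)
        self._last_counter: Dict[str, int] = {}    # user id -> last accepted step

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        secret = self._secrets.get(user)
        # Reject unknown users and malformed input before doing any crypto.
        if secret is None or len(code) != DIGITS or not code.isdigit():
            return False
        counter = unix_time // STEP_SECONDS
        for drift in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
            candidate = counter + drift
            # A step at or before the last accepted one is a replay: skip it.
            if candidate <= self._last_counter.get(user, -1):
                continue
            # Constant-time comparison so timing does not leak code digits.
            if hmac.compare_digest(hotp(secret, candidate), code):
                self._last_counter[user] = candidate
                return True
        return False


def provisioning_secret_base32(secret: bytes) -> str:
    """Base32 form of the secret, the encoding authenticator apps import at setup."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    verifier = TotpVerifier({"device-owner": rfc_secret})
    code = totp(rfc_secret, 59)                   # RFC 6238 vector: 94287082 -> 287082
    print("code at t=59:", code)
    print("accepted:", verifier.verify("device-owner", code, 59))
    print("replay rejected:", not verifier.verify("device-owner", code, 61))
```

The phone side is simply an authenticator app that was given `provisioning_secret_base32(secret)` at setup and computes `totp()` locally, so the only thing crossing the network is the six-digit code. Storing the last accepted step per user is the part most home-grown implementations forget; without it, a code observed in transit stays valid for the whole drift window.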
The most critical aspect of security is that all of this should be integrated from the start. Again, security is not a feature, it is part of the application. This is—or should be—true of all custom software applications, but is especially true of IoT apps because you often get only one shot at it. If it isn’t treated as part of the development process, then it just isn’t good enough.