Software Integrity Blog


Building security into IoT software development

The Internet of Things (IoT) will create a software development surge unprecedented in scope and reach. And building security into IoT devices is crucial.

The original version of this post was published on IoT Now.

Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing ever happened.

—Winston S. Churchill

The Internet of Things (IoT) has brought us to a precipice that we have seen before: A new wave of software development is beginning to form that will crest in size beyond our ability to forecast. We saw it as applications moved onto the web and, more recently, as applications moved to mobile devices. In both cases, we did not stop to consider security until the toothpaste was already out of the tube and could not be easily put back.

IoT will create a surge in software development that will be unprecedented in scope and reach. Why? It’s simple.

First of all, a connected device is, by definition, connected to the internet. Anything connected to the internet can be discovered and potentially infiltrated.

Secondly, for the device to function with any degree of intelligence, there must be software. Software not designed and constructed to be secure will contain vulnerabilities that can be exploited to gain access to the device.

Finally, devices collect data and send them to a collection point in a back-end application. If the device is compromised, it becomes possible to extract this data. Infiltration of a device provides hackers a pivot point to reach other targets. For example:

  • For consumers, the access to the home router may provide a path into the home’s alarm system.
  • For businesses, intrusion into a HVAC system may provide a path to POS systems, such as what happened at Target.

The bottom line is that software is an immutable part of the equation, as is all of the associated security issues. Many of the industries building IoT devices and embedded systems do not have the same experience level with software security as their counterparts in financial services and may not have mature software security initiatives. One problem is that the developers writing the IoT software will assume the developers writing the back-end application are handling security. Meanwhile, the back-end application developers are assuming the mobile application developers are handling security. And so it goes.

In other words, we are doomed to repeat the sins from web application development and mobile application development. Somewhere the ghost of Churchill smiles wryly. So how do we not pick ourselves up and hurry off as if nothing ever happened?

Improve your IoT software security


More by this author