Faulty by default, how do we build IoT software safely?
A lot of 'things' and a lot of Internet means a lot of vulnerability. (Image source: NSFOCUS)


The security vulnerabilities already present and prevalent across the Internet of Things (IoT) leaves a responsibility at the feet of the embedded software architects and software application development professionals building out the technology stacks that will drive the devices we use today, tomorrow and into the immediate future.

Faulty by default?

Surely our architectural approach to embedded software engineering needs a re-rationalization from ground zero? Stephen Gates, chief research intelligence analyst at NSFOCUS, asks why so many IoT devices use default passwords.

“Simple; when manufacturers build this type of technology they make it as ‘user-friendly’ as possible. Just plug it in and often it works. The real intention of the decision to ship every device with the same username/password is primarily designed to reduce customer support calls; which costs manufacturers money,” said Gates.

As we know, most IoT devices ship with the username “admin” and the password “password”.

“Some vendors may use different default combinations, but once you know what vendor does what, it’s easy from there. Manufacturers must do a better job of either ensuring that each device has a unique default password, or they must force users to change the password once the default is entered, when the device is first installed,” insists Gates.

OPERATIONAL NOTE: One way of ensuring that each device has a unique password is to etch each device’s default username and password on the unit itself. Even if a user did not change the default password, a hacker would have to gain physical access to the unit to determine its default username/password combination. If every device shipped with a different combination of login credentials, this would go a long way toward solving the problem.
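The two controls Gates and the operational note describe, a unique random default per unit and a forced password change on first use, can be modelled in a few dozen lines of device-side logic. The following is an added example written for this article, not code from NSFOCUS, HPE or any device vendor; the names DeviceCredentials, provision_device, authenticate, set_password and service_allowed, the "setup" service name and the denylist are assumptions made for the illustration. It goes slightly beyond the text by also gating every non-setup service until the default has been replaced, so a device with a known default is not reachable as anything but a setup page.

```python
"""Per-device default credentials and a forced first-boot password change.

Added illustration (not code from the article or from NSFOCUS/HPE): a small
model of the credential logic an IoT device could ship with so that
(1) every unit leaves the factory with a different default password, and
(2) the device refuses to do anything but let the owner change that password
until it has been changed. Names such as DeviceCredentials, provision_device
and authenticate are assumptions for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000
MIN_PASSWORD_LEN = 12
# Constructed denylist: the defaults the article says most devices ship with,
# plus a few trivially guessable strings.
WEAK_PASSWORDS = {"password", "admin", "12345678", "changeme"}

OK = "ok"
DENIED = "denied"
MUST_CHANGE = "must_change_password"


@dataclass
class DeviceCredentials:
    serial: str
    username: str
    salt: bytes
    pw_hash: bytes
    must_change: bool = True  # set at the factory, cleared by set_password


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so a dumped flash image does not yield passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision_device(serial: str) -> tuple[DeviceCredentials, str]:
    """Factory step: generate a unique random default password for one unit.

    Returns the credential record stored on the device and the plaintext
    default, which is printed on the unit's label and then discarded.
    """
    default_pw = secrets.token_urlsafe(12)  # 16 URL-safe chars, fresh per device
    salt = secrets.token_bytes(16)
    creds = DeviceCredentials(serial, "admin", salt, _hash_password(default_pw, salt))
    return creds, default_pw


def authenticate(creds: DeviceCredentials, username: str, password: str) -> str:
    """Check a login; a correct factory default only grants the change-password step."""
    candidate = _hash_password(password, creds.salt)
    # Both comparisons run in constant time and are both evaluated before the
    # decision, so timing does not reveal whether the username or the password failed.
    user_ok = hmac.compare_digest(username.encode(), creds.username.encode())
    pw_ok = hmac.compare_digest(candidate, creds.pw_hash)
    if not (user_ok and pw_ok):
        return DENIED
    return MUST_CHANGE if creds.must_change else OK


def set_password(creds: DeviceCredentials, current: str, new: str) -> bool:
    """Replace the password; refuse weak choices and refuse to keep the current one."""
    if authenticate(creds, creds.username, current) == DENIED:
        return False
    if len(new) < MIN_PASSWORD_LEN or new.lower() in WEAK_PASSWORDS or new == current:
        return False
    creds.salt = secrets.token_bytes(16)  # re-salt on every change
    creds.pw_hash = _hash_password(new, creds.salt)
    creds.must_change = False
    return True


def service_allowed(creds: DeviceCredentials, service: str) -> bool:
    """Gate every network-facing feature until the default has been replaced."""
    if creds.must_change:
        return service == "setup"  # only the local setup page is reachable
    return True


if __name__ == "__main__":
    creds, label_password = provision_device("SN-EXAMPLE-0001")  # constructed serial
    print("label:", label_password)
    print("default login:", authenticate(creds, "admin", label_password))
    print("stream before change:", service_allowed(creds, "video_stream"))
    print("changed:", set_password(creds, label_password, "correct-horse-battery-staple"))
    print("login after change:", authenticate(creds, "admin", "correct-horse-battery-staple"))
    print("stream after change:", service_allowed(creds, "video_stream"))
```

Two design points matter here. The factory never derives the default from the serial number or MAC address, because anything derivable from a value printed on the box or broadcast on the network is not unique in practice; it is a random value that exists only on the label and as a salted hash in flash. And the must_change flag is enforced by the service gate, not only by the login screen, so a unit left on its default is not an exposed camera or router that happens to nag the owner, it is a setup page and nothing else.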

If this problem is not solved on a global scale, analysts argue that soon we may see DDoS attacks that are capable of taking down major portions of the Internet, as well as causing brownouts, creating intolerable latency, or making the Internet and all the ‘Things’ in it unusable. 

The Kappenberger factor

Reiner Kappenberger, global product manager at HPE Security – Data Security, agrees. He says that the IoT space has become a hot market where companies need to enter quickly with functionality in order to be considered leaders in the space.

However, where functionality is the leading indicator, security measures risk being pushed to the back of the development cycle and then frequently dropped in order to release a product. While some of the resulting flaws are easy to fix, the problem can lead to new entrants running out of business because security did not take an equal position to features during development.

“The current lack of guidance and regulations for IoT device security is one of the bigger problems in this area and why we see breaches in the IoT space rising,” said Kappenberger.

“Typically computers have a lifespan of a few years. However, IoT devices may be around for 10+ years before being replaced – especially in home networks. Companies working in this market need to consider this fact as over the years we have seen a constant flood of vulnerabilities in the tools being used and those systems need to be updated to patch those security flaws. As shown by this latest development, this is a broad problem that manifests itself on many IoT devices with extremely damaging results,” he added.

Kappenberger asserts that consumers who venture into the IoT space should identify the security measures that have been taken to secure the device and ask about the long-term support for the product.

The developer responsibility to IoT

Many commentators have already discussed the lack of standards across IoT software platforms. Still more have commented that the IoT security war has already been lost before it started and that it now comes down to how well we architect the Application Programming Interface (API) connections between devices — and how carefully software application developers start to ‘couple up’ the decoupled services that exist across the IoT.