'Tis the Season to be Wary
With just a few shopping days left before Christmas, the retail frenzy is at its height. Judging from the plethora of products touted in all of the sales flyers and commercials, it seems that this is the “smartest” season of the year. It is hard to ignore that more and more products are connected via the Internet, from smart thermostats and lights to beverage containers with an app that reminds you it is time for a drink - all programmable from a phone, tablet or other connected device. As so many have predicted, the IoT is here and here to stay. Depending upon which analyst organization you follow, it is anticipated that there will be billions of connected IoT devices operating in the global ecosystem within a few years.
As consumers readily scoop up the new generation of smart gadgets, you have to wonder how many truly understand the potential dangers that exist in these very powerful devices, many of which are small enough to fit in the palm of your hand. We in the industry, of course, understand the potential vulnerabilities in IoT devices and the many ways in which nefarious actors can use them for malicious purposes, exposing personal and private data, IP, and critical infrastructure to cybercrime.
A December 2016 report released by the Institute for Critical Infrastructure Technology (ICIT), Rise of the Machines: The Dyn Attack Was Just a Practice Run, provides the gory details of many of the most recent cyber-attacks and further warns of the potential mayhem that awaits us.
“Each device vulnerable to adversarial compromise, inflates and bolsters the exploitable cyber-attack surface that can be leveraged against targets, and every enslaved device grants adversaries carte blanche access that can be utilized to parasitically entwine malware into organizational networks and IoT microcosms, and that can be leveraged to amplify the impact and harm inflicted on targeted end-users, organizations, and government entities,” warns report co-author James Scott, Sr. Fellow, ICIT.
In many cases, as pointed out in the report, negligently developed IoT software and hardware are responsible for creating vulnerabilities in these devices and exposing them to attacks. And the problem will only get worse as more manufacturers rush to develop IoT devices to carve out their share in the rapidly emerging market and stay competitive. The ICIT report reasoned that “Device manufacturers do not include security-by-design due to lack of time, expertise, and economic incentive.”
Yet, security-by-design is the critical element in the manufacturing and delivery process to provide the protections needed to thwart cyber criminals. Unfortunately, many device manufacturers are not experienced in software development and certainly not familiar with the nuances and complexities of embedded software security. Additionally, until the emergence of connected devices and the IoT in the past decade, software was considered a cost center for hardware manufacturers who did not understand the monetization possibilities that software can bring.
Fortunately, there is a silver lining amidst the cyber doom and gloom. There are security technologies that exist today and companies with the expertise to work with device manufacturers to integrate these technologies in a cost-effective manner to provide the necessary protections. Manufacturers can also learn how to monetize the software embedded in these devices by employing creative, device-oriented licensing strategies.
To learn more about these security-by-design concepts, download our white paper, Licensing and Security for the IoT. The document details mechanisms for security integration into devices and software, secure upgrades and updates, licensing models tailored to IoT devices, license management, access rights and certificates, scalability, and protection against tampering, reverse engineering, copying or cloning.