5 Rules for Manufacturers in Securing the Internet of Things
Posted by Venkat Rajaji
I bought a new car this past weekend, and it’s absolutely amazing how much technology, computer systems, and even Internet connectivity exists within the car. It’s not just my car, but all cars, are looking more like computerized spaceships than the simple cars I grew up with. It makes my life as a driver so much more convenient and adds a lot of new safety options that I never thought possible. And, it’s not just cars. Manufacturers, and products in general are getting smarter, adding more luxurious features, and adding so much software and technology that they are making lives of consumers better every single day.
At the same time, as someone who works in the information security industry, this of course scares the daylights out of me. While the speed in which manufacturers create and release new technology becomes faster and faster with each passing year, the security of these devices has failed to keep up. As a manufacturer, are you constantly testing your devices to make sure that you not only know what vulnerabilities exist but also how to patch them? As a customer, do you believe that your device is as secure as possible?
Here are 5 rules manufacturers should follow to keep customers safe in the world of the Internet of Things:
Scan, Test, Patch Repeat – You wouldn’t send out a new smart phone without making sure that it can connect to the internet or make a call, so why would you send it out if you didn’t know the security features were in tact? Before sending out any piece of equipment to consumers, you should be scanning, testing and patching vulnerabilities. However, just because the device is out the door and in the hands of consumers doesn’t mean your job is done. You should be consistently checking your device and software, especially with each new update, to ensure your security patches are holding and that there are no new patches needed.
Be Transparent with Vulnerabilities – If you have scanned, patched and verified your devices from step one then you are well on your way here. However, you need to make sure that these vulnerabilities, along with their patches, are prominently displayed on your website for all to see. I know this may seem like you are posting your shortcomings, but you are actually showing your commitment to each customer to make sure that their experience is the best it can be. Let’s go one step further here, are you in healthcare? If so, your devices and their security can be a matter of life and death. For any industry where your devices play a critical role in someone’s well-being or livelihood, make sure you are also reporting these vulnerabilities, and patches, to the appropriate governing body like the FDA.
Notify Users of Significant Changes and Make Updates Easy - How can you tell what is significant? If it impacts the way the device should be used or if there are feature changes that will remove or alter safety features or introduce a safety hazard, all users of this device should be alerted. Yes, I think push notifications are extremely annoying too and tend to opt out of them whenever possible. However, these notifications are the fastest way to not only alert users of security updates but with a few clicks it makes downloading these software patches extremely easy.
Give Humans the Power to Opt-Out – I understand that the features in your device are amazing, life-changing even. However, when a device or its software affects someone’s life, they deserve a say in how they use it. It’s as simple as that. Especially if the software or its updates are in a life-saving healthcare device. The doctor and the patient must not only understand the features but need to come to an agreement on how and when they will be used. So yes, while sending an automatic order to the grocery store when you are out of milk seems innocuous, your customers should still get a say in how and when that order happens.
Reinforce Security with Password/Input Authentication – I don’t know about you but my kids are regularly playing with my phone creating numerous selfies and rearranging my phone apps into a pattern only a five year old could understand. Why is that? Well, I made the mistake (ONCE!) of showing them my password. Now, while these changes aren’t that big of a deal (some of the selfies are actually pretty funny), it would be a completely different situation if that same password unlocked my bank account or some other crucial application. Similarly, as a manufacturer, make sure to reinforce and tell your customers to reset the default passwords associated with your device (e.g. the default password for a digital camera). This is one of the easiest ways for bad actors to take advantage through IOT devices through the default password for the product out of the box. When building in the ability to make changes to your device, make sure to put extra authentication in place. Whether it is using biometrics or multi-factor authentication, when you are giving humans the ability to change their settings, make sure it is the right human and not a mistake made when looking for a game of Candy Crush or worse a bad actor looking to steal their data.
Even though it seems like we have been talking about it forever, IoT is still in its infancy when we think of the possibilities in just the next few years. As a manufacturer, you should be on the forefront of not just the next innovation but the next way to keep these devices safe for consumers and fortified against bad actors. Test your products. Alert your customers. Make updates easy and transparent. By doing these things you will not only build the best products but the best reputation for safety and security in the internet of things.