Security concerns with connected devices has continually been voiced across all industries. Attacks on consumer connected devices in the home, in healthcare or within businesses, appear in the media evermore frequently. The largest concern is how could security fears affect the aggressive growth rate of the Internet of Things.
But the more important question businesses should be asking is “what to do about IoT Security?” Rather than any government inserting its force to improve security conditions, the innovator and early adopters forging into the unknown need to tackle security head-on.
One group based in the U.K. is making such a proactive move. A number of engineers have been drafting a document for an architecture to address the problem of delivering software updates to internet-connected things. The engineers including, Brendan Moran, Milosch Meriac and Hannes Tschofenig, stated that the connected device security problem is worse “when devices have a long lifetime, are deployed in remote or inaccessible areas or where manual intervention is cost prohibitive or otherwise difficult”. The latter is certainly the case for home-based consumer devices.
Here is a quick summary of the team’s security requirements for connected device software updates:
- Connected device updates have to use authentication to ensure malicious updates are an impossibility and protected against recovering the binary.
- Updates are medium-agnostic
- Updates support broadcast delivery
- Updates are secure
- Updates can use a small bootloader and don’t need a new firmware format
- Devices have “robust permissions” (including authoring, storage, apply the update, approval, and qualification).
The document further outlines how PKI should be used to manage those permissions, and update both the firmware’s digital certificate and a target device’s public key.
Although there may be many different ways to secure connected devices as we have covered here and here, the greater importance is around having an industry-wide conversation to form security standards and for businesses to accept the responsibility to design and implement such security standards in their products. Cost, time and other factors clearly dictate some aspects of what businesses can and can’t do. But security will remain a significant market impediment until it is adequately addressed.