An OEM's Guide to IoT, Part 3: Security Isn't a Choice

By | October 20th, 2016 | Internet of Things, Zipit |

IoT security has to be planned and designed into products from the beginning, not tacked on as an afterthought. Period.

Reports of cars that have been taken over by hackers, medical devices that are allegedly not as secure as they need to be, and other security oversights put people and their data at risk and frighten away potential buyers (and even suppliers) of those products, slowing down the realization of a connected world with more efficient industry, better population health, and arguably safer roads.

Yes, it will always be a cat-and-mouse game that we as an industry play, and products may never be 100% hacker-proof, but we as service providers and IoT developers have a responsibility to apply common sense and follow security best practices from the outset. After all, you wouldn't design a laptop without security, so why design a medical device that way?

Zipit knows a thing or two about product design.

In fact, we have an extensive background in product design and development stretching back for more than a decade. Our first branded product was a Wi-Fi instant messaging device, used primarily by teens and pre-teens in early 2003.

From the beginning, we took the proper precautions to design in security, and not just because we wanted to protect the company's infrastructure and intellectual property. It was the right thing to do, especially because our devices would be used by teens and pre-teens, people who are now routinely identified as targets of everything from cyberbullying to spyware attempts, or worse.

In the first release of the Zipit Wireless Messenger product, we actually designed in a special hardware encryption chip that we would enable through an Over the Air (OTA) software update upon first connection to the Internet. This upgrade path was designed so that we could securely provide new features to our product as the needs of our customers evolved. Lo and behold, we were amazed at how quickly the repurpose (read: hacking) community started to modify the original device using the upgrade facility we built into the solution. Let's be clear about what we are saying here. The device and the software on our device were never compromised through this upgrade path. People were able to modify the device for their purposes but were never able to touch or modify the core functionality of our product and the market we were serving. People repurposed the device for uses outside of what we envisioned would be possible. There were some very creative applications that were created as part of these efforts.

We did not envision that this device would attract genuine interest from enterprises or professional groups, mainly due to its hardware and software limitations. It was an inexpensive device at $99, with 8MB of RAM, a 16-bit CPU, running embedded Linux. It just happened to be the first sub-$100 embedded Linux computer, and many people had ideas for it that we did not originally conceive of. Eventually, a software company licensed our hardware for an education market, which we fully supported.

In our second version of the product, we added all the technical requirements to keep tinkerers busy, but with the proper support from us: an SD expansion slot with the ability to boot into a different version of the operating system, an expansion port with documented pinouts, a color screen and a lot more CPU and memory, and a development wiki and license agreements. We liked the idea of being an enabler for other markets even back then, but the right plan and support infrastructure needed to be put in place.

Fast forward to the IoT products we work on today.

We continue to develop them with security in place, not just for the same reasons I stated earlier (protecting infrastructure, IP, content and the physical devices) but also because, now that more people are developing for the IoT than ever before, companies can no longer accurately predict the use case opportunities available to their products. This means security must be put in place, even if it initially does not seem logical to design in encryption in, say, an outdoor trail camera used by the hunting community.

The same outdoor camera designed to capture images of wildlife scurrying through the woods could easily end up being used in different locations, like the back of a home as part of an overall security system. In the wrong hands, though (and without proper security implemented), people with nefarious ideas could try to compromise the content on that device, and that could hurt the product and the companies behind it.

Even state and federal government entities are working to ensure IoT security measures are being taken, legislating patient privacy laws to ensure that connected medical devices, which may transmit protected health information, are kept secure and encrypted at all times.

In addition, there are many companies and standards bodies working on IoT security initiatives like this to ensure that the Internet of Things is a world we can all benefit from.

We've asked Lee Stogner, certified PMP and member of the Future Directions Committee of the Institute of Electrical and Electronics Engineers (the IEEE), to share info on the IEEE's initiatives that focus on addressing security challenges:

With resources from around the world, the IEEE has divided the problem into areas that can be more easily addressed.
These include:

  • The Smart Grid
  • Transportation Electrification
  • The Internet of Things
  • Cloud Computing
  • Big Data
  • Smart Cities
  • Artificial Intelligence
  • Hardware and Software Standards
  • Cybersecurity

Within these areas, experts have created Publications, Training, Standards, Conferences and Forums where people, companies and government can talk and find ways to solve security problems. The result is an international team that is working together. The IEEE does not work by itself but works with other international private and government groups to ensure that cybersecurity solutions are universal and can be used by everyone.

For a quick introduction to what the IEEE is doing, go to http://theinstitute.ieee.org/static/special-report-cybersecurity

For ongoing IEEE cybersecurity information, go to http://cybersecurity.ieee.org/

We cannot predict how all IoT products will eventually be used or what amazing possibilities they will enable. What we can predict is that there will always be creative people finding new ways to utilize them, in ways we may never have considered. Some good, some bad.

We just need to prepare for both.

If your company is interested in leveraging IoT technology, or has questions about the security considerations that need to be taken to provide a best-in-class IoT solution, get in touch with us today so we can assist you.
