Testing is the only way to ensure organisations using internet of things (IoT) devices remain secure, but that testing cannot be confined to internet-connected devices alone, warns Deral Heiland, IoT research lead at Rapid7.
“The most important point is that when we are thinking about security in IoT, let’s not over-focus on the embedded technology hardware, which is what researchers, testers, companies and customers tend to do,” he told Computer Weekly.
“It is important to include the whole ecosystem of a product. All the pieces that make an IoT solution work need to be considered, not just the device hardware, when we are thinking about the overall security model and risk of the product.”
These elements typically include network communications, radio frequency communications, cloud APIs (application programming interfaces), mobile apps, cloud services, and the command and control applications found in the mobile and cloud-based pieces of an IoT system.
According to Heiland, it is not uncommon to find issues with every one of these elements making up an IoT system, but they are typically at different levels of severity.
Device manufacturers are the most obvious organisations to have security testing processes in place to assess products and services before going to market, which can alleviate “a massive amount” of the risk, said Heiland.
Allied to this, manufacturers need to ensure they have effective patching or software updating mechanisms and processes in place, so problems can be fixed when they arise.
“Vulnerabilities are never going to go away, but – like Microsoft did – this problem can be tackled by having an effective patching process to greatly reduce the risk, which consumers, both organisations and individuals, should expect and demand from manufacturers,” said Heiland.