20 Jul, 2020

DevSec For IoT

by nVisium

It seems that every day we wake up to new devices being made “smart” by attaching them to the internet and giving them the computational capability to collect, monitor, analyze and report on data. Have you ever wondered whether these new devices, while adding value to your life, are in fact creating even more security vulnerabilities in the process?

IoT Is Pervasive

If you have been living under a rock for the last decade and are not familiar with the Internet of Things (IoT) then Wired Magazine explains it as:

“In the broadest sense, the term IoT encompasses everything connected to the internet, but it is increasingly being used to define objects that "talk" to each other.”

And goes on to say:

“By combining these connected devices with automated systems, it is possible to "gather information, analyse it and create an action" to help someone with a particular task, or learn from a process. In reality, this ranges from smart mirrors to beacons in shops and beyond.”

IoT being pervasive is actually two-fold. On one hand, IoT devices are now showing up everywhere in both consumer and business environments. On the other hand, the concept of pervasive computing is ideally suited for IoT as explained by UX Collective:

“So the idea of pervasive computing is embedding computational capability into everyday objects to make them effectively communicate and perform useful tasks in a way that minimizes the user’s need to interact with computers as computers. Unlike desktop computers, pervasive computing can occur at any time, with any device, in any place, regardless of the data type on any given network. So this leads IoT-enabled devices to perform actions while understanding the context. The goal of pervasive computing is to make these devices smart, adapt to their surroundings and improve the human experience in day to day life.”

Given the growth of demand for IoT, it is incumbent on the development community to understand the unique security requirements that need to be accommodated for these connected (and pervasive) devices.

DevSec for IoT

IoT presents its own unique set of security challenges and requires a broad skill set to assess. IoT assessments done correctly will identify weaknesses across the entire IoT architecture, including software, hardware, API, and web and mobile components. The four critical success factors for IoT DevSec to achieve this are:

  1. Source code review: use a combination of static source code analysis and manual inspection to identify vulnerabilities in the system’s source code.
  2. Software and hardware testing: assess the IoT system dynamically through manual interaction to find and validate vulnerabilities.
  3. Forensic analysis: analyze the physical devices for extraneous data leakage and pivot points that may affect the overall security posture of the IoT system and its users.
  4. Reverse engineering: inspect binaries for flaws in compilation and deployment that may be leveraged by an attacker.

Ultimately, to be comprehensive, vulnerabilities will need to be assessed in the following categories:

  1. Secure communications
  2. Memory corruption
  3. Management interfaces
  4. Usage of platform security protections
  5. Data storage and persistence
  6. Cryptographic analysis
  7. Protocol-level analysis
  8. System update mechanism
  9. Local and remote authentication
  10. Authorization and access control
  11. Backend application and infrastructure security
  12. Mobile application integration

This level of comprehensiveness is harder to achieve than you may think. An IBM Big Data & Analytics Hub blog post titled “Designing a secure and scalable Internet of Things ecosystem using multiagent systems” carries this warning:

“The Internet of Things (IoT) introduces both security and epistemic challenges having to do with data ontology, network science and system engineering. Because the loosely coupled architectures of the IoT ecosystem enable seamless connectivities that span heterogeneous industries and networks—often using public networks and application programming interfaces (APIs)—the ever-expanding IoT ecosystem introduces architectural, operational and security challenges.”

Securing IoT, and testing that security, requires a unique skill set and approach. To be thorough, you will need to build an initial threat model of the IoT device’s infrastructure and then test its hardware, software and APIs, as well as every protocol it uses.

Coding for IoT Realities

Before you start planning, developing and testing IoT devices on your own, it may be time to look for a partner who can train your developers in the latest techniques specific to IoT DevSec and provide the critical third-party assessments before you go into production.

nVisium empowers organizations to eliminate application and cloud security vulnerabilities before cyber threats exploit them, with proven in-depth security assessments, remediation and training programs. Our experienced team of security-savvy developers and engineers guides organizations in building high-ROI best practices into their engineering and development lifecycles across applications, operating systems, networks, mobile, cloud and IoT, through services, software solutions and R&D tailored to business operations and compliance initiatives. Additionally, nVisium provides a fully managed platform for tracking and measuring performance, as well as instructor-led and online training.

Are you ready to move into IoT development? Our IoT assessments identify weaknesses across the entire IoT architecture, including software, hardware, API, and web and mobile components. Give us a call to help train your team or, better yet, schedule a consultation today.
