Security of smart devices is getting worse, says a penetration testing expert, who blames suppliers of connected devices that ignore security and privacy issue notifications.
Is the answer more security regulations and laws, or is it better product strategy?
Computer Weekly reported this week on security expert Ken Munro’s comments in a conference presentation in which he blasted many embedded system suppliers for not seeming to care about securing their products.
Computer Weekly quoted Munro, senior partner at Pen Test Partners, as saying: “I have spent the past five years fighting manufacturers of smart products and trying to influence behavior and make products more secure, but, by and large, I have failed, because the security of smart devices is actually getting worse.”
Munro and his colleagues conduct penetration tests and research security vulnerabilities in a range of systems and devices, such as automotive systems, Internet of Things (IoT), mobile devices, and many others.
“My experience with almost every single IoT supplier we have ever disclosed (a vulnerability) to — and we have done two to three disclosures per week for the past four years — is that they simply ignore us, nothing happens and they carry on selling their product, profiting out of making people vulnerable,” Computer Weekly quoted Munro as saying.
Munro’s sentiments reflect those of legislators and regulators in many jurisdictions who have begun to scrutinize the security issues and breaches associated with IoT, smart devices and other embedded systems. The feeling among many lawmakers and industry observers is that some manufacturers must be forced into making more secure products through tighter regulations and laws carrying stiff penalties.
A few weeks ago, California became the first state in the US to enact legislation specifically requiring security for IoT devices. The measure expressly requires device manufacturers to equip their devices with security features that “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
Some in the security community feel the new law creates more problems than it solves, accusing the legislators of creating a vague law that will be ineffective while being costly to implement.
“This law is based upon an obviously superficial understanding of the problem,” wrote security expert and blogger Robert Graham. “It in no way addresses the real threats, but at the same time, introduces vast costs to consumers and innovation.”
And others in the industry feel the California law does not go far enough.
“California’s new IoT security law is not nearly enough,” wrote Sudhakar Ramakrishna, CEO of encryption and secure access vendor Pulse Secure, in SC Magazine.
“We need a GDPR for IoT … NOW!” he added, citing the European Union’s General Data Protection Regulation, a measure that went into effect this year that levies huge fines and penalties potentially amounting to millions of dollars on companies that misuse consumer data and fail to protect its privacy.
Designing & Maintaining More Secure Products
But smart makers of smart devices are already looking for ways to bring more secure products to market, before they are forced to do so by massive fines. And that’s simply good product strategy. A more secure product is a differentiated product and gives your offering a competitive advantage in the marketplace.
The strategy, then, is to design your products with security at the outset, and also to make it easy to maintain that security posture once they are in production deployment.
Best practices include:
- Device hardening — closing security gaps in configurations and limiting the damage an attacker can do if they compromise the device.
- Security testing and security audits — pinpointing areas of potential compromise during design stages, by inventorying and understanding the open source components in your system and any associated vulnerabilities.
- Secure boot — designing the system to verify code authenticity before execution and to maintain a chain of trust from bootloader up to applications.
- Encryption and key storage — ensuring data is processed and stored in a protected, encrypted manner as appropriate to the device.
- CVE monitoring & management — identifying vulnerabilities that affect your systems and embedded components for products in production with end customers.
- Patch monitoring & management — tracking patches for system components and ensuring products in production deployment can be patched securely and quickly.
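To make the secure boot item concrete, here is an added illustration (not Timesys code or any project's implementation) of a chain of trust: an immutable root holds the digest of the first stage, and each stage embeds the digest of the next, so nothing executes until its predecessor has verified it. It is a simplification: production secure boot verifies a signature over each image with a public key held by the previous stage, whereas this example uses SHA-256 digests only so it runs with the Python standard library. The stage names, image bytes and helper functions are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


class BootError(Exception):
    """Raised when a stage fails verification; a real device halts or falls back to recovery."""


@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes                  # the code this stage would execute
    next_digest: Optional[bytes]  # SHA-256 of the following stage, None for the last stage


def stage_digest(stage: Stage) -> bytes:
    # Hash the image together with the embedded next-stage digest, so a valid image
    # cannot be kept while being redirected to a different (unverified) next stage.
    h = hashlib.sha256()
    h.update(stage.image)
    h.update(stage.next_digest or b"")
    return h.digest()


def build_chain(images: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Stage]]:
    """Build stages last-to-first so each embeds its successor's digest.
    Returns (root_digest, stages); root_digest is what would be burned into ROM/OTP fuses."""
    stages: List[Stage] = []
    successor: Optional[bytes] = None
    for name, image in reversed(images):
        stage = Stage(name, image, successor)
        successor = stage_digest(stage)
        stages.insert(0, stage)
    if successor is None:
        raise ValueError("empty chain")
    return successor, stages


def verify_boot(root_digest: bytes, stages: List[Stage]) -> List[str]:
    """Walk the chain as an immutable boot ROM would: check each stage against the
    digest held by its predecessor before 'executing' it. Returns names of executed stages."""
    executed: List[str] = []
    expected: Optional[bytes] = root_digest
    for stage in stages:
        if expected is None:
            raise BootError(f"{stage.name}: no trusted digest for this stage, refusing to execute")
        if not hmac.compare_digest(stage_digest(stage), expected):
            raise BootError(f"{stage.name}: digest mismatch, refusing to execute")
        executed.append(stage.name)
        expected = stage.next_digest
    if expected is not None:
        raise BootError("chain ended before its last expected stage")
    return executed


def boot_refused(root_digest: bytes, stages: List[Stage]) -> bool:
    """True if the chain is rejected, False if every stage verifies and executes."""
    try:
        verify_boot(root_digest, stages)
        return False
    except BootError:
        return True


# Constructed sample firmware images; on a device these are the real binaries.
FIRMWARE = [
    ("bootloader", b"bootloader stage, constructed sample"),
    ("kernel", b"kernel image, constructed sample"),
    ("rootfs", b"root filesystem image, constructed sample"),
]
ROOT_DIGEST, STAGES = build_chain(FIRMWARE)


def tampered_kernel() -> List[Stage]:
    """Same chain with a modified kernel image (simulated unauthorized update)."""
    out = list(STAGES)
    k = out[1]
    out[1] = Stage(k.name, k.image + b" + unauthorized change", k.next_digest)
    return out


def extra_stage() -> List[Stage]:
    """Same chain with an unverified stage appended after rootfs."""
    return STAGES + [Stage("extra", b"unverified code, constructed sample", None)]


if __name__ == "__main__":
    print("clean boot executed:", verify_boot(ROOT_DIGEST, STAGES))
    print("tampered kernel refused:", boot_refused(ROOT_DIGEST, tampered_kernel()))
    print("extra stage refused:", boot_refused(ROOT_DIGEST, extra_stage()))
    print("truncated chain refused:", boot_refused(ROOT_DIGEST, STAGES[:2]))
```

The design point is that only the root digest needs to be immutable: every later stage can live in rewritable flash, because a modified image, an appended stage, or a truncated chain all fail verification before any of that code runs. Replacing the digest comparison with signature verification is what lets the chain be updated in the field without reburning the root.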
Timesys has helped ensure Internet of Things device security and cut the risk of data breaches in device makers’ products for a range of industries, including healthcare, manufacturing, transportation and industrial controls. We specialize in embedded Linux security, IoT security, and embedded system security for open source software.
Our Threat Resistance Security Technology (TRST) Product Protection Solutions include offerings that can help you to ensure products are secure by design and will stay secure throughout the product lifecycle.
Contact us today to learn more.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with leading global semiconductor manufacturers, delivering smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.