​Cloud Security Alliance lays out security guidelines for IoT development

The Cloud Security Alliance has published guidance for the Internet of Things development community on how to best prepare for the security challenges the future connected world will present.
Written by Asha Barbaschow, Contributor

The Cloud Security Alliance (CSA) Internet of Things (IoT) working group has published a report to guide designers and developers on basic security measures it believes must be incorporated throughout the development process.

The report, Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products, says that because IoT is broad-ranging and developing at great pace, identifying controls that can be applied against IoT products is difficult, noting its main reason for compiling the report is to give designers and developers a starting point to work from.

According to Brian Russell, chair of the CSA IoT Working Group, an IoT system is only as secure as its weakest link.

"It is often heard in our industry that securing IoT products and systems is an insurmountable effort," he said. "We hope to empower developers and organisations with the ability to create a security strategy that will help mitigate the most pressing threats to both consumer and business IoT products."

With predictions of in excess of 50 billion devices connected by 2020, the report says adding interconnectivity between devices and existing network infrastructures open up new attack vectors that many will attempt to exploit.

"The consequences of a particular IoT product being used to compromise sensitive user information or worse, to cause harm or damage, will be catastrophic to the product vendor," the report says.

Pointing to the VTech breach of late last year, the report says that the interesting take-away from the event was that the devices themselves were not compromised, rather the online services that devices connect with were not sufficiently secured.

Toy maker VTech admitted late last year that hackers were able to exploit wide-open security holes in its company computer systems, stealing non-personally-identifiable data from 200,000 children who use its Kidizoom smartwatches, InnoTab tablets, and related connectivity apps.

Shortly after, it was revealed that hackers had also made off with "hundreds of gigabytes worth of profile photos, audio files, and chat logs -- many of which belong to children."

When it comes to Distributed Denial of Service (DDoS) attacks, the report says that IoT devices prove to be useful to those wishing to perform such attacks, given the substantial quantities associated with IoT products.

"These capabilities are driving the human out of the decision-making loop in many instances and as we rely on IoT products to do the basic thinking for us, we will need to make sure that those products and their associated services and interconnection points are each developed as securely as possible," the report says.

As the title of the report suggests, the CSA group laid out 13 considerations for producing secure IoT devices in a bid to mitigate some of the common issues that can be found with IoT device development.

These included the necessity for designers and developers to implement a secure firmware and software update process from day one.

It suggests securing product interfaces with authentication, integrity protection, and encryption as well as obtaining an independent security assessment of the IoT products in production.

The report also recommends securing the companion mobile applications and/or gateways that connect with the IoT products as well as implementing a secure root of trust for root chains and private keys on the device.

"Startups in the connected product/system space are challenged with getting their products to market quickly," Russell added. "Finding the right talent to help secure those products early in the development cycle is not an easy task."

Last month, the Office of the Australian Information Commissioner (OAIC) found that 71 percent of IoT devices and services used by Australians failed to adequately explain how personal information was collected, used, and disclosed.

OAIC conducted the review from April 11-15 this year, in unison with fellow international regulators through the Global Privacy Enforcement Network (GPEN), which comprises 25 participating data protection authorities.

When it comes to the collection, use, and disclosure of data, the OAIC also revealed in its sweep that 27 percent of businesses did not indicate whether personal information would be shared with third parties.

The OAIC found that some organisations did not make it clear what information would be collected, reporting that it was unclear whether a username, address, phone number, date of birth, phone, or browsing history was stored by over a third of the businesses whose privacy communications were looked into.

Overall, the global sweep found that about 72 percent of businesses did not clearly explain how a user could delete their personal data from the device or app, with 38 percent of devices also failing to provide easily identifiable contact details that customers could use if they had privacy concerns.

Editorial standards