Enterprises in all sectors are looking to smart connected products to launch new services, improve operational efficiency or make users safer. But they will struggle to sell those services if security concerns weigh heavily on buyers. For example, Park Research found that 71% of U.S. broadband households with smart home devices were concerned about cybersecurity, and over 40% did not trust companies to keep their data safe.
To address these concerns, businesses are putting security at the top of the agenda. A report from GSMA Intelligence and Orange found that 85% of enterprises have changed their security practices because of their IoT deployments. Most (61%) now saw a security-first strategy as a competitive differentiator.
Any security strategy needs to encompass the device hardware, software, data, communications and system design. IoT devices in particular pose a security challenge: although well connected, they typically have low compute capacity and are often deployed in locations that make good security practice difficult. Enterprises will also have to handle data very carefully, as it can include personal data and other critical information.
With this in mind, we suggest 13 best practices for designing and developing secure smart connected products and services.
1. Use standard cryptography
There is no need to reinvent the wheel in terms of cryptography. Find a suitable algorithm and a library and concentrate your efforts on their implementation and use. Trust the experts and remember that vulnerabilities are rarely in the specifications themselves; they are usually in how the algorithms are implemented and used. Lightweight cryptography is suitable for most IoT applications.
2. Communicate securely
In addition to securing data on the device, cryptography is vital to secure communications from and to the device. Any sensitive data, including remote management and control, should be encrypted in transit. All keys will also need to be managed securely.
3. Store credentials and security-sensitive data in a secure way
It is important to store credentials securely both on the server side and on the device. Hard-coded credentials in device software are not acceptable, and obfuscation is not a fix: reverse engineering readily recovers hard-coded credentials and secret keys. Where possible, rely on hardware mechanisms.
4. No default password
Do not use default passwords such as “admin/admin” or more complex passwords that can be reset to a universal factory default value. Each device should have a unique password.
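Points 3 and 4 together come down to one provisioning rule: every device gets its own secret, and the server never keeps that secret in plaintext. The following is an added example, not code from the original article or from Orange; the function names, the in-memory credential store and the scrypt parameters are assumptions made for the illustration.

```python
"""Added example (not from the original article): per-device credentials
provisioned at manufacturing and stored server-side only as a salted,
memory-hard hash. Function names, the in-memory 'database' and the
scrypt cost parameters are assumptions made for this illustration."""
import hashlib
import hmac
import os
import secrets

# Parameters for hashlib.scrypt (standard library, needs OpenSSL support).
# Tune n upward on production hardware; 2**14 keeps the demo quick.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

# Constructed in-memory stand-in for the server's credential store:
# device_id -> {"salt": bytes, "hash": bytes}. Nothing here holds plaintext.
CREDENTIAL_STORE = {}


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash of the device secret with a per-device salt."""
    return hashlib.scrypt(secret.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def provision_device(device_id: str) -> str:
    """Generate a unique secret for one device at provisioning time.

    The plaintext is returned exactly once, to be written into the device's
    protected storage; the server keeps only the salted hash, so a leaked
    credential database does not hand out working device secrets.
    """
    if device_id in CREDENTIAL_STORE:
        raise ValueError(f"device {device_id} already provisioned")
    secret = secrets.token_urlsafe(32)          # 256 bits of randomness, unique per device
    salt = os.urandom(16)
    CREDENTIAL_STORE[device_id] = {"salt": salt, "hash": _hash_secret(secret, salt)}
    return secret


def verify_device(device_id: str, presented_secret: str) -> bool:
    """Check a presented secret against the stored hash in constant time."""
    record = CREDENTIAL_STORE.get(device_id)
    if record is None:
        # Hash anyway so response time does not reveal whether the id exists.
        _hash_secret(presented_secret, b"\x00" * 16)
        return False
    candidate = _hash_secret(presented_secret, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    s1 = provision_device("sensor-0001")
    s2 = provision_device("sensor-0002")
    print("secrets differ per device:", s1 != s2)
    print("own secret accepted:", verify_device("sensor-0001", s1))
    print("another device's secret rejected:", verify_device("sensor-0001", s2))
    print("factory-style value rejected:", verify_device("sensor-0001", "admin"))
```

The device side of this is where the "hardware mechanisms" advice applies: the returned secret belongs in a secure element or equivalent protected storage, not in a string constant in the firmware image.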
5. Reduce attack surfaces
A few principles apply to both devices and services. First, use the "principle of least privilege" to give users and services the minimum access required to carry out their tasks. Second, software should run with appropriate privileges, taking into account both security and functionality. And third, close unused ports, and remove services if they are not used.
6. You must validate input data
If your service exposes a user interface or an API that receives information, it is essential to validate incoming data, because data of the wrong type or outside the expected range is risky for your application. Checking and sanitising these inputs before they reach the device reduces your exposure.
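As an added example (not from the original article), here is what "validate incoming data" looks like for a small device-control API: an allow-list of fields, a type check that does not let JSON `true` pass as a number, range checks that also reject `NaN` and `Infinity`, and a size limit applied before parsing. The field names, ranges and limits are assumptions for the illustration, not any real product's API.

```python
"""Added example (not from the original article): allow-list validation of
an incoming device-control request before anything reaches the device.
The field names, value ranges and size limit are assumptions for this
illustration, not a real product's API."""
import json
import re

MAX_BODY_BYTES = 1024                       # reject oversized bodies before parsing
DEVICE_ID_RE = re.compile(r"^[a-z]{1,16}-[0-9]{4}$")
ALLOWED_ACTIONS = {"set_setpoint", "reboot", "report"}

# Allow-list schema: field -> (expected type, range/format check).
# Fields not listed here are rejected, never passed through to the device.
SCHEMA = {
    "device_id": (str, lambda v: DEVICE_ID_RE.match(v) is not None),
    "action": (str, lambda v: v in ALLOWED_ACTIONS),
    # NaN and +/-Infinity fail this comparison, so they are rejected too.
    "setpoint_c": (float, lambda v: -20.0 <= v <= 60.0),
}
REQUIRED = {"device_id", "action"}


class ValidationError(ValueError):
    """Raised with a short reason; the caller maps it to an HTTP 400."""


def _type_ok(value, expected) -> bool:
    # bool is a subclass of int in Python, so `true` would otherwise pass
    # as a number; reject it explicitly.
    if isinstance(value, bool):
        return expected is bool
    if expected is float:                   # JSON has one number type: accept int or float
        return isinstance(value, (int, float))
    return isinstance(value, expected)


def validate_command(raw_body: bytes) -> dict:
    """Parse and validate a request body; return a clean dict or raise."""
    if len(raw_body) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        payload = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValidationError(f"malformed JSON: {exc}") from None
    if not isinstance(payload, dict):
        raise ValidationError("top-level value must be an object")
    unknown = set(payload) - set(SCHEMA)
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    missing = REQUIRED - set(payload)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    clean = {}
    for name, value in payload.items():
        expected, check = SCHEMA[name]
        if not _type_ok(value, expected):
            raise ValidationError(f"{name}: expected {expected.__name__}")
        if not check(value):
            raise ValidationError(f"{name}: out of range or bad format")
        clean[name] = float(value) if expected is float else value
    # Cross-field rule: a setpoint change must actually carry a setpoint.
    if clean["action"] == "set_setpoint" and "setpoint_c" not in clean:
        raise ValidationError("set_setpoint requires setpoint_c")
    return clean


if __name__ == "__main__":
    good = b'{"device_id": "sensor-0001", "action": "set_setpoint", "setpoint_c": 21}'
    print("accepted:", validate_command(good))
    for bad in (b'{"device_id": "sensor-0001", "action": "set_setpoint", "setpoint_c": 999}',
                b'{"device_id": "../etc", "action": "reboot"}',
                b'{"device_id": "sensor-0001", "action": "reboot", "shell": "id"}'):
        try:
            validate_command(bad)
        except ValidationError as err:
            print("rejected:", err)
```

The allow-list approach is the point: the validator decides what is acceptable and drops everything else, rather than trying to enumerate bad inputs.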
7. Ensure software integrity
Software on IoT devices should be verified using secure boot mechanisms. Using custom firmware is a security risk. The device should alert the consumer or administrator if a problem is detected. In addition, the device should not connect to wider networks than those necessary to raise the alert.
8. Make systems resilient to outages
IoT services should keep operating and remain locally functional if the network is lost. They should also recover cleanly when power is restored. When reconnected, devices should return to the network in a sensible state and in an orderly fashion; a massive-scale reconnect, with the whole fleet returning at the same instant, must be avoided.
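One way to make the "orderly fashion" concrete is to have each device derive its own reconnect slot from its identifier, with no coordination needed, and to use jittered exponential backoff for attempts that fail. The code below is an added example, not from the original article or from Orange; the stagger window, backoff parameters and device-id format are assumptions, and the fleet is a constructed one used to measure the peak reconnect rate.

```python
"""Added example (not from the original article): spreading a fleet's
return after an outage so that devices do not all reconnect at once.
The stagger window, backoff parameters and device-id format are
assumptions for this illustration."""
import hashlib
import random
from collections import Counter


def stagger_delay(device_id: str, window_s: float) -> float:
    """Deterministic per-device offset in [0, window_s) derived from the id.

    Because it depends on the id alone, every device computes its own slot
    without talking to anyone, and a fleet that loses power together comes
    back spread across the window instead of in the same second.
    """
    digest = hashlib.sha256(device_id.encode()).digest()
    fraction = int.from_bytes(digest[:8], "big") / 2 ** 64   # uniform in [0, 1)
    return fraction * window_s


def retry_delay(attempt: int, base_s: float = 1.0, cap_s: float = 300.0,
                rng=None) -> float:
    """Full-jitter exponential backoff for reconnect attempts that fail.

    attempt 0 -> up to base_s, attempt 1 -> up to 2*base_s, ..., capped at
    cap_s. The random draw keeps devices that failed together from retrying
    in lockstep and hammering the service again.
    """
    rng = rng if rng is not None else random
    ceiling = min(cap_s, base_s * (2 ** attempt))
    return rng.uniform(0, ceiling)


def peak_reconnects_per_second(device_ids, window_s: float) -> int:
    """Simulate a simultaneous power restore; return the busiest second's count."""
    buckets = Counter(int(stagger_delay(d, window_s)) for d in device_ids)
    return max(buckets.values())


if __name__ == "__main__":
    fleet = [f"meter-{i:05d}" for i in range(6000)]          # constructed fleet
    print("no stagger, peak per second:", peak_reconnects_per_second(fleet, 0))
    print("60 s stagger, peak per second:", peak_reconnects_per_second(fleet, 60))
    seeded = random.Random(42)
    print("retry delays:", [round(retry_delay(a, rng=seeded), 1) for a in range(6)])
```

The same hash-based slot can be reused for scheduled check-ins and update polls, so routine traffic is spread the same way a post-outage return is.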
9. Ensure that personal data is protected
Where devices and/or services process personal data, they shall do so in accordance with applicable data protection laws, such as GDPR. Device manufacturers and IoT service providers will need to provide consumers with clear and transparent information about how their data is being used, by whom, and for what purposes for each device and service. This also applies to any third parties involved, including advertisers. Where personal data is processed with consumers’ consent, this shall be validly and lawfully obtained, with those consumers being allowed to withdraw it at any time.
10. The customer must remain the owner of his personal data
Consumers should be given clear instructions on how to delete their personal data. This data must be easily removed from the system when asked. It could be for any reason, but a typical example is when a device is resold.
11. Implement a vulnerability disclosure policy
All companies that provide Internet-connected devices and services should define a vulnerability disclosure policy. They must provide a public point of contact so that security researchers and others can report issues. Any disclosed vulnerabilities should be acted on promptly. Standards for coordinated vulnerability disclosure (CVD) exist and are simple to implement.
12. Keep software updated
It is vital to keep software up to date, and all software components should be securely updateable. The updates need to be timely and easy to implement and should not impact the functioning of the device. For devices that cannot physically be updated, the product should be isolatable and replaceable. In addition, publish an end-of-life policy to make it clear how long a device will receive software updates.
13. Monitor system telemetry data
If telemetry data is collected from IoT devices and services, it should be monitored for security anomalies. Malicious use of a device can be detected from its data usage and measurement data. Any personal data collected in the process must be handled with care.
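As an added example (not from the original article), the detector below shows the kind of anomaly that data-usage telemetry can surface: one device suddenly uploading far more than its own baseline. It uses a median/MAD baseline per device, which a single spike barely moves, so the outlier cannot mask itself by inflating its own statistics. The telemetry records are constructed for the illustration, and the thresholds and field names are assumptions; note that only aggregate counters and sensor readings are collected, which is how the monitoring itself avoids accumulating personal data.

```python
"""Added example (not from the original article): flagging anomalous data
usage in device telemetry against a robust per-device baseline. The
records are constructed for the illustration; thresholds and field names
are assumptions."""
import statistics
from collections import defaultdict

Z_THRESHOLD = 5.0


def _build_sample():
    """Constructed telemetry: (device_id, hour, bytes_out, temperature_c).

    Only aggregate counters and sensor readings are kept: no payload
    contents and no user identifiers, so the monitoring pipeline itself
    does not accumulate personal data.
    """
    records = []
    for dev in ("sensor-0001", "sensor-0002", "sensor-0003"):
        for hour in range(24):
            bytes_out = 4000 + (hour * 37) % 300        # normal hourly upload
            temp_c = 21.0 + ((hour * 7) % 10) / 10       # normal room reading
            records.append((dev, hour, bytes_out, temp_c))
    # sensor-0003 uploads roughly 60x its usual volume at 17:00, the kind
    # of change a compromised or misused device shows in its data usage.
    return [(d, h, 250_000 if (d, h) == ("sensor-0003", 17) else b, t)
            for d, h, b, t in records]


SAMPLE_TELEMETRY = _build_sample()


def robust_z(values):
    """Robust z-scores from the median and the median absolute deviation.

    Unlike mean/std, one extreme sample hardly shifts either statistic, so
    the spike stands out even though it is part of its own baseline window.
    """
    values = list(values)
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values]) or 1e-9
    return [0.6745 * (v - med) / mad for v in values]


def detect_anomalies(records, threshold=Z_THRESHOLD):
    """Return one alert per (device, hour, metric) whose |robust z| exceeds threshold."""
    by_device = defaultdict(list)
    for rec in records:
        by_device[rec[0]].append(rec)
    alerts = []
    for dev, recs in by_device.items():
        for metric, idx in (("bytes_out", 2), ("temperature_c", 3)):
            zs = robust_z(r[idx] for r in recs)
            for rec, z in zip(recs, zs):
                if abs(z) > threshold:
                    alerts.append({"device_id": dev, "hour": rec[1],
                                   "metric": metric, "value": rec[idx],
                                   "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_TELEMETRY):
        print("ALERT", alert)
```

In a real deployment the baseline would span days rather than one day of hourly buckets, and the alert would feed an investigation (isolate the device, check its firmware integrity, rotate its credentials) rather than act on its own.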
José joined Orange Cyberdefense as Global Chief Technology Officer in 2021 and is approaching 25 years of experience in the field of cybersecurity. He was previously head of the expertise at the French national cybersecurity agency (ANSSI) and before that, head of the European cybersecurity department for the Bell Laboratories of Nokia. José is involved in leading research and innovation at national and European levels. He acts as an expert for the European Commission for France and Belgium and is a member of the Inria ethical committee and the AFNIC scientific committee.