Are you developing, or have you already developed, an IoT product, but are not sure how to address its security?
Here are some tips:
- Do a third party security audit
- Do another third party security audit
- Do a third third party security audit
- Go to step 1
Jokes aside. With the latest ransomware-related events, organizations are starting to become aware of the importance of embracing cybersecurity within their IT environments. But for some companies, an even more important aspect of security is providing security in the products they sell. Companies manufacturing and selling connected devices are responsible for protecting their customers from potential cyber-damage when using their products. Additionally, embedding security by design in a product is today a value-added differentiator.
It is important to understand that IoT product security is quite different from traditional IT security:
- IoT devices are generally constrained in resources due to low cost and low power consumption needs
- IoT devices are not generally under human supervision, so physical attacks are an important attack surface to cover
- The scale of the problem is larger: deployments can involve thousands of devices
- Fragmentation and market immaturity make devices very heterogeneous
The best strategy when it comes to security is always to join forces with an external partner. Equipment manufacturers have to dedicate their resources to, and focus on, providing the best-quality products, so outsourcing security to an expert who can provide a qualified outsider's view of the product and development processes is the right approach.
At TipTap Labs, we provide a turnkey solution for IoT product security audits, comprising different phases that can be provided individually or as a whole:
- Threat modeling
- Equipment reverse engineering
- Code audits
- Penetration testing
- Issue resolution follow-up and recurrent reviews
In this series of blog posts we will address some of the challenges, bits and pieces of each IoT product security audit phase. The next blog post will review the IoT risk assessment processes and threat model generation. Subscribe to our social networks (Twitter, Facebook, LinkedIn, Google+) if you are interested, and do not hesitate to contact us and say hello!