IoT

IoT Security Audits (1/4)

Are you developing or have you developed an IoT product but you are not sure how to address its security?

Here are some tips:

  1. Do a third party security audit
  2. Do another third-party security audit
  3. Do a third party security audit
  4. Go back to step 1

Joking apart, with the latest events related to ransomware, organizations are starting to be more aware of the importance of embracing cybersecurity within their IT environments. But even a more important aspect of security for some companies is to provide security in the products they are selling. Companies manufacturing and selling connected devices are responsible for protecting their customers from potential cyber-damages when using their products. Additionally, embedding security by design in a product is today a value-added differentiation.

It is important to understand that IoT product security is quite different from traditional IT security:

  • IoT devices are generally constrained in resources due to low cost and low power consumption needs
  • IoT devices are not generally exposed to human supervision, so physical attacks are an important surface to cover
  • Scalability of the problem is higher, where deployments can involve thousands of devices
  • Fragmentation and market immaturity makes devices very heterogeneous

The best strategy when it comes to security is always to join forces with an external partner. Equipment manufacturing companies have to dedicate their resources and focus on providing the best quality products, so externalizing security to an expert who can provide a qualified outsider view on the product and development processes is the right approach.

In TipTap Labs, we provide a turnkey solution for IoT product security audits, including different phases that can be provided individually or as a whole:

  1. A Threat Modeling
  2. Equipment reverse engineering
  3. Code audits
  4. Penetration testing
  5. Issue resolution follow up and recurrent reviews

In this series of blog posts, we will be addressing some of the challenges, bits, and pieces of each IoT product security audit phase. The next blog post will review the IoT risk assessment processes and threat model generation. Subscribe to our social networks: Twitter, Facebook, Linkedin, Google +, if you are interested, and do not hesitate to contact us and say hello!

………………………………

Article written by David Purón, Founder and Chief Executive Officer at Barbara IoT.